![[The AI Show Episode 145]: OpenAI Releases o3 and o4-mini, AI Is Causing “Quiet Layoffs,” Executive Order on Youth AI Education & GPT-4o’s Controversial Update](https://www.marketingaiinstitute.com/hubfs/ep%20145%20cover.png)
_NicoElNino_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Standalone Meta AI App Released for iPhone [Download]](https://www.iclarified.com/images/news/97157/97157/97157-640.jpg)
Maximum severity vulnerability puts over 1200 SAP NetWeaver servers at risk of hijacking
A workaround and a patch are already available but many firms have already been breached.
- SAP disclosed a 10/10 flaw in NetWeaver Visual Composer
- The bug allows threat actors to upload malware
- Researchers claim up to 1,200 instances are vulnerable
More than 1,200 SAP instances are at risk of being hijacked, researchers are saying, as a critical vulnerability was found being abused in the wild. Earlier this week, SAP said it found an unauthenticated file upload vulnerability in NetWeaver Visual Composer’s Metadata Uploader component.
Visual Composer is a development tool that allows users to build web-based business applications without writing code. It’s mostly used to create dashboards, forms, and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases, or SAP systems).
The vulnerability SAP found is now tracked as CVE-2025-31324. It carries the maximum severity score (10/10), and stems from the fact that the uploader is not protected with proper authorization, allowing unauthenticated actors to upload malicious executables.
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.
Preferred partner (What does this mean?)View Deal
Fortune 500 at risk
When it discovered the bug, SAP first released a workaround, and then in late April, a patch.
Now, users are advised to apply it as soon as possible, since multiple cybersecurity firms confirmed the flaw being abused in the wild. According to BleepingComputer, ReliaQuest, watchTowr, and Onapsis, are just some of the firms that observed the bug being exploited in attacks in which threat actors were dropping web shells on vulnerable servers.
SAP, however, told BleepingComputer that it is not aware of any attacks that impacted customer data or systems.
The jury is still out on how many organizations are actually vulnerable. While the Shadowserver Foundation claims 427 servers are exposed on the internet, Onyphe says there are 1,284 instances, 474 of which are already compromised.
"Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised," Onyphe CTO Patrice Auffret told BleepingComputer.
Via BleepingComputer
You might also like
- This critical security flaw is letting SAP users get around authentication
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
