Security researchers have confirmed active exploitation of a critical vulnerability in SAP NetWeaver Visual Composer, a development environment widely used in enterprise environments to create business applications. The vulnerability, tracked under CVE-2025-31245, allows unauthenticated remote attackers to execute arbitrary code on affected systems.
Thousands of SAP Systems Exposed
According to multiple security firms, more than 2,500 internet-exposed SAP NetWeaver systems are vulnerable, with many already compromised. The flaw impacts all unpatched versions of Visual Composer running on SAP NetWeaver Application Server Java.
What Makes This Vulnerability Critical?
This zero-day flaw enables attackers to bypass authentication and gain remote code execution (RCE). Once exploited, attackers can deploy malware, exfiltrate sensitive data, or move laterally across enterprise networks.
Confirmed Compromises and Active Exploitation
Threat intelligence teams have identified coordinated exploitation campaigns targeting organizations in finance, manufacturing, and the public sector. Researchers from Rapid7 and Shadowserver have observed malicious payloads and command-and-control communications stemming from compromised SAP servers.
SAP Urges Immediate Patch Deployment
SAP has released a security patch and strongly urges administrators to:
- Apply the latest patch for Visual Composer immediately
- Restrict public access to SAP NetWeaver components
- Monitor logs for unusual activity
- Conduct a full security audit of SAP systems
How to Check If You're Affected
Admins can verify vulnerability exposure by:
- Checking system versions against SAP's patch bulletin
- Using vulnerability scanners like Tenable or Qualys
- Reviewing web server access logs for suspicious requests
Conclusion
The SAP NetWeaver Visual Composer vulnerability is now a critical priority for IT teams worldwide. With active exploitation confirmed and thousands of systems exposed, patching and monitoring are essential to prevent compromise. Enterprises using SAP should act immediately to secure their infrastructure.