ReliaQuest has uncovered a serious vulnerability in SAP NetWeaver, a popular software platform used by many businesses around the world.
In April 2025, the company investigated several customer incidents involving SAP NetWeaver, a technology integration platform. Bad actors were able to upload unauthorized files and run malicious programs.
ReliaQuest found that attackers had placed “JSP webshells” into public directories, similar to what happens with a remote file inclusion (RFI) vulnerability. Notably, many of the affected systems were already up-to-date with the latest SAP service packs and patches.
This, said ReliaQuest, raised the question of whether attackers were exploiting an old vulnerability (CVE-2017-9844), or whether this was a sign of an unreported RFI issue within SAP systems.
According to the company, SAP’s solutions are likely an attractive target for threat actors for two reasons. First, public sector entities often use them, meaning that successful compromise of SAP vulnerabilities would likely aid access to government-related networks and information.
“As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise,” researchers said.
The researchers said the attackers gained administrator-level access through a misconfigured service called the SAP NetWeaver Remote Management Interface. Once inside, they could move freely through the company’s network, performing reconnaissance and gaining further control over internal systems.
This incident is another example of the risks facing firms that use complex software platforms like SAP. Even if companies install security patches, mistakes in configuration or system setup can leave them exposed.
ReliaQuest is urging businesses to review their SAP systems carefully. They recommend checking for misconfigurations, applying the latest patches, and monitoring for suspicious activity — especially on systems that manage sensitive data.
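As a practical illustration of the checks described above (an added example, not code from ReliaQuest, SAP or the article's author), the script below does two things a NetWeaver administrator might do when hunting for dropped JSP webshells: it walks a web-served directory and lists any .jsp files that are not in a known-good baseline, and it scans access-log lines for successful requests to JSP paths outside that baseline. The web root, the baseline file list and the log lines are constructed placeholders; a real deployment would take the baseline from a clean build of the same service pack and the logs from the application server's own access log.

```python
"""
Added example: defender-side checks for unexpected JSP files and requests.

Assumptions (hypothetical): the web root path, the baseline of legitimate
JSP files and the Common Log Format lines below are constructed samples.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed baseline: JSP files that legitimately ship with the application.
KNOWN_JSP = {"index.jsp", "app/login.jsp"}


def find_unexpected_jsp(web_root, baseline=KNOWN_JSP, max_age_days=None):
    """Return relative paths of .jsp files under web_root not in the baseline.

    If max_age_days is given, only files modified within that window are
    returned, which narrows a triage pass to recently dropped files.
    """
    found = []
    cutoff = None
    if max_age_days is not None:
        cutoff = datetime.now() - timedelta(days=max_age_days)
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel in baseline:
                continue
            if cutoff and datetime.fromtimestamp(os.path.getmtime(full)) < cutoff:
                continue
            found.append(rel)
    return sorted(found)


def demo_scan():
    """Build a constructed web root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="sap_webroot_")
    for rel in ("index.jsp", "app/login.jsp", "tmp/shell.jsp", "static/logo.png"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<!-- constructed sample file -->")
    return find_unexpected_jsp(root)


# Constructed access-log lines in Common Log Format (placeholder IPs and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2025:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [20/Apr/2025:10:03:44 +0000] "POST /upload HTTP/1.1" 200 0
10.0.0.9 - - [20/Apr/2025:10:03:50 +0000] "GET /helper.jsp?x=1 HTTP/1.1" 200 210
10.0.0.7 - - [20/Apr/2025:10:05:12 +0000] "GET /app/login.jsp HTTP/1.1" 200 300
10.0.0.8 - - [20/Apr/2025:10:06:00 +0000] "GET /missing.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_jsp_requests(log_text, baseline=KNOWN_JSP):
    """Return (ip, path) pairs for 2xx requests to .jsp files outside the baseline.

    A 2xx status matters: a 404 for an unknown JSP is noise, while a 200 means
    the file actually exists and was served.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lstrip("/")
        if (path.lower().endswith(".jsp")
                and path not in baseline
                and m.group("status").startswith("2")):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    print("unexpected files:", demo_scan())
    print("unexpected requests:", flag_jsp_requests(SAMPLE_LOG))
```

Both checks are deliberately baseline-driven rather than signature-driven: a webshell can be named anything, so the reliable question is not "does this look malicious?" but "was this file part of the deployment?". Running the file scan with a short `max_age_days` window right after an incident narrows the list to recently written files, and correlating a flagged request's source IP with upload or management-interface activity in the same window is the next triage step.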
SAP officials confirmed a security issue affecting SAP NetWeaver Visual Composer: “SAP was made aware of a vulnerability in SAP NETWEAVER Visual Composer, which may have allowed unauthenticated and unauthorized code execution in certain Java Servlet. A security patch was released on April 24, 2025. Customers were recommended to apply the patch immediately.” The issue is documented in Security Note 3594142 and assigned CVE-2025-31324.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


