On 24 April 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver’s Visual Composer Framework, version 7.50.
Unit 42 attribute the first exploitation of this vulnerability to January 2025, with a noticeable increase in April around the time of disclosure.
Attackers exploited this vulnerability to deploy various web shells, such as ran.jsp, and reverse SSH proxies for persistent access.
SAP NetWeaver users should refer to SAP’s guidance on fixing this vulnerability.
Palo Alto Networks customers are protected by several of our products, and Unit 42 has shared this intelligence with the Cyber Threat Alliance to help accelerate industry protection.
