News, Industry - posted Sunday, April 27, 2025 6:12 - no comments yet

SAP NetWeaver: New vulnerability of highest criticality disclosed

Onapsis warns of possible exploitation of the vulnerability

[datensicherheit.de, 04/27/2025] According to a recent report by Onapsis, several security incidents involving “SAP NetWeaver” became known in April 2025: cyber attackers allegedly used “JSP webshells” to perform unauthorized file uploads and execute arbitrary code. The vulnerability affects the “SAP Visual Composer” component of “SAP Java” systems and allows unauthenticated threat actors to upload arbitrary files, including remote webshells, to SAP applications. “This leads to an immediate and complete compromise of these systems!” Most critically, such cyber attacks could bypass traditional ERP security mechanisms.

Onapsis summarizes findings on critical SAP NetWeaver zero-day vulnerability:

  • Cyber criminals are actively exploiting a new highly critical zero-day vulnerability with “CVSS 10.0” in SAP applications.
  • Attackers could gain complete control over critical business processes and information in SAP applications or install ransomware, which could lead to widespread disruption and loss.
  • Cyber attacks could take place via the internet and be directed against cloud/internet-based SAP applications, but also against internal SAP systems.
  • Potentially affected are all customers who use the vulnerable SAP NetWeaver component in Cloud/RISE with SAP environments, cloud-native and on-premise deployment models.

At-risk customers should apply the emergency patch provided by SAP as soon as possible. “If vulnerable systems were connected to the Internet, customers should assume a security breach and initiate emergency measures!”

“SAP Threat Intelligence System” by Onapsis confirms possibility of vulnerability exploitation

The “SAP Threat Intelligence System” from Onapsis has confirmed the possible exploitation of the vulnerability, which was initially disclosed by ReliaQuest. In addition, Onapsis Research Labs has identified thousands of SAP applications that may be at risk of a security breach due to this vulnerability.

SAP made an emergency patch available on April 24 – vulnerable customers should apply it as soon as possible. “If Internet-enabled ‘cloud’ SAP systems are in use, customers should assume a security breach and take appropriate emergency measures, including applying ‘SAP Security Note 3594142’ or checking ‘3596125’ for possible solutions.”
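The article's advice is to assume a breach on internet-facing systems. The following added triage helper, which is not code from Onapsis, SAP or datensicherheit.de, shows what that first check can look like in practice: it hunts an HTTP access log for a successful unauthenticated POST to an upload endpoint and for requests to JSP files that are not on an allow-list, and it lists JSP files written under a web root after a given time. The endpoint path, the combined log format, the log lines and the file inventory are all assumptions or constructed samples; the endpoint in particular is not stated in the article and should be verified against SAP Security Note 3594142.

```python
"""Added triage helper (not Onapsis/SAP code): hunt an HTTP access log for
signs of the unauthenticated upload described in the article, and list
JSP files written recently under a web root.  All inputs are constructed."""
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# ASSUMPTION: the upload endpoint to watch. This is the Visual Composer
# metadata uploader path named in public SAP/CISA advisories; the article
# itself does not name it, so confirm it against SAP Security Note 3594142.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

# Combined log format (assumed; adapt the regex to your reverse proxy or
# ICM access-log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:09:15:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.5.21 - jdoe [24/Apr/2025:09:16:11 +0000] "GET /irj/portal HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2025:09:15:40 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [24/Apr/2025:09:20:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "curl/8.4"
""".splitlines()


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line: str):
    """Return the named groups of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_access_log(lines, known_jsp=frozenset()):
    """Flag successful unauthenticated POSTs to the upload endpoint and any
    request for a .jsp that is not on the allow-list (a dropped webshell
    shows up here the first time it is called)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string
        status = int(rec["status"])
        if (rec["method"] == "POST" and path == UPLOAD_ENDPOINT
                and rec["user"] == "-" and 200 <= status < 300):
            findings.append(Finding(rec["ip"], path, "unauthenticated upload accepted"))
        if path.lower().endswith(".jsp") and path not in known_jsp:
            findings.append(Finding(rec["ip"], path, "request to unexpected JSP"))
    return findings


def find_recent_jsp(entries, since: datetime):
    """entries: iterable of (path, mtime_utc) pairs. Return the .jsp files
    modified at or after `since`, newest first. On a live host feed it
    walk_webroot(root); here a constructed inventory is used."""
    hits = [(p, t) for p, t in entries if p.lower().endswith(".jsp") and t >= since]
    return sorted(hits, key=lambda pt: pt[1], reverse=True)


def walk_webroot(root: str):
    """Yield (path, mtime_utc) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield full, datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)


# Constructed file inventory in the shape walk_webroot() yields; the paths
# are placeholders, not real SAP installation paths.
SINCE = datetime(2025, 4, 24, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("/webroot/helper.jsp", datetime(2025, 4, 24, 9, 15, 30, tzinfo=timezone.utc)),
    ("/webroot/index.jsp", datetime(2023, 1, 10, tzinfo=timezone.utc)),
    ("/webroot/logo.png", datetime(2025, 4, 24, 9, 15, 31, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in hunt_access_log(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:45} {f.reason}")
    for path, mtime in find_recent_jsp(SAMPLE_ENTRIES, SINCE):
        print(f"recent JSP: {path} ({mtime.isoformat()})")
```

The allow-list matters: every SAP Java system legitimately serves some JSP pages, so build `known_jsp` from a clean reference system or from the log history before the patch date rather than from the possibly compromised host itself. A `403` on the upload endpoint (the last sample line) is not flagged because the request was rejected; after patching, that is the expected outcome and a useful sign that the note was applied.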

Further information on this topic:

ONAPSIS
Learn more about the most important ORL disclosures with SAP and CISA

SAP
Management of security issues: SAP places the highest priority on identifying and fixing security issues related to our software and our cloud solutions.

RELIAQUEST, ReliaQuest Threat Research Team, 25.04.2025
ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver

heise online, Dirk Knop, 25.04.2025
SAP patches critical vulnerability out of band / SAP holds monthly patch days. A critical security vulnerability now forces the company to issue an out-of-band update.

datensicherheit.de, 08.04.2021
Critical SAP applications in the focus of cyber criminals / CISA and Tenable warn of unpatched SAP systems

datensicherheit.de, 22.01.2021
SAP Solution Manager: Serious security vulnerability surfaced / Tenable warns of patch fatigue
