
The Critical Vulnerability CVE-2025-31324 in SAP NetWeaver: The Extent of the Threat, and SAP Vulnerabilities as a Recurring and Multifaceted Problem


Summary

SAP systems, which manage a company's most critical data and processes, are increasingly targeted by cyberattacks. The pervasive use and the sensitive nature of the data within these systems mean they can no longer remain isolated from cyber threats. Threats originate from both internal sources like data theft by disgruntled employees and external vectors such as ransomware and sophisticated attacks exploiting known vulnerabilities. SAP systems are often delivered with "very open" default configurations, and the increasing use of HTML5 interfaces and APIs expands the attack surface. Despite the critical risks, security is often underestimated, underfunded, and treated as a secondary concern in SAP projects. A lack of collaboration and understanding between SAP teams and general cybersecurity teams exacerbates the problem.

Common vulnerabilities include the failure to apply security patches released by SAP, issues in custom code, configuration flaws in components like SAPRouter and Gateway, and weaknesses in protocols like DIAG, which can transmit data in cleartext. Password management and hashing mechanisms can also be exploited. Specific critical vulnerabilities, such as CVE-2025-31324 affecting SAP NetWeaver, are actively being exploited, impacting thousands of exposed servers.

Addressing SAP security requires a holistic and continuous approach. This involves systematic patch management, regular security assessments including penetration testing, integrating security into development processes, and leveraging specialized security tools. Integrating SAP security monitoring into a centralized Security Information and Event Management (SIEM) system is crucial to bridge the gap between SAP security and broader cybersecurity efforts, enabling faster detection and response to incidents. Frameworks like the SAP Secure Operations Map provide a structured approach to cover the various layers and aspects of SAP security.

Table of Contents

  • Introduction
  • The Critical Vulnerability CVE-2025-31324 in SAP NetWeaver
  • The Extent of the Threat
  • SAP Vulnerabilities: A Recurring and Multifaceted Problem
      • Unpatched SAP Vulnerabilities
      • Vulnerabilities in Custom SAP Code
      • Configuration Flaws
      • Protocol and Password Vulnerabilities
      • Vulnerabilities in Specific Components
  • SAP Security: A Blind Spot and Organizational Challenges
  • Strengthening SAP Security: A Holistic and Integrated Approach
  • Conclusion

Introduction

SAP systems serve as Enterprise Resource Planning (ERP) solutions used by large companies to manage their business flows, including human resources, sales, and procurement. They are built around a modular structure on top of a single shared database. These systems hold most of a company's strategic data and intellectual property, making them essential for business operations.

Due to the high-value data they contain and their widespread use, ERP systems like SAP are increasingly under attack from cyber threats. Attackers are focusing on critical systems and components, exploiting known vulnerabilities in the technical and infrastructure layers. Historically, security efforts in SAP have often been limited, prioritizing regulatory compliance and focusing mainly on roles and authorizations, leaving significant security gaps. With the evolving digital landscape, a more robust approach to security is essential to address the increasing risks organizations face. Ensuring the security of the SAP environment is vital, as a cyber-attack can be immobilizing, leading to significant business disruption and substantial financial impact.

The Critical Vulnerability CVE-2025-31324 in SAP NetWeaver

A critical security vulnerability, tracked as CVE-2025-31324, is currently being actively exploited. It affects SAP NetWeaver, the platform on which SAP and non-SAP applications are integrated and run. Specifically, the flaw resides in the Metadata Uploader of the Visual Composer development server, part of the SAP NetWeaver Visual Composer component (VCFRAMEWORK) on the Java stack.

Exploiting CVE-2025-31324 lets a remote attacker upload an arbitrary executable file to a vulnerable server. The exploit requires neither user interaction nor prior authentication, which makes it particularly attractive to attackers, and a successful upload leads to full compromise of the server. Security firms such as ReliaQuest and watchTowr have confirmed active exploitation, and Rapid7 observed exploitation as early as March 27, 2025. Attackers use the flaw to drop JSP web shells on affected servers, sometimes named cache.jsp or helper.jsp and sometimes given random names. CERT-FR has also reported being aware of several compromises linked to this vulnerability.

The vulnerability affects SAP NetWeaver installations with VCFRAMEWORK 7.50 that lack the latest security patch. The affected component, the Visual Composer development server, is not installed by default, but it is frequently deployed. SAP released the patch (SAP Security Note 3594142) on April 25, 2025, following a mitigation published on April 8, 2025; the mitigation restricts access to the vulnerable endpoint, /developmentserver/metadatauploader, whereas the note removes the flaw itself. To verify whether the component is present, open http://host:port/nwa/sysinfo and look for VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA or VCFRAMEWORK); if the line reads NO, the component is not installed. Because the patch does not remove anything an attacker has already dropped, check for compromise before (and again after) applying it: review the web server logs for suspicious requests, and look for JSP, JAVA, or CLASS files in specific directories (e.g., C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root on Windows, or /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root on Unix-like systems). Any such file is an indicator of compromise and should trigger incident response rather than a simple clean-up.
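As an added example (not code from the original article, from SAP, or from any of the firms cited), the following Python script implements the two indicator-of-compromise checks above: it scans access-log lines for requests to the Metadata Uploader and for direct web-shell-style JSP hits, and it classifies files found under the irj servlet root. It assumes the web server writes the common/combined log format; the endpoint /developmentserver/metadatauploader is the path SAP's interim workaround restricts, while the "JSP requested directly under /irj/" heuristic is my own addition. The log lines are constructed, not real traffic.

```python
import re
from datetime import datetime
from pathlib import Path

# Endpoint of the Visual Composer Metadata Uploader behind CVE-2025-31324
VC_UPLOAD_PATH = "/developmentserver/metadatauploader"
# File types SAP's IoC guidance says should not appear under the irj servlet root
SUSPICIOUS_SUFFIXES = {".jsp", ".java", ".class"}
# Web-shell names reported in public incident write-ups; others were random
KNOWN_SHELL_NAMES = {"cache.jsp", "helper.jsp"}
# Heuristic (my assumption): a JSP requested directly under /irj/ rather than
# via /irj/portal or /irj/servlet is not normal portal traffic
DIRECT_JSP_RE = re.compile(r"^/irj/[^/?]+\.jsp(\?|$)", re.IGNORECASE)

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one finding per request that hit the uploader or looks like web-shell use."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        base = path.split("?", 1)[0].lower()
        if base.startswith(VC_UPLOAD_PATH):
            findings.append({
                "kind": "uploader_request",
                "ip": m["ip"], "time": m["time"],
                "method": m["method"], "status": m["status"],
                # an accepted POST is the footprint an actual file upload leaves
                "upload_likely": m["method"] == "POST" and m["status"] == "200",
            })
        elif DIRECT_JSP_RE.match(path):
            findings.append({"kind": "direct_jsp", "ip": m["ip"], "time": m["time"],
                             "path": path, "status": m["status"]})
    return findings


def classify_files(relative_paths):
    """Flag JSP/Java/class files among paths relative to the irj root (pure, testable)."""
    hits = []
    for rel in relative_paths:
        p = Path(rel)
        if p.suffix.lower() in SUSPICIOUS_SUFFIXES:
            hits.append({"path": rel, "known_shell_name": p.name.lower() in KNOWN_SHELL_NAMES})
    return hits


def scan_irj_root(root):
    """Walk a real irj root directory (the path given in the text) and add file timestamps."""
    root = Path(root)
    rel = [str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()]
    hits = classify_files(rel)
    for h in hits:
        h["mtime"] = datetime.fromtimestamp((root / h["path"]).stat().st_mtime).isoformat()
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Mar/2025:10:12:30 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '203.0.113.5 - - [27/Mar/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Mar/2025:10:15:44 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    for f in classify_files(["helper.jsp", "portal/index.html", "WEB-INF/x/Shell.class"]):
        print(f)
```

Run `scan_irj_root()` against the irj root of every Java instance, not only the one the portal is known to run on, and treat a single hit as a confirmed compromise to be escalated: the accepted POST to the uploader in the sample is exactly the trace an upload leaves, and the later direct JSP request with a command parameter is the shell being used.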

The Extent of the Threat

The increasing volume of critical data flowing through information systems presents opportunities for cybercriminals. SAP's widespread use and the sensitive data it manages make it an attractive target globally. A cyber-attack on SAP systems can have devastating consequences for business activities, including financial losses and damage to reputation. The average cost per hour of ERP system unavailability can be significant, noted as $50,000 according to a 2024 report.

The CVE-2025-31324 vulnerability carries a CVSS base score of 10.0, the maximum, highlighting its critical nature. Analyses indicate a significant number of exposed and vulnerable servers. The Shadowserver Foundation identified over 420 exposed and vulnerable servers, including 102 in Europe. Analyses by Onyphe, a French company, suggest a more alarming picture: 1,284 unique IP addresses vulnerable out of 3,716 SAP appliances reachable from the internet, and 474 SAP servers already compromised. The affected entities included companies from the CAC 40, SBF 120, and Global 500 / Fortune 500 rankings. The ongoing nature of these attacks means enterprises must react quickly to avoid potentially disastrous compromises.

SAP Vulnerabilities: A Recurring and Multifaceted Problem

The security of SAP systems is a growing concern for businesses, as vulnerabilities can have devastating consequences for the confidentiality, integrity, and availability of enterprise data. Certain vulnerabilities are considered critical and require particular attention. SAP systems face a range of vulnerabilities, from unpatched issues and custom code flaws to configuration errors and weaknesses in protocols.

Unpatched SAP Vulnerabilities

Software vendors like SAP regularly release updates to address new threats and vulnerabilities. SAP informs its customers through security notes and publishes a large number of them each year (196 in 2022), a figure that keeps growing. Despite this, many critical vulnerabilities in SAP systems remain unpatched.

According to a study by Onapsis, many critical vulnerabilities allow attackers to access the application or the operating system, elevate privileges, or take over systems. Specific vulnerabilities such as CVE-2020-6287 and CVE-2020-6207, identified by Onapsis and SAP, have been exploited in the wild, and exploits for them are publicly available, some on GitHub. CVE-2022-22536 is another critical example.

The failure to apply security notes is a significant problem. For example, Security Note 2986980, which addresses CVE-2021-21468, was released in January 2021, yet in one assessment it had still not been applied. CVE-2021-21468 allows a function module to be called without an authorization check. Successful exploitation lets an attacker invoke the function remotely over RFC and read the entire database, including the password hash table; hashes recovered this way feed an offline dictionary attack that yields cleartext passwords. Remediation requires applying the update and security patches and restricting remote user access to sensitive transactions and function modules.

Staying informed involves regularly reading SAP security notes and following CISA's Known Exploited Vulnerabilities catalogue, which currently lists ten vulnerabilities affecting SAP. Whether a note has been applied can be verified in the system's note tables: CWBNTMSG holds note data, and the implementation status of each note is recorded in CWBNTCUST (field PRSTATUS, where E means completely implemented), which is the table to query when checking that a note has actually been implemented. Applying SAP Notes and installing security patches is the fundamental step to prevent attacks such as those abusing the gateway's RFC_SET_REG_SERVER_PROPERTY function.

Vulnerabilities in Custom SAP Code

Organizations frequently customize their SAP application code to meet specific needs, and this custom code must be checked regularly for flaws. Vulnerabilities in custom code carry a particular risk of internal exploitation, since any user with the appropriate access level can trigger them without breaching the perimeter.

The most critical custom-code vulnerabilities are ABAP command injection, operating system command injection, and Open SQL injection, since each can lead to total system compromise. Other development flaws reported by SAP include open URL redirection, missing content verification on HTTP downloads, and uncontrolled read/write access to sensitive data in the database. AI assistants such as ChatGPT can also be used to produce code, for example ABAP code performing a URL redirection, and code produced this way must be reviewed like any other.

To prevent vulnerabilities in custom code, use the security tools SAP provides, such as SAP Code Vulnerability Analyzer (CVA), which runs as a check module within the Code Inspector, SAP Enterprise Threat Detection (ETD), SAP Security Scanner, or third-party tools. These tools do not guarantee complete security, since unknown vulnerability classes may remain, so good governance of development teams and practices remains essential.

Configuration Flaws

Misconfigurations are still frequently observed in SAP environments. SAP systems are delivered with a very open standard configuration and are exposed to attack if not hardened. Profile parameters are fundamental to SAP security: they determine how access is granted or denied and which communications are allowed. They are stored in profile files and maintained through the profile parameter transactions (RZ10 for the profiles, RZ11 for individual parameters), and need appropriate values at the operating system, database, and application layers. In the standard delivery, these settings are often insufficient.

Specific configuration issues concern SAPRouter and the RFC Gateway. SAPRouter acts as a proxy between an external network and an SAP system, forwarding authorized connections. If its route permission table (saprouttab) is too permissive, it enables attacks. The critical case is a SAPRouter that accepts connections to the SAP infrastructure from any network, which can allow extraction of sensitive information such as system details or active connections. A misconfigured SAPRouter can also be used as a proxy to attack the internal network through port scanning, vulnerability discovery, or exploitation.

The RFC Gateway is described as SAP's internal firewall and must be precisely configured through its reginfo and secinfo access control lists to prevent unauthorized remote access. Attacks on a loose Gateway configuration allow the registration of malicious external server programs, which can lead to denial of service. SAP best practices and recommendations from user groups such as DSAG include proven security-focused parameter sets and test catalogues.
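As an added example (not from the article, SAP, or DSAG), the following Python script audits the three access control lists just discussed: a saprouttab, a gateway reginfo and a gateway secinfo. It parses the files, flags any-to-any permits, wildcard destinations and services, and the absence of a closing deny-all entry, and runs against constructed weak and hardened samples. Host names and address ranges in the samples are assumptions; treating an omitted ACCESS in reginfo as `*` follows SAP's documented default for that field.

```python
# Permit-type entries in a saprouttab (KP/KS are the SNC variants of P/S)
ROUTE_PERMITS = {"P", "S", "KP", "KS"}


def parse_acl(text):
    """Split an SAP ACL file into (action, tokens) pairs, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        rules.append((tokens[0].upper(), tokens[1:]))
    return rules


def keyvals(tokens):
    """reginfo/secinfo VERSION=2 entries are KEY=value tokens."""
    out = {}
    for t in tokens:
        if "=" in t:
            k, v = t.split("=", 1)
            out[k.upper()] = v
    return out


def audit_saprouttab(text):
    """saprouttab lines: <action> <source> <destination> <service> [password]."""
    findings = []
    rules = parse_acl(text)
    for n, (action, args) in enumerate(rules, 1):
        if action not in ROUTE_PERMITS:
            continue
        src, dst, svc = (args + ["*", "*", "*"])[:3]
        if src == "*" and dst == "*":
            findings.append(f"saprouttab #{n}: '{action} * * {svc}' routes any client to any host")
        elif dst == "*" or svc == "*":
            findings.append(f"saprouttab #{n}: wildcard destination or service for source {src}")
    # SAPRouter denies unmatched connections anyway, but an explicit final deny
    # makes the intent visible and catches accidental permits appended later
    if not rules or rules[-1][0] != "D" or rules[-1][1][:3] != ["*", "*", "*"]:
        findings.append("saprouttab: does not end with an explicit 'D * * *' deny-all entry")
    return findings


def audit_reginfo(text):
    """reginfo: which hosts may register a program name (HOST) and which may call it (ACCESS)."""
    findings = []
    for n, (action, args) in enumerate(parse_acl(text), 1):
        if action != "P":
            continue
        f = keyvals(args)
        tp, host, access = f.get("TP", "*"), f.get("HOST", "*"), f.get("ACCESS", "*")
        if tp == "*" and host == "*":
            findings.append(f"reginfo #{n}: any host may register any program name (rogue registered server)")
        if access == "*":
            findings.append(f"reginfo #{n}: ACCESS=* (or omitted) lets any host call program {tp}")
    return findings


def audit_secinfo(text):
    """secinfo: which users on which hosts may start programs through the gateway."""
    findings = []
    for n, (action, args) in enumerate(parse_acl(text), 1):
        if action != "P":
            continue
        f = keyvals(args)
        if f.get("TP", "*") == "*" and f.get("HOST", "*") == "*":
            findings.append(f"secinfo #{n}: any user may start any program on any host")
    return findings


def audit_all(saprouttab, reginfo, secinfo):
    return audit_saprouttab(saprouttab) + audit_reginfo(reginfo) + audit_secinfo(secinfo)


# Constructed samples: the "weak" files mirror the open configuration the text
# warns about, the "hardened" ones the restrictive shape recommended instead.
# Host names (sapprd01) and the 10.10.20.* admin range are assumptions.
WEAK_SAPROUTTAB = "P * * *\n"
HARDENED_SAPROUTTAB = """\
# only the admin VPN range may reach the production dispatcher (3200) and gateway (3300)
P 10.10.20.* sapprd01 3200
P 10.10.20.* sapprd01 3300
D * * *
"""
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REGINFO = """\
#VERSION=2
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
D TP=*
"""
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=*\n"
HARDENED_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=local\nD TP=*\n"

if __name__ == "__main__":
    for line in audit_all(WEAK_SAPROUTTAB, WEAK_REGINFO, WEAK_SECINFO):
        print("WEAK:", line)
    print("hardened findings:", audit_all(HARDENED_SAPROUTTAB, HARDENED_REGINFO, HARDENED_SECINFO))
```

The weak reginfo is what lets any host register an arbitrary program name with the gateway; the hardened versions use the internal and local keywords so only the system's own hosts can register and call programs. The checks are deliberately simple and do not reproduce the gateway's evaluation order (first matching rule wins) or replace the DSAG test catalogue; they are a quick triage of exported ACL files. Independently of the files, set gw/acl_mode = 1 so that the gateway falls back to a secure default when reginfo or secinfo is missing.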

Protocol and Password Vulnerabilities

Weaknesses in SAP protocols and password handling can also be exploited. The DIAG protocol (Dynamic Information and Action Gateway), used by the SAP GUI client to talk to an SAP instance, compresses its payload but does not encrypt it by default. Data, including credentials, therefore crosses the network compressed but unprotected, effectively in cleartext, and can be recovered with tools such as Wireshark or Cain & Abel; Figure 1 in the source document shows credentials recovered with Wireshark. SAP's remedy is to add an encryption layer through the SNC (Secure Network Communications) interface, which provides authentication, integrity, and confidentiality based on certificates, playing a role comparable to TLS.

Password security in SAP can be compromised in several ways. Password hashes can be retrieved through vulnerabilities such as CVE-2021-21468 or, more often, by direct access to the database, and then subjected to dictionary attacks. Because of backward-compatibility requirements, a system may still store, alongside the current hash, the weakest legacy hash code version, such as the MD5-based code version B. With code version B the password is truncated to eight characters and case-folded before hashing. Cracking this short MD5 hash therefore undermines the longer SHA-1 based hashes of the same user: the recovered eight characters serve as a known prefix, and only the remaining characters and the case variants need to be searched. Since user passwords are rarely much longer than eight characters, this first part is usually enough to gain access. Onapsis has published detailed methods on this.

If backward compatibility is not required, disable the legacy hashes by setting login/password_downwards_compatibility to 0 (transaction RZ11 for the running instance, RZ10 to make the change permanent in the profile). SAP offers report RSUSR003 (run via SA38) to assess the password status of the standard users, but it only helps if it is actually run. The special SAP* user is a super-user that exists in every client; in some versions it was automatically recreated with the hard-coded password "PASS" whenever its user record was deleted (behaviour governed by login/no_automatic_user_sapstar). In later versions (from around 2009-2010), DDIC and SAP* in clients 000 and 001 receive the master password set during installation.
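To make the prefix attack concrete, here is an added Python example (my own illustration, not code from the article, from Onapsis or from SAP, and not SAP's actual hash algorithms). Code version B is modelled simply as MD5 over the upper-cased, 8-character-truncated password, and the newer hash as a salted SHA-1 over the full, case-sensitive password; the real CODVN B encoding also mixes in the user name, so these functions are stand-ins that keep only the two properties the attack relies on, truncation and case folding. The wordlist, suffixes, salt and sample password are constructed.

```python
import hashlib
import itertools


def hash_code_b(password):
    """Stand-in for CODVN B (assumption: simplified): uppercase, first 8 chars, MD5."""
    return hashlib.md5(password.upper()[:8].encode()).hexdigest()


def hash_salted_sha1(password, salt):
    """Stand-in for the case-sensitive, untruncated SHA-1 based code versions."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def crack_code_b(target, words, suffixes):
    """Dictionary attack on the weak hash: only 8 case-insensitive chars matter,
    so 'summer2024' and 'Summer2024!' collapse to the same candidate."""
    seen = set()
    for word in words:
        for suf in suffixes:
            cand = (word + suf).upper()[:8]
            if cand in seen:
                continue
            seen.add(cand)
            if hash_code_b(cand) == target:
                return cand
    return None


def extend_prefix(target, salt, prefix, tails):
    """Second stage: the 8 recovered characters are fixed; only their case and a
    short tail are unknown, so the strong hash is searched over that tiny space."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in prefix]
    for combo in itertools.product(*options):
        head = "".join(combo)
        for tail in tails:
            cand = head + tail
            if hash_salted_sha1(cand, salt) == target:
                return cand
    return None


def search_space(prefix, tails):
    """Number of strong-hash candidates the second stage has to try at most."""
    letters = sum(1 for c in prefix if c.isalpha())
    return (2 ** letters) * len(tails)


# Constructed inputs: a short wordlist, common suffixes, and the tails tried
# once the first eight characters are known
WORDS = ["password", "welcome", "sap", "summer"]
SUFFIXES = ["", "1", "123", "2024", "2024!"]
TAILS = ["", "!", "1", "24", "24!", "25", "25!"]
SALT = "x9"  # placeholder salt; real code versions derive theirs differently


def demo(password="Summer2024!"):
    """Run both stages against hashes of a sample password and report what was needed."""
    weak, strong = hash_code_b(password), hash_salted_sha1(password, SALT)
    prefix = crack_code_b(weak, WORDS, SUFFIXES)
    recovered = extend_prefix(strong, SALT, prefix, TAILS) if prefix else None
    return {"prefix": prefix, "password": recovered,
            "stage2_max_attempts": search_space(prefix, TAILS) if prefix else None}


if __name__ == "__main__":
    print(demo())
```

The weak hash falls to a few dozen candidates; the stronger one is then searched over 2^6 case variants of the six recovered letters times seven tails, at most 448 hashes instead of the full 11-character keyspace. With login/password_downwards_compatibility = 0 the B hash is no longer generated or stored, and an attacker holding the hash table is left with the full search.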

Vulnerabilities in Specific Components

Specific SAP components can also be sources of vulnerabilities. For instance, SAPHostControl, the web service used to manage an SAP instance, has had authorization defects: specially crafted SOAP calls could retrieve system information such as IP addresses, operating systems, and usernames, and Metasploit includes a module for this. Another SAPHostControl flaw, in its role of authenticating users to the database, was a lack of input validation on transmitted parameters; the resulting parameter injection allowed anonymous execution of operating-system commands. Metasploit and the "SAP Pentest tool" included modules to exploit it.

The SAPRouter component, acting as a proxy, can also have vulnerabilities beyond misconfiguration. If not properly secured, it can allow information disclosure, revealing system information, or details about active connections. Tools like Bizploit and Metasploit have modules to exploit such SAPRouter vulnerabilities. Exploiting the SAPRouter can provide insight into the internal network addressing and allow its use as a proxy for network scanning.

SAP Security: A Blind Spot and Organizational Challenges

Despite the critical importance of SAP systems as repositories of sensitive data, their security is often overlooked or represents a "blind spot" for companies. The complexity and uniqueness of SAP systems make it challenging to develop appropriate cybersecurity measures.

SAP has historically been viewed as a separate world, like an island. While progress has been made in managing roles and authorizations for business users, often following financial scandals, the situation is very different for technical profiles. There can be significant security lapses, such as granting all users access to all data tables via a single transaction, which was seen as a budgetary trade-off during projects but had serious repercussions on confidentiality.

Securing an SAP system is far from straightforward. Vigilance is required from the initial architecture definition because systems are delivered with very open standard settings. Security tasks are often not anticipated, particularly in project budgets, which prioritize the system's functional operation over security. Security can inherit a "poor relation" status, which is particularly damaging given the colossal nature of the task. Securing existing, interconnected systems with high availability constraints is even more complex and expensive.

As a result, the good practices recommended by SAP in its Security Baseline are far from generally deployed. SAP integrators themselves may sometimes overlook these practices to avoid increasing project costs or alarming IT departments. Furthermore, security is not just a project phase; in production, it requires continuous effort to reduce the attack surface at every level: user access, indirect access, technical-layer access, flaws in custom developments, and so on.

Applying security patches published by the vendor can be time-consuming, even with the tools provided by SAP. The non-regression tests required after applying patches also consume significant resources. This contributes to security gaps persisting, even on basic aspects like patch management and access control.

Another challenge is the disconnect between SAP security and general cybersecurity teams. Historically, SAP security has been managed primarily by the SAP department, often part of finance or IT operations, focusing on identity, access control, and authorizations. It rarely involves collaboration with the cybersecurity team, which manages enterprise infrastructure security. This siloed structure prevents organizations from uniting these key departments to defend valuable assets. Cybersecurity teams may lack SAP security knowledge, while SAP departments may lack fundamental cybersecurity knowledge. This is amplified because many SAP clients rely on basic tools and do not deploy SAP Enterprise Threat Detection (ETD).

While SAP ETD supports monitoring compliance, system parameters, and activity in near real-time, it focuses solely on SAP security information. It does not correlate SAP data with data from the surrounding IT infrastructure collected by a SIEM system used by the cybersecurity team. This limitation isolates SAP security, creating a gap and making SAP systems vulnerable to attackers who exploit this situation.

A survey by Ponemon Institute highlighted that executives underestimate the security risks to SAP applications. The survey found that due to significant customization, most SAP systems are exposed and have unpatched vulnerabilities. Responsibility for SAP application security is also a point of contention, with 54% believing it falls to SAP. Recognizing the importance, SAP appointed its first Chief Security Officer (CSO), Justin Somaini, in January 2016.

Strengthening SAP Security: A Holistic and Integrated Approach

Protecting SAP systems against cyberattacks requires a comprehensive and continuous approach. Cybersecurity for SAP should not be a one-time task but an established permanent process with adequate resources, assigned responsibilities, and skill development.

A thorough approach goes beyond the traditional focus on financial and regulatory compliance. It involves a holistic view of security across the entire SAP technology stack, including the organization, process, application, system, and environment levels, as outlined in the SAP Secure Operations Map.

Key practices for strengthening SAP security include:

  • Systematic Patch Management: Applying SAP Security Notes and installing patches is essential. This requires a systematic approach to assess and prioritize security notes and careful planning. However, maintaining systems up-to-date and installing patches systematically can be challenging.
  • Security Assessments and Testing: Performing assessments, testing the defined controls, and retesting after implementation are crucial. This includes internal access-control assessments, change and transport procedure assessments, network/architecture assessments, OS/DBMS security assessments, SAP NetWeaver security assessments, and checks of specific components (Gateway, Message Server, Portal, Router, GUI). Penetration tests before or after system transitions help identify vulnerabilities, and third-party testing verifies the risks from connected systems. Solutions like Performer for Audit can streamline the audit process and provide dashboards of risk status.
  • Integrating Security into Processes: Integrate security requirements into project design from the outset and conduct threat modeling early on. Ensure good governance for development teams and practices.
  • Leveraging Security Tools: Utilize security tools provided by SAP (Code Vulnerability Analyzer, Enterprise Threat Detection, Security Scanner) or other market tools. Tools like SecurityBridge can help prioritize security tasks and provide static and dynamic analysis of SAP environments, including monitoring exchanges and events. These tools can also feed into a SIEM system.
  • Holistic Monitoring and SIEM Integration: Adopt a modern SAP security approach that combines SAP security information with contextual security information from the surrounding IT infrastructure within a SIEM. A SIEM collects data from various sources across the IT environment. Integrating SAP security monitoring into a centralized SIEM provides significant value for cybersecurity, IT operations, compliance, and business activity analysis. This helps bridge the gap between SAP security and general cybersecurity, enabling faster detection and response to incidents. Modern SIEM SAP or Next-Gen SIEM solutions support mapping threats to frameworks like MITRE ATT&CK and using playbooks for automated incident response.
  • Secure Configuration: Ensure secure configuration of SAP servers, including activating security logging (SAP Security Audit Log, Change Logs, Read Access Log), securing system communication, and data security. Define appropriate security parameters at all layers. Precisely configure the RFC Gateway to prevent unauthorized remote access.
  • Code Security: Address security in custom ABAP code. SAP provides tools like the Code Vulnerability Analyzer for this.
  • Access Management: Review and manage roles and authorizations rigorously, in particular avoiding critical permission combinations unless strictly necessary (e.g., firefighter accounts). Review permissions and combinations continuously and automatically. Monitor critical transactions, RFC function modules, and reports in near real time, as well as external access through SAP interfaces such as RFC. The SAP Read Access Log records read/write access to specific fields, reports, or programs, which is essential for GDPR compliance with respect to logging access to personal data.

KPMG firms offer specialized SAP security services, including security assessments based on the SAP Secure Operations Map, going beyond traditional compliance to provide a holistic view. Their approach includes configuration validation, automated monitoring, and standardized guidelines.

Conclusion

SAP systems, holding critical enterprise data, are significant targets for cyber threats, both internal and external. The increasing openness of these systems and the historical tendency to underprioritize security leave many environments exposed. Common vulnerabilities stem from a failure to patch systems, flaws in custom code, misconfigurations, and protocol weaknesses. The active exploitation of critical vulnerabilities like CVE-2025-31324 underscores the immediate need for action.

Strengthening SAP security requires moving beyond a siloed approach. It demands a holistic, continuous process that integrates SAP security into the broader cybersecurity strategy. Key actions include diligent patch management, regular security assessments and testing, securing custom code, correcting misconfigurations, and establishing robust access controls. Crucially, integrating SAP security monitoring into a central SIEM system bridges the gap between SAP teams and cybersecurity teams, improving threat detection and incident response. By adopting these practices and leveraging appropriate tools and frameworks, organizations can significantly enhance the protection of their critical SAP landscapes.

🌐 Website: www.truetechnologie.com
📧 Email: lamine.diouf@truetechnologie.com/diouf78@gmail.com
📞 Phone: +221 77 856 27 66

Certifications:
CISA | ISO 27001 Lead Auditor | QualysGuard Specialist | CISSP | ITIL | COBIT 2019 | CCNP | Fortinet NSE 6, 7, 8 | VMCE | PCNSE
