Attacked SAP flaw: Hundreds of vulnerable servers in the network
On Friday, SAP patched a security vulnerability in SAP Netweaver that had already been attacked. Hundreds of servers are still vulnerable.
There are security gaps in SAP products.
(Image: Created with AI in Bing Designer by heise online / dmk)
Outside its regular patch cycle, SAP patched a security vulnerability in SAP Netweaver on Friday. It later emerged that this vulnerability is already being attacked in the wild. IT researchers are currently still seeing hundreds of vulnerable systems that can be reached from the Internet.
The vulnerability allows attackers from the network to inject and execute arbitrary code without prior login. IT managers should patch the vulnerability immediately with the available update if they have not already done so. However, the IT researchers at the Shadowserver Foundation have discovered hundreds of vulnerable systems that are still accessible on the network.
On Saturday, the Shadowserver staff identified more than 450 IPs behind which vulnerable Netweaver instances were located. Tracking the numbers over several days yields some interesting insights.
| Country | 26.04.2025 | 27.04.2025 | 28.04.2025 |
|---|---|---|---|
| USA | 149 | 132 | 112 |
| India | 50 | 45 | 37 |
| Australia | 37 | 38 | 35 |
| Germany | 30 | 29 | 29 |
| China | 31 | 26 | 18 |
IT managers in the largest affected countries have evidently taken action: more than a quarter of the vulnerable systems in the USA have been secured since Saturday, in India almost a quarter, and China is approaching a fix rate of more than 40 percent. In Australia and Germany, on the other hand, the picture is rather poor: in Germany, one in 30 systems has been secured or is no longer reachable on the network; in Australia, at least two out of 37, after an additional vulnerable instance had initially appeared on Sunday.
Admins should definitely check their SAP Netweaver systems and apply the update if necessary. Details on the vulnerability and helpful hints such as Indicators of Compromise (IOCs) can be found in a blog post by Onapsis.
Initially, it was only known that a vulnerability report was published by SAP during the course of Thursday. It concerns the "SAP NetWeaver Visual Composer Metadata Uploader" component, which is apparently not activated by default, but is classified by IT security researchers as a very frequently used optional module. The vulnerability allows attackers to inject malicious code without prior authentication (CVE-2025-31324, CVSS 10.0, risk "critical").
(dmk)