Sunday, May 4, 2025

High risk of abuse and damage from critical vulnerability in SAP systems

Warning from DTC, NCSC and Onapsis: Install emergency patch immediately

The Digital Trust Center (DTC), SAP security partner Onapsis and the National Cyber Security Center (NCSC) are sounding the alarm about a critical vulnerability in various SAP products. The vulnerability, identified as CVE-2025-31324, is now being actively abused. According to the DTC, there are concrete indications that attackers are placing webshells on affected systems through this vulnerability.

Webshells are tools that let malicious parties regain access to the system later. The National Cyber Security Center (NCSC) reported earlier that this vulnerability is being actively abused. Further research shows that attackers can not only gain access but also place so-called webshells via the vulnerability. The webshells are now also traded on the dark web, which considerably increases the risk of large-scale abuse. The DTC has therefore raised the threat level to High/High, which means that both the chance of abuse and the potential damage are high.

The vulnerability is in a component of SAP NetWeaver Visual Composer called ‘Metadata uploader’. According to the DTC, a crucial access control mechanism is missing here, so that an attacker can upload files to the server without logging in. In addition to SAP NetWeaver, other SAP products are also affected (see the list below the article).

Emergency patch

An emergency patch has been made available. The DTC urgently advises installing this patch immediately and scanning systems for the presence of webshells. Furthermore, regular security updates are available for the other vulnerabilities in the products mentioned in the list.

Companies that are not sure whether they run the affected SAP software are advised to contact their IT service provider directly. “In addition, keep an eye on the websites of the NCSC and SAP for further updates and recommended actions,” said the DTC. The Onapsis report is here.

In addition to SAP NetWeaver, other SAP products have also been affected, including:
SAP Financial Consolidation
SAP Landscape Transformation
SAP NetWeaver Application Server ABAP
SAP Commerce Cloud
SAP ERP BW
SAP BusinessObjects Business Intelligence Platform
SAP KMC WPC
SAP Solution Manager
SAP S4core
SAP CRM

Source: DTC.
