Latest NetWeaver vulnerabilities #

On April 24, 2025, SAP issued an emergency patch note for several of the Visual Composer development server component of the NetWeaver server.

  • CVE-2025-31324 is rated critical with a CVSSv3 base score of 10.0. Successful exploitation of this vulnerability could lead to remote code execution by remote unauthenticated attackers.

What is the impact? #

A missing authentication check within the Visual Composer Metadata Uploader could allow remote unauthenticated attacker to upload malicious files, such as webshells, to a vulnerable target. They could then directly execute the shells via GET request potentially resulting in system compromise.

The Visual Component development server is not installed by default but is reportedly very commonly installed and used.

Are updates or workarounds available? #

SAP has issued patches and provided some mitigation guidance for all affected software. Refer to the advisory above for more information. The official documentation indicates that NetWeaver 7.50 and higher are impacted but there have been reports that this impacts 7.1x as well.

How to find NetWeaver installations with runZero #

From the Asset inventory, use the following query to locate assets running any version of NetWeaver:

product:NetWeaver

From the Software inventory, use the following query to locate assets running any version of NetWeaver:

vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)

March 2025 : SAP Commerce, Commerce Cloud and NetWeaver vulnerabilities #

On March 11th, 2025, SAP issued an advisory for several of their products including Commerce, Commerce Cloud and NetWeaver.

  • CVE-2025-26661 is rated high with a CVSSv3 base score of 8.8. Successful exploitation of this vulnerability could lead to privilege escalation and the potential disclosure of sensitive information.

What is the impact? #

A missing authorization check within the ABAP Class Builder could allow an authenticated attacker, or malicious user to escalate their privileges, which could lead to the disclosure of sensitive information.

Are updates or workarounds available? #

SAP has issued patches for all affected software. Refer to the advisory above for more information.

How to find NetWeaver installations with runZero #

From the Asset inventory, use the following query to locate assets running any version of NetWeaver:

product:NetWeaver

February 2022: SAP NetWeaver vulnerabilities #

A set of recently patched SAP vulnerabilities has been surfaced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with their recommendation to patch as soon as possible. Discovered and disclosed by security researchers at Onapsis, these three vulnerabilities are referred to as ICMAD and affect SAP applications which utilize the SAP Internet Communication Manager (ICM).

Which SAP NetWeaver versions are affected? #

Some versions of SAP NetWeaver contain all three of these ICMAD vulnerabilities:

  • CVE-2022-22536 (CVSS "critical" score of 10.0) - vulnerable to request smuggling and request concatenation, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, data exfiltration, denial of service, and more. In addition to NetWeaver, some versions of SAP Web Dispatcher and SAP Content Server also contain this vulnerability.
  • CVE-2022-22532 (CVSS "high" score of 8.1) - vulnerability in shared memory handling, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, or taking over the victim's logon session.
  • CVE-2022-22533 (CVSS "low" score of 3.7) - vulnerability in error handling which could result in a denial of service attack by exhausting available memory, leading to system shutdown.

Is a security patch available? #

Yes. SAP made patched software available earlier this week. While there currently are no known customer breaches related to exploitation of the ICMAD vulnerabilities, SAP does strongly recommend that admins update to the latest available versions as soon as possible.

How do I find potentially vulnerable SAP NetWeaver instances with runZero? #

From the Asset Inventory, use the following pre-built query to locate SAP NetWeaver assets within your network that are potentially vulnerable:

product:netweaver
Find SAP instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try runZero #

Don't have runZero and need help finding potentially vulnerable SAP instances? Start your runZero trial today.

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!

More about runZero Team

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Discover the new era of exposure management!