🗓️ Join us & Jay Jacobs (EPSS Lead Data Scientist) for a very special runZero Hour. Register Now!

On This Page:

  1. Latest NetWeaver vulnerabilities
  2. What is the impact?
  3. Are updates or workarounds available?
  4. How to find NetWeaver installations with runZero
  5. March 2025 : SAP Commerce, Commerce Cloud and NetWeaver vulnerabilities
  6. What is the impact?
  7. Are updates or workarounds available?
  8. How to find NetWeaver installations with runZero
  9. February 2022: SAP NetWeaver vulnerabilities

How to find SAP NetWeaver instances on your network

runZero Team
Tom Sellers
|
Updated

Latest NetWeaver vulnerabilities #

On April 24, 2025, SAP issued an emergency patch note for several of the Visual Composer development server component of the NetWeaver server.

  • CVE-2025-31324 is rated critical with a CVSSv3 base score of 10.0. Successful exploitation of this vulnerability could lead to remote code execution by remote unauthenticated attackers.

What is the impact? #

A missing authentication check within the Visual Composer Metadata Uploader could allow remote unauthenticated attacker to upload malicious files, such as webshells, to a vulnerable target. They could then directly execute the shells via GET request potentially resulting in system compromise.

The Visual Component development server is not installed by default but is reportedly very commonly installed and used.

Are updates or workarounds available? #

SAP has issued patches and provided some mitigation guidance for all affected software. Refer to the advisory above for more information. The official documentation indicates that NetWeaver 7.50 and higher are impacted but there have been reports that this impacts 7.1x as well.

How to find NetWeaver installations with runZero #

From the Asset inventory, use the following query to locate assets running any version of NetWeaver:

product:NetWeaver

From the Software inventory, use the following query to locate assets running any version of NetWeaver:

vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)

March 2025 : SAP Commerce, Commerce Cloud and NetWeaver vulnerabilities #

On March 11th, 2025, SAP issued an advisory for several of their products including Commerce, Commerce Cloud and NetWeaver.

  • CVE-2025-26661 is rated high with a CVSSv3 base score of 8.8. Successful exploitation of this vulnerability could lead to privilege escalation and the potential disclosure of sensitive information.

What is the impact? #

A missing authorization check within the ABAP Class Builder could allow an authenticated attacker, or malicious user to escalate their privileges, which could lead to the disclosure of sensitive information.

Are updates or workarounds available? #

SAP has issued patches for all affected software. Refer to the advisory above for more information.

How to find NetWeaver installations with runZero #

From the Asset inventory, use the following query to locate assets running any version of NetWeaver:

product:NetWeaver

February 2022: SAP NetWeaver vulnerabilities #

A set of recently patched SAP vulnerabilities has been surfaced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with their recommendation to patch as soon as possible. Discovered and disclosed by security researchers at Onapsis, these three vulnerabilities are referred to as ICMAD and affect SAP applications which utilize the SAP Internet Communication Manager (ICM).

Which SAP NetWeaver versions are affected? #

Some versions of SAP NetWeaver contain all three of these ICMAD vulnerabilities:

  • CVE-2022-22536 (CVSS "critical" score of 10.0) - vulnerable to request smuggling and request concatenation, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, data exfiltration, denial of service, and more. In addition to NetWeaver, some versions of SAP Web Dispatcher and SAP Content Server also contain this vulnerability.
  • CVE-2022-22532 (CVSS "high" score of 8.1) - vulnerability in shared memory handling, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, or taking over the victim's logon session.
  • CVE-2022-22533 (CVSS "low" score of 3.7) - vulnerability in error handling which could result in a denial of service attack by exhausting available memory, leading to system shutdown.

Is a security patch available? #

Yes. SAP made patched software available earlier this week. While there currently are no known customer breaches related to exploitation of the ICMAD vulnerabilities, SAP does strongly recommend that admins update to the latest available versions as soon as possible.

How do I find potentially vulnerable SAP NetWeaver instances with runZero? #

From the Asset Inventory, use the following pre-built query to locate SAP NetWeaver assets within your network that are potentially vulnerable:

product:netweaver
Find SAP instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try runZero #

Don't have runZero and need help finding potentially vulnerable SAP instances? Start your runZero trial today.

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!

More about runZero Team

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more

Watch Now • On Demand
Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

Watch Now
runZero Hour, Episode 17
The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
Watch Now
Product Release
Tackling the New Era of Exposure Management
Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
Read More
Webcast
The Unreasonable Effectiveness of Inside Out Attack Surface Management
HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
© Copyright 2025 runZero, Inc. All Rights Reserved

Discover the new era of exposure management!

Read our Launch Blog