A new, serious security flaw has been found in SAP NetWeaver — one of the world’s most widely used business software platforms. Hackers are already exploiting it to break into company systems, even if those systems are fully updated with the latest patches.

Security experts at ReliaQuest discovered the issue earlier this month, after spotting a wave of cyberattacks. In these incidents, hackers were able to sneak malicious files called "webshells" into SAP servers, giving them full remote control over the systems. Alarmingly, this vulnerability hadn’t been reported before, meaning companies had no way to defend against it — what’s known as a "zero-day" flaw.

How Hackers Broke In

The attacks target a specific part of SAP NetWeaver called the metadata uploader, a tool usually meant for helping developers manage files. Hackers found a way to trick this tool into uploading their own files instead — a type of flaw known as Remote File Inclusion (RFI).

Once inside, attackers installed lightweight webshells named helper.jsp and cache.jsp. These programs allowed them to run any command they wanted on the server just by sending simple web requests, like visiting a hidden webpage. From there, they could steal data, install more malware, or cause other serious damage.

The webshells used in the attacks were based on freely available code, making them easy for hackers to deploy and hard for defenders to spot.

What Hackers Did Next

Once they had access, hackers escalated their attack by bringing in a dangerous hacking tool called Brute Ratel. It’s a commercial program designed to control infected computers, steal passwords, and move deeper into networks — all while staying hidden from security software.

The attackers wrote source code into a plain text file, moved it into a Windows system folder, and compiled it into a working program using a built-in Microsoft tool. They then used Brute Ratel to inject malware directly into the computer's memory, where it is harder for security products to detect.

Hackers also used a sneaky method called Heaven’s Gate, which tricks the system by switching between 32-bit and 64-bit operations, making it even harder for security tools to catch them.

Why This Matters

This vulnerability is especially worrying because it affects SAP NetWeaver — a platform critical to many major companies and government agencies. Even fully updated systems were successfully hacked, suggesting that this is either a brand-new flaw or a twist on an older one.

There’s also a possibility that initial access brokers — hackers who break in and then sell access to others — are involved. While no evidence of sales has been found yet, SAP NetWeaver is often discussed in underground forums, so the risk is very real.

What Companies Should Do Now

Security experts urge organizations using SAP NetWeaver to act immediately:

  • Turn off the Visual Composer tool and the development server feature if they are not essential.

  • Block access to the vulnerable metadata uploader with strict firewall rules.

  • Closely monitor server logs for unusual file uploads, especially in certain SAP directories.

  • Scan for known webshells, particularly helper.jsp and cache.jsp.
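A defender-side helper for the two monitoring steps above (checking the file system for the named webshells and watching web-server logs for uploader traffic), added here as an example; it is not part of the original report or of any SAP tooling. The uploader URL path, the combined access-log format and the sample log lines are assumptions, and the hit names are constructed for the demo.

```python
import os
import re
import tempfile

# Webshell file names named in the report; matched case-insensitively.
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}

# Assumption (not stated on the page): the uploader is reached via a URL path
# containing "metadatauploader"; adjust the pattern to your own deployment.
UPLOADER_WRITE = re.compile(r'"(?:POST|PUT)\s+\S*metadatauploader', re.IGNORECASE)
# Request field of a common/combined access-log line, e.g. "GET /x.jsp HTTP/1.1"
JSP_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+?\.jsp)(?:\?\S*)?\s+HTTP', re.IGNORECASE)

def find_webshells(root):
    """Walk a directory tree and return paths whose file name is a known webshell."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in KNOWN_WEBSHELLS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def flag_log_lines(lines):
    """Return (reason, line) pairs for uploader writes and requests to known webshells."""
    findings = []
    for line in lines:
        if UPLOADER_WRITE.search(line):
            findings.append(("upload-to-metadata-uploader", line))
        m = JSP_REQUEST.search(line)
        if m and os.path.basename(m.group(1)).lower() in KNOWN_WEBSHELLS:
            findings.append(("request-to-known-webshell", line))
    return findings

# Constructed sample log lines (not from the incident); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2025:12:00:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Apr/2025:12:01:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
]

def demo_scan():
    """Build a throwaway tree with one planted webshell name and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "root", "irj"))
    for rel in ("root/irj/Cache.jsp", "root/index.jsp"):  # one hit, one benign JSP
        open(os.path.join(root, rel), "w").close()
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_webshells(root)]
```

Run `find_webshells` against the web root of each SAP instance and feed `flag_log_lines` the access logs; a filename match is a starting point only, since a renamed webshell will not trigger it.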

This incident highlights how vulnerable even critical business systems can be to zero-day attacks. Companies are strongly encouraged to tighten their defenses, apply all possible security measures, and stay alert for signs of intrusions while experts continue to investigate the full extent of the issue.
