A new, serious security flaw has been found in SAP NetWeaver — one of the world’s most widely used business software platforms. Hackers are already exploiting it to break into company systems, even if those systems are fully updated with the latest patches.
Security experts at ReliaQuest discovered the issue earlier this month, after spotting a wave of cyberattacks. In these incidents, hackers were able to sneak malicious files called "webshells" into SAP servers, giving them full remote control over the systems. Alarmingly, this vulnerability hadn’t been reported before, meaning companies had no way to defend against it — what’s known as a "zero-day" flaw.
How Hackers Broke In
The attacks target a specific part of SAP NetWeaver called the metadata uploader, a tool usually meant for helping developers manage files. Hackers found a way to trick this tool into uploading their own files instead — a type of flaw known as Remote File Inclusion (RFI).
Once inside, attackers installed lightweight webshells named helper.jsp and cache.jsp. These programs allowed them to run any command they wanted on the server just by sending simple web requests, like visiting a hidden webpage. From there, they could steal data, install more malware, or cause other serious damage.
The webshells used in the attacks were based on freely available code, making them easy for hackers to deploy and hard for defenders to spot.
What Hackers Did Next
Once they had access, hackers escalated their attack by bringing in a dangerous hacking tool called Brute Ratel. It’s a commercial program designed to control infected computers, steal passwords, and move deeper into networks — all while staying hidden from security software.
The attackers cleverly wrote code to a simple text file, moved it into a Windows system folder, and then built it into a working program using a built-in Microsoft tool. They then used Brute Ratel to inject hidden malware into the computer's memory, avoiding detection.
Hackers also used a sneaky method called Heaven’s Gate, which tricks the system by switching between 32-bit and 64-bit operations, making it even harder for security tools to catch them.
Why This Matters
This vulnerability is especially worrying because it affects SAP NetWeaver — a platform critical to many major companies and government agencies. Even fully updated systems were successfully hacked, suggesting that this is either a brand-new flaw or a twist on an older one.
There’s also a possibility that initial access brokers — hackers who break in and then sell access to others — are involved. While no evidence of sales has been found yet, SAP NetWeaver is often discussed in underground forums, so the risk is very real.
What Companies Should Do Now
Security experts urge organizations using SAP NetWeaver to act immediately:
Turn off the Visual Composer tool and the development server feature if they are not essential.
Block access to the vulnerable metadata uploader with strict firewall rules.
Closely monitor server logs for unusual file uploads, especially in certain SAP directories.
Scan for known webshells, particularly helper.jsp and cache.jsp.
This incident highlights how vulnerable even critical business systems can be to zero-day attacks. Companies are strongly encouraged to tighten their defenses, apply all possible security measures, and stay alert for signs of intrusions while experts continue to investigate the full extent of the issue.
