SAP has released an emergency patch for CVE-2026-2030, a critical unauthenticated remote code execution vulnerability in SAP NetWeaver Application Server Java rated CVSS 10.0. Attackers are actively deploying webshells on unpatched systems.
SAP released an out-of-band security note (SAP Note 3594142) on April 22, 2026, addressing CVE-2026-2030, a critical unauthenticated remote code execution vulnerability in SAP NetWeaver Application Server Java. The vulnerability exists in the Visual Composer Metadata Uploader component and allows an unauthenticated attacker to upload arbitrary files to the SAP server, including executable code. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 — the maximum possible score — reflecting the fact that it requires no authentication, no user interaction, and provides complete system compromise. Mandiant confirmed active exploitation within 24 hours of the advisory's publication.
Mandiant's incident response team has responded to multiple confirmed compromises of SAP NetWeaver systems exploiting CVE-2026-2030. In each case, attackers used the vulnerability to upload a webshell — a malicious script that provides persistent remote access to the server — to the SAP system. The webshells were placed in publicly accessible directories, allowing attackers to execute commands on the SAP server through a web browser. From the SAP server, attackers have been observed accessing connected databases, exfiltrating business data including financial records and customer information, and attempting to move laterally to other systems on the network. SAP systems often contain some of the most sensitive business data in an organization, making this a particularly high-impact vulnerability.
CVE-2026-2030 affects SAP NetWeaver Application Server Java versions 7.50, 7.53, and 7.54. Organizations running SAP ERP, SAP S/4HANA with Java stack components, SAP Enterprise Portal, or other SAP products built on the NetWeaver Java platform may be affected. Because the flaw sits in the Visual Composer Metadata Uploader, exposure depends on that component being deployed and reachable, so check for it rather than relying on the NetWeaver version alone. If your organization uses SAP and you are unsure whether you are running an affected version or component, contact your SAP Basis administrator or SAP support immediately. Given the severity of this vulnerability and the active exploitation, treat this as an emergency.
Apply SAP Note 3594142 immediately; it is the official patch from SAP. If you cannot apply the patch right away, implement the workaround described in the note, which disables the Visual Composer Metadata Uploader service. Patching closes the upload path but does not remove anything an attacker has already placed, so after patching scan your SAP system for webshells by checking for recently created or modified files in the SAP web application directories. Review the HTTP access logs for unusual POST requests to the metadata uploader endpoint, particularly from external IP addresses, and correlate any such request with the file timestamps found in the scan. If you find evidence of compromise, engage a qualified incident response team immediately; do not attempt to clean up a compromised SAP system without expert assistance.
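The two checks above (POSTs to the uploader endpoint from outside the network, and recently modified files under the web application tree) can be scripted. The following is an added example written for this page, not code from SAP or Mandiant. It assumes the uploader servlet path `/developmentserver/metadatauploader` (confirm the actual path against SAP Note 3594142), an Apache combined-style access log format (SAP's HTTP access log layout is configurable, so adapt `LOG_RE`), RFC 1918 and loopback ranges as "internal", and a small set of watched file extensions; the sample log lines and the temporary directory tree are constructed for the demo.

```python
import ipaddress
import os
import re
import tempfile
import time

# Assumption: the servlet path of the Visual Composer Metadata Uploader.
# Verify the exact path against SAP Note 3594142 for your release.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: access log lines in Apache combined-style format. SAP's ICM and
# AS Java HTTP access logs can be configured differently; adapt LOG_RE to match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Address ranges treated as internal; adjust to your own network.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# File types worth flagging in an AS Java deployment tree (assumed list).
WEB_EXTENSIONS = {".jsp", ".jspx", ".class", ".jar", ".war"}


def is_external(ip):
    """True if the address is outside the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_requests(lines):
    """Return POST requests to the uploader endpoint found in access log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        # Drop the query string and trailing slash before comparing the path.
        path = m.group("target").split("?", 1)[0].rstrip("/").lower()
        if m.group("method") == "POST" and path == UPLOADER_PATH:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "external": is_external(m.group("ip")),
            })
    return hits


def recently_modified_files(root, since_epoch, extensions=WEB_EXTENSIONS):
    """Walk root and return watched files modified at or after since_epoch."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            try:
                mtime = os.stat(full).st_mtime
            except OSError:
                continue  # file vanished or unreadable; skip
            if mtime >= since_epoch:
                found.append(full)
    return sorted(found)


# Constructed sample log: two POSTs to the uploader (one from an external
# address, one internal) among ordinary portal traffic. Not real data.
SAMPLE_LOG = """\
198.51.100.23 - - [23/Apr/2026:02:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.15 - - [23/Apr/2026:08:01:44 +0000] "GET /irj/portal HTTP/1.1" 200 8421
203.0.113.9 - - [23/Apr/2026:08:03:12 +0000] "GET /irj/portal HTTP/1.1" 302 0
10.0.0.15 - - [23/Apr/2026:09:22:10 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 310
"""


def demo_scan():
    """Constructed demo: build a throwaway tree with one old and one fresh .jsp
    and return the basenames that a 7-day modification scan flags."""
    root = tempfile.mkdtemp(prefix="sapscan_")
    webdir = os.path.join(root, "irj")
    os.makedirs(webdir)
    old = os.path.join(webdir, "old_page.jsp")
    fresh = os.path.join(webdir, "fresh_page.jsp")
    for p in (old, fresh):
        with open(p, "w") as fh:
            fh.write("<%-- placeholder --%>\n")
    now = time.time()
    os.utime(old, (now - 90 * 86400, now - 90 * 86400))  # 90 days old
    os.utime(fresh, (now, now))
    return [os.path.basename(p) for p in recently_modified_files(root, now - 7 * 86400)]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        tag = "EXTERNAL" if hit["external"] else "internal"
        print(f"{hit['timestamp']} {hit['ip']:<15} status={hit['status']} {tag}")
    print("recently modified:", demo_scan())
```

Run it against your real access log and web application root by feeding the log lines to `suspicious_requests` and pointing `recently_modified_files` at the deployment directory with a cutoff of the advisory date; an internal source address is not a clean bill of health, since the page describes attackers moving laterally once inside, so review every hit rather than only the external ones.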
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.