A critical vulnerability in SAP NetWeaver Visual Composer, identified as CVE-2025-31324 with a severity score of 10, allows unauthorized file uploads and execution of malicious files. Initially suspected as a remote file inclusion issue, it was confirmed to be an unrestricted file upload vulnerability. Attackers exploited this vulnerability to upload JSP webshells, gaining remote control and executing arbitrary commands. The exploitation involved abusing the /developmentserver/metadatauploader endpoint. Attackers used sophisticated tools like Brute Ratel and the Heaven's Gate technique for command-and-control and evasion. SAP released a patch to address this vulnerability, which is strongly recommended to be applied immediately.