
6,000 Mexican Servers Exposed: Oil Sector at Risk

Written by Jonathan Montoya | Apr 28, 2025 11:43:10 PM

More than six thousand servers across Mexico are at risk of being hacked, opening the door for attackers to take control of critical systems, steal confidential information, or even shut down key operations of the government and private companies. According to TPX Security, this security flaw is no small issue: it threatens strategic sectors such as oil, housing, and essential services, directly impacting institutions like Pemex and Conavi.

This goes far beyond a simple technical mistake. We're talking about a serious exposure that could impact the country's economy and overall stability. Now more than ever, strengthening cybersecurity isn't optional — it's urgent.

 

A Serious Flaw in SAP Leaves the Door Open to Cyberattacks

 

A vulnerability, identified as CVE-2025-31324, was recently discovered affecting SAP NetWeaver Visual Composer, a technology widely used by governments and large companies to manage their internal systems.

So, what does all this mean? It means attackers don’t need passwords or special access: they can upload malicious files directly onto vulnerable servers, take full control, and steal or destroy any information they find.

 

 

Energy Infrastructure and Housing: Sectors at Risk

 

Beyond government and private company servers, the problem reaches a much more serious level: key institutions like Pemex and Conavi are also among the vulnerable systems.

The energy sector could be severely impacted, putting at risk the systems that manage the entire process of oil and gas supply, production, and distribution. In the housing sector, the damage could halt essential services like applications, registrations, and databases related to social housing programs and urban development.

A breach at Pemex, for example, wouldn’t just mean losing important internal documents; it could also disrupt strategic operations vital to the country's economy, especially if critical systems are compromised.

 


 

What Could Happen If We Don't Act Quickly?

 

If this vulnerability isn’t fixed soon, the consequences could be very serious. We’re talking about the real possibility of attackers gaining access to confidential government databases that store sensitive citizen information, official contracts, and strategic records.

Critical information is also at risk — financial documents, internal plans, and key agreements — which, if they fall into the wrong hands, could be used for extortion or sold on illegal markets. But it’s not just about stealing information: there’s also the danger of entire operations coming to a halt, affecting everything from basic services to large-scale economic activities.

One of the most alarming scenarios is a ransomware attack, where hackers lock down systems and demand payment to restore access. The worst part? All of this could happen quietly, without anyone realizing until it’s too late to prevent major damage.

 

What Should Be Done Right Now?

 

To reduce the risks, experts recommend acting immediately:

 

  1. Install SAP’s security update released in Note #3594142 as soon as possible.

  2. Restrict access to vulnerable parts of the system, so outsiders can’t try to break in.

  3. Closely monitor any unusual activity on the servers and strengthen security controls to detect any suspicious movements before it’s too late.

 


 

How Big Is the Problem in Mexico?

 

The report shows that we’re not just dealing with a few isolated cases. There are more than 6,726 vulnerable servers across Mexico, and they aren’t concentrated in a single location. The most affected areas are Mexico City, the State of Mexico, Nuevo León, Jalisco, and Morelos.

This widespread distribution is concerning because it doesn’t just impact major economic zones — it also reaches strategic regions, increasing the risk that a cyberattack could have a nationwide effect.

 

Why Is This Vulnerability So Serious?

 

Put simply: this flaw in SAP leaves the door wide open for any attacker to:

 

  1. Get in without needing a username or password.

  2. Install viruses or malicious programs.

  3. Steal sensitive information.

  4. Disrupt the normal functioning of systems.

 

And in the worst-case scenario, they could even shut down critical services, like citizen service platforms, housing systems, energy operations, or national security databases — all without anyone noticing... until it’s far too late.

 

Not Just in Mexico: SAP Vulnerability Is a Global Problem

 

It’s now confirmed: many SAP NetWeaver servers are fully exposed online, making them an easy target for attackers. A recent analysis found 427 exposed servers, warning about the massive attack surface and the huge risk if someone decides to exploit these vulnerabilities.

Most of the vulnerable systems are located in the United States (149), followed by India (50), Australia (37), China (31), Germany (30), the Netherlands (13), Brazil (10), and France (10). And that's not all. Newer data shows the problem is even worse: at least 1,284 vulnerable servers are currently online, and 474 of them may have already been compromised using malicious tools known as webshells.

What’s even more alarming is that about 20 companies listed in the Fortune 500 and Global 500 rankings are among the affected — meaning large multinational corporations handling critical operations worldwide.

Attackers often hide their backdoors in files with names like "cache.jsp" or "helper.jsp," but sometimes they use completely random names, making it much harder to detect compromised servers.
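One way to triage a server for the backdoors described above, as an added example that is not from the original article: it flags the two reported file names and random-looking names and, because names alone are unreliable, also reports any JSP file missing from a known-good baseline. The entropy and vowel thresholds, the baseline set and the sample directory tree are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# File names the article reports attackers using for backdoors.
REPORTED_NAMES = {"cache.jsp", "helper.jsp"}

def looks_random(stem):
    """Heuristic (assumption): alphanumeric stems with high character
    entropy and few vowels resemble generated names rather than words."""
    s = stem.lower()
    if len(s) < 6 or not s.isalnum():
        return False
    entropy = -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())
    vowels = sum(s.count(v) for v in "aeiou")
    return entropy >= 2.5 and vowels / len(s) < 0.25

def triage_jsp(root, baseline):
    """Return {relative_path: [reasons]} for JSP files that need review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            reasons = []
            if name.lower() in REPORTED_NAMES:
                reasons.append("reported-name")
            if looks_random(os.path.splitext(name)[0]):
                reasons.append("random-looking-name")
            if rel not in baseline:  # catches names no blocklist anticipates
                reasons.append("not-in-baseline")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Constructed sample tree: one expected page and three unexpected files."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("app/index.jsp", "app/helper.jsp", "app/xk9qzt3w.jsp", "app/report.jsp"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return triage_jsp(root, baseline={"app/index.jsp"})

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, reasons)
```

The `report.jsp` entry in the sample is flagged only by the baseline comparison, which is the check that still works when the name is neither reported nor random-looking.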

Even though the total number of vulnerable servers might not seem massive at first glance, the risk is extremely high: many of these exposed machines belong to major companies where any breach could have devastating consequences.

 

Location of Vulnerable SAP NetWeaver Instances (Source: The Shadowserver Foundation)