CVE-2025-31324
CVE-2025-31324 is a critical-severity vulnerability in Sap Netweaver with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-04-29). The underlying weakness is classified as CWE-434.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-04-29)
- EU (EUVD) id: EUVD-2025-11987
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-04-29)
- Weakness: CWE-434
- Affected product: Sap Netweaver
- Published:
- Last modified:
Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CVE-2025-31324: SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated File Upload (CVSS 10)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-31324 |
| CVSS v3.1 | 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| EPSS | 0.99359 (99.93rd percentile) |
| KEV | Yes (since 2025-04-29) |
| CWE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Published | 2025-04-24 |
| Vendor | SAP |
Summary
A critical authorization flaw exists in the SAP NetWeaver Visual Composer Metadata Uploader. Because the endpoint does not enforce authentication, remote attackers can upload potentially malicious executable binaries without credentials, leading to full compromise of the host system.
Background
SAP NetWeaver is a widely deployed application platform that serves as the technical foundation for SAP Business Suite and other SAP solutions. The Visual Composer component provides a metadata-driven design environment. The Metadata Uploader functionality within Visual Composer is intended to import metadata artifacts, but in affected releases it is exposed without adequate access controls.
Root Cause
The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The Metadata Uploader endpoint fails to verify that the requester is authenticated and authorized before accepting file uploads. Consequently, any network-reachable actor can submit files, including executable binaries, to the server. The application also does not appear to adequately validate or restrict uploaded file types, allowing dangerous content to be placed in contexts where it can be processed or executed by the host.
Impact
With a CVSS 3.1 score of 10.0 (Critical), this vulnerability is among the most severe. The vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates that it is:
- Network exploitable with low attack complexity
- No privileges or user interaction required
- Scope changed, meaning the vulnerable component can impact resources beyond its own security scope
- High impact on Confidentiality, Integrity, and Availability
Successful exploitation can result in complete system compromise, data exfiltration, malware deployment, and disruption of business-critical SAP services.
Exploitation Walkthrough
Ethics Notice: This section is intended for defensive awareness and detection engineering only. Do not attempt to exploit systems you do not own or have explicit permission to test.
An attacker who can reach the SAP NetWeaver Visual Composer Metadata Uploader over the network can issue an unauthenticated upload request. Because the endpoint lacks authorization checks, the server accepts the payload and writes it to a location accessible to the application or underlying host. If the uploaded file is an executable or contains executable content, the attacker may then be able to trigger its execution through application logic, scheduled tasks, or direct invocation, depending on server configuration. Defenders should assume that any NetWeaver 7.50 instance with an exposed Visual Composer Metadata Uploader is at high risk of compromise if unpatched.
Affected and Patched Versions
- Affected: SAP NetWeaver 7.50 (
cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*) - Patched: SAP has released security updates. Refer to SAP Note 3594142 and the SAP Security Patch Day guidance for specific patch levels and support package information.
Remediation
- Apply SAP patches immediately. Prioritize systems running NetWeaver 7.50 and follow SAP Note 3594142.
- Restrict network access. Limit exposure of SAP NetWeaver administration and development interfaces, including Visual Composer endpoints, to trusted administrative hosts or jump boxes.
- Implement compensating controls. If patching is delayed, consider network-level segmentation, reverse-proxy rules, or Web Application Firewall (WAF) policies to block unauthenticated upload requests to the Metadata Uploader path.
- Validate file uploads. Ensure that any upload endpoints enforce strict file-type validation, restrict executable content, and store uploads outside web-accessible directories.
Detection
- Monitor HTTP access logs for
POSTrequests to the Visual Composer Metadata Uploader endpoint from unexpected source IPs. - Alert on uploaded files with executable extensions or MIME types in directories used by Visual Composer.
- Correlate host-level telemetry (process creation, file integrity monitoring) with web upload events to identify potential follow-on execution.
- Hunt for anomalous outbound connections from SAP application servers that may indicate successful compromise.
Assessment
This vulnerability is exceptionally dangerous. An EPSS score of 0.99359 places it in the top tier of observed vulnerabilities by exploitation likelihood, and its inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities database (since 2025-04-29) confirms that it is under active, in-the-wild exploitation. The combination of unauthenticated network access and unrestricted file upload creates a trivial path to remote code execution.
Key lessons:
- Upload endpoints must always require strong authentication and authorization.
- File upload functionality should enforce strict content validation and avoid writing user-supplied data to executable or web-servable paths.
References
- https://me.sap.com/notes/3594142
- https://url.sap/sapsecuritypatchday
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
- https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
- https://www.theregister.com/2025/04/25/sap_netweaver_patch/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324
Frequently asked questions
- What is CVE-2025-31324?
- SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- How severe is CVE-2025-31324?
- CVE-2025-31324 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-31324 being actively exploited?
- Yes. CVE-2025-31324 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-04-29, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-31324?
- CVE-2025-31324 affects Sap Netweaver. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-31324?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-31324 have an EU (EUVD) identifier?
- Yes. CVE-2025-31324 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-11987. It is also flagged as exploited in the EUVD (since 2025-04-29).
- When was CVE-2025-31324 published?
- CVE-2025-31324 was published on 2025-04-24 and last updated on 2026-06-17.
References
- https://me.sap.com/notes/3594142
- https://url.sap/sapsecuritypatchday
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
- https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
- https://www.theregister.com/2025/04/25/sap_netweaver_patch/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324
Affected products (1)
- cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*
More vulnerabilities in Sap Netweaver
- CVE-2013-6822 — Critical (CVSS 10.0): GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML…
- CVE-2021-38163 — Critical (CVSS 9.9): SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker…
- CVE-2011-1517 — Critical (CVSS 9.8): SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function.…
- CVE-2013-1592 — Critical (CVSS 9.8): A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending…
- CVE-2015-7241 — Critical (CVSS 9.8): XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
- CVE-2016-10311 — Critical (CVSS 9.8): Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by…
All CVEs affecting Sap Netweaver →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →