CVE-2025-31324

CVE-2025-31324 is a critical-severity vulnerability in Sap Netweaver with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-04-29). The underlying weakness is classified as CWE-434.

Key facts

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

CVE-2025-31324: SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated File Upload (CVSS 10)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2025-31324
CVSS v3.1 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS 0.99359 (99.93rd percentile)
KEV Yes (since 2025-04-29)
CWE CWE-434: Unrestricted Upload of File with Dangerous Type
Published 2025-04-24
Vendor SAP

Summary

A critical authorization flaw exists in the SAP NetWeaver Visual Composer Metadata Uploader. Because the endpoint does not enforce authentication, remote attackers can upload potentially malicious executable binaries without credentials, leading to full compromise of the host system.

Background

SAP NetWeaver is a widely deployed application platform that serves as the technical foundation for SAP Business Suite and other SAP solutions. The Visual Composer component provides a metadata-driven design environment. The Metadata Uploader functionality within Visual Composer is intended to import metadata artifacts, but in affected releases it is exposed without adequate access controls.

Root Cause

The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The Metadata Uploader endpoint fails to verify that the requester is authenticated and authorized before accepting file uploads. Consequently, any network-reachable actor can submit files, including executable binaries, to the server. The application also does not appear to adequately validate or restrict uploaded file types, allowing dangerous content to be placed in contexts where it can be processed or executed by the host.

Impact

With a CVSS 3.1 score of 10.0 (Critical), this vulnerability is among the most severe. The vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates that it is:

  • Network exploitable with low attack complexity
  • No privileges or user interaction required
  • Scope changed, meaning the vulnerable component can impact resources beyond its own security scope
  • High impact on Confidentiality, Integrity, and Availability

Successful exploitation can result in complete system compromise, data exfiltration, malware deployment, and disruption of business-critical SAP services.

Exploitation Walkthrough

Ethics Notice: This section is intended for defensive awareness and detection engineering only. Do not attempt to exploit systems you do not own or have explicit permission to test.

An attacker who can reach the SAP NetWeaver Visual Composer Metadata Uploader over the network can issue an unauthenticated upload request. Because the endpoint lacks authorization checks, the server accepts the payload and writes it to a location accessible to the application or underlying host. If the uploaded file is an executable or contains executable content, the attacker may then be able to trigger its execution through application logic, scheduled tasks, or direct invocation, depending on server configuration. Defenders should assume that any NetWeaver 7.50 instance with an exposed Visual Composer Metadata Uploader is at high risk of compromise if unpatched.

Affected and Patched Versions

  • Affected: SAP NetWeaver 7.50 (cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*)
  • Patched: SAP has released security updates. Refer to SAP Note 3594142 and the SAP Security Patch Day guidance for specific patch levels and support package information.

Remediation

  1. Apply SAP patches immediately. Prioritize systems running NetWeaver 7.50 and follow SAP Note 3594142.
  2. Restrict network access. Limit exposure of SAP NetWeaver administration and development interfaces, including Visual Composer endpoints, to trusted administrative hosts or jump boxes.
  3. Implement compensating controls. If patching is delayed, consider network-level segmentation, reverse-proxy rules, or Web Application Firewall (WAF) policies to block unauthenticated upload requests to the Metadata Uploader path.
  4. Validate file uploads. Ensure that any upload endpoints enforce strict file-type validation, restrict executable content, and store uploads outside web-accessible directories.

Detection

  • Monitor HTTP access logs for POST requests to the Visual Composer Metadata Uploader endpoint from unexpected source IPs.
  • Alert on uploaded files with executable extensions or MIME types in directories used by Visual Composer.
  • Correlate host-level telemetry (process creation, file integrity monitoring) with web upload events to identify potential follow-on execution.
  • Hunt for anomalous outbound connections from SAP application servers that may indicate successful compromise.

Assessment

This vulnerability is exceptionally dangerous. An EPSS score of 0.99359 places it in the top tier of observed vulnerabilities by exploitation likelihood, and its inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities database (since 2025-04-29) confirms that it is under active, in-the-wild exploitation. The combination of unauthenticated network access and unrestricted file upload creates a trivial path to remote code execution.

Key lessons:

  • Upload endpoints must always require strong authentication and authorization.
  • File upload functionality should enforce strict content validation and avoid writing user-supplied data to executable or web-servable paths.

References

Frequently asked questions

What is CVE-2025-31324?
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
How severe is CVE-2025-31324?
CVE-2025-31324 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-31324 being actively exploited?
Yes. CVE-2025-31324 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-04-29, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-31324?
CVE-2025-31324 affects Sap Netweaver. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-31324?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-31324 have an EU (EUVD) identifier?
Yes. CVE-2025-31324 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-11987. It is also flagged as exploited in the EUVD (since 2025-04-29).
When was CVE-2025-31324 published?
CVE-2025-31324 was published on 2025-04-24 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Sap Netweaver

All CVEs affecting Sap Netweaver →

Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities

Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →