Unauthorized Metadata Upload Vulnerability in SAP NetWeaver Visual Composer by SAP
CVE-2025-31324

9.8CRITICAL

Key Information:

Vendor: SAP
Status: SAP Netweaver (visual Composer Development Server)
Vendor: CVE Published:; 24 April 2025

Badges

🥇 Trended No. 1📈 Trended📈 Score: 26,300💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 78%🦅 CISA Reported📰 News Worthy

What is CVE-2025-31324?

CVE-2025-31324 is a critical vulnerability identified in SAP NetWeaver's Visual Composer component, which is widely used by organizations to develop applications without extensive coding. This vulnerability stems from a lack of proper authorization checks in the Metadata Uploader feature, specifically accessible through the /developmentserver/metadatauploader endpoint. As a result, unauthenticated individuals can exploit this weakness to upload arbitrary and potentially malicious files to the server, which can lead to severe consequences such as remote code execution and complete system compromise. Given that many businesses rely on SAP NetWeaver for critical operations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their systems.

The exploitation process involves sending specially crafted HTTP requests to the vulnerable endpoint, enabling attackers to upload files, including web shells, which allow them to execute commands on the server with administrative privileges. This scenario compromises not only the SAP environment but also any sensitive data contained within it, making timely remediation essential.

Potential impact of CVE-2025-31324

Unauthorized Remote Code Execution: Attackers can exploit this vulnerability to execute unauthorized commands on the SAP NetWeaver server, enabling them to take full control of the affected systems. This action can lead to data theft, unauthorized data manipulation, and further penetration into the organization's network.
Increased Risk of Data Breaches: With the ability to upload malicious files, attackers can facilitate data breaches that may expose sensitive company and customer information. Such incidents can have compliance repercussions and damage the organization’s reputation.
System Downtime and Operational Disruption: The successful exploitation of this vulnerability can lead to prolonged system downtimes due to malware deployment, remediation efforts, and potential recovery processes. This disruption can affect business operations and lead to significant financial losses.

CISA has reported CVE-2025-31324

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-31324 as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

SAP NetWeaver (Visual Composer development server) VCFRAMEWORK 7.50

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

sap_netweaver_cve-2025-31324-
Created by rf-peixoto

Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment
Created by Onapsis

CVE-2025-31324-File-Upload
Created by nullcult

News Articles

Techzine Europe

CVE-2025-31324

Ransomware groups join attacks on SAP NetWeaver

Administrators are strongly advised to update their SAP NetWeaver servers quickly or disable the Visual Composer component.

4 days ago

CVE-2025-31324

Critical SAP NetWeaver Vuln Faces Barrage of Cyberattacks

As threat actors continue to hop on the train of exploiting CVE-2025-31324, researchers are recommending that SAP administrators patch as soon as possible so that they don't fall victim next.

1 week ago