Cybersecurity Forecast 2026: What to Expect – New Report
Get a Demo

Vulnerabilities

CVE-2025-31324

From Upload to Takeover: Decoding SAP NetWeaver CVE-2025-31324

Vulnerability Overview

CVE ID: CVE-2025-31324

CVE Title: SAP NetWeaver Visual Composer Metadata Uploader unrestricted file upload leading to remote code execution

Severity: Critical

Exploit Status: Actively exploited with public exploits, scanners, and listed in CISA’s KEV catalog.

Business Risk: Full host takeover, data theft, credential exposure, persistent backdoors, and ransomware risk.

Compliance Impact: May cause compliance failures under NIS2 or Sarbanes-Oxley for affected organizations.

Summary

CVE-2025-31324 affects the Metadata Uploader component of SAP NetWeaver Visual Composer. The component accepts uploads without proper authorization, allowing an unauthenticated actor to place executable web files into SAP web paths. Attackers have used this to deploy web shells and obtain remote command execution in the SAP process context, frequently resulting in full system takeover.

Urgent Actions Required

  • Apply SAP Security Notes 3594142 and 3604119 (patch).
  • If patching is not possible, follow SAP Note 3593336 (temporary workaround).
  • Restrict access to /developmentserver/metadatauploader.
  • Disable or uninstall Visual Composer (VCFRAMEWORK) if not used.

Which Systems Are Vulnerable to CVE-2025-31324?

Technical Overview

  • Vulnerability Type: Unrestricted file upload due to a missing authorization checks in the Visual Composer Metadata Uploader. Classified as CWE-434.
  • Affected Software/Versions:
    • SAP NetWeaver Java systems with the Visual Composer component (VCFRAMEWORK).
    • Specifically referenced: NetWeaver 7.50 and other 7.1x+ Java systems where Visual Composer is present.
    • Affected component path: devserver_metadataupload_ear / Metadata Uploader.
  • Attack Vector: Network (HTTP/HTTPS requests to the metadata uploader endpoint)
  • CVSS Score: 10
  • CVSS Vector: CVSS: 3.1
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
  • Patch Availability: Yes, available [1] [2]

How Does the CVE-2025-31324 Exploit Work?

The attack typically follows these steps:

CVE-2025-31324 Exploitation Process

What Causes CVE-2025-31324?

Vulnerability Root Cause:

The metadata uploader in SAP NetWeaver Visual Composer does not enforce proper authorization. An unauthenticated client can send upload requests, and the component accepts and writes those files into web-accessible servlet paths. The uploader also fails to validate how uploaded model binaries are processed. In some observed attacks, unsafe processing of uploaded content (including Java deserialization behaviors described in the incident response research) allowed execution of attacker-supplied code. SAP addressed the missing authorization check and later released a fix that removes the deserialization-based residual risk.

How Can You Mitigate CVE-2025-31324?

If immediate patching is delayed or not possible:

  • Restrict network access to /developmentserver/metadatauploader.
  • Remove or undeploy the devserver_metadataupload_ear application (SAP Option 0) where feasible.
  • Disable or uninstall Visual Composer (VCFRAMEWORK) if it is not required.
  • Apply the workaround options in SAP Note 3593336 when patching is delayed.
  • Note that SAP deprecated some earlier workarounds and recommends Option 0 for unpatchable systems.
  • Forward SAP HTTP access logs to your SIEM for review.
  • Search servlet paths for unexpected .jsp, .java, or .class files in irj/servlet_jsp/irj/root, work, and work/sync.
  • Look in logs for POST /developmentserver/metadatauploader and for subsequent GET requests to uploaded JSPs such as helper.jsp or cache.jsp.
  • Run the Onapsis + Mandiant compromise assessment tool referenced in your materials.
  • Use Onapsis, Unit42 YARA rules, and IOCs to hunt webshells.
  • Block or monitor IP addresses and domains listed by responders in the references.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • SAP NetWeaver Visual Composer Metadata Uploader (version 7.50).
  • Development server endpoint /developmentserver/metadatauploader.
  • Servlet paths where malicious JSP files can be uploaded and executed.

Business-Critical Systems at Risk:

  • SAP systems using NetWeaver Visual Composer.
  • Core SAP applications and business data running on affected NetWeaver servers.

Exposure Level:

  • Internet-facing SAP NetWeaver instances with Visual Composer enabled.
  • Internal systems with Visual Composer accessible to attackers.

Will Patching CVE-2025-31324 Cause Downtime?

Patch application impact: Low. Updating SAP NetWeaver Visual Composer can be done with limited downtime if planned.  

Mitigation (if immediate patching is not possible): Restrict access to /developmentserver/metadatauploader. Disable Visual Composer if not needed. Forward logs to SIEM and scan servlet paths for suspicious files. These steps reduce but do not remove risk.

How Can You Detect CVE-2025-31324 Exploitation?

Exploitation Signatures:

  • Look for usage of the SAP Visual Composer Metadata Uploader in unexpected ways.
  • Monitor for attempts to upload crafted metadata files that could trigger remote code execution.

Behavioral Indicators:

  • Unexpected execution of scripts or processes via Visual Composer uploads.
  • Abnormal system behavior after metadata uploads, such as unauthorized code execution.

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for suspicious uploads through the Visual Composer Metadata Uploader.

Remediation & Response

Patch/Upgrade Instructions:

    1. Apply SAP Security Note 3594142[1]
    2. Apply SAP Security Note 3604119[2]

Remediation Timeline:

  • Immediate: Apply the security notes to affected systems. Minimal downtime expected; system restart may be required depending on the SAP environment.

Rollback Plan:

If issues occur after applying the notes, revert changes according to your SAP change-management procedures.

Mitigation Steps if No Patch:

  • Monitor systems for unauthorized uploads via the Visual Composer Metadata Uploader.
  • Review logs to check if remote code execution attempts occurred.

Where Can I Find More Information on CVE-2025-31324?

  1. ^SAP Security Patch Day – April 2025
  2. ^SAP Security Patch Day – May 2025
  3. ^NVD – CVE-2025-31324
  4. ^Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

CVSS Breakdown Table

MetricValue Description
Base Score10Critical severity vulnerability with maximum impact and exploitability
Attack VectorNetworkExploitable remotely via Visual Composer Metadata Uploader
Attack ComplexityLowExploit does not require special conditions
Privileges RequiredNoneNo authentication or elevated privileges needed
User Interaction NoneNo user action required
Scope Changed Exploitation affects components beyond the vulnerable SAP NetWeaver module
Confidentiality Impact HighExploit can expose sensitive system data
Integrity ImpactHighExploit allows unauthorized modification or execution
Availability ImpactHighExploit can cause full system disruption or denial of service

Stop threats before they spread with Fidelis Network

Download the Whitepaper

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo