Threat Insight
CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited
SAP has released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, is addressed by SAP Security Note 3594142.
The flaw allows unauthenticated remote attackers to execute malicious code on vulnerable systems through a file upload mechanism that fails to verify that the requesting user holds the appropriate permissions before accepting an upload.

If a malicious actor were to successfully exploit this, it could result in them achieving:
– Unauthorized access to sensitive business data
– Ability to modify critical business processes
– Ability to disrupt availability of essential SAP services
– Persistence within the network
– Ability to pivot to other systems within the infrastructure
CVE
CVE-2025-31324
Affected Products
VCFRAMEWORK Version 7.50
Exploitation
Actively exploited in the wild [1]. This CVE is in CISA’s Known Exploited Vulnerabilities Catalog [2].
Recommended Actions
Update SAP NetWeaver to the latest version. If that is not possible, follow these steps to mitigate the vulnerability:
– Restrict Access: Until patches can be applied, restrict access to the Metadata Uploader component.
– Review External Exposure: Ensure only authenticated users have upload permissions to SAP components.
– Implement Workaround: For organizations unable to patch immediately, SAP has provided a temporary workaround based on the scenario from KBA 3593336.
Furthermore, follow the steps in the “Detection” section to check whether your instance is vulnerable and which indicators to look for.
Detection
How to check if you are vulnerable: test whether the following URL is accessible without authentication:
https://[your-sap-server]/developmentserver/metadatauploader
If you can access this page without being prompted for credentials, your system is vulnerable [1].
For further investigation:
– Look for unauthorized access attempts to the /developmentserver/metadatauploader path
– Check for unexpected file uploads in web server logs
– Search for unusual execution patterns or suspicious processes on your SAP server
– Monitor for unauthorized outbound connections from your SAP systems
If you detect any of these indicators, assume your system may be compromised and initiate your incident response procedures immediately [1].
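As an added example (not from the original advisory, SAP, or the cited sources), the first two log-review steps above as a small script: it scans web-server access-log lines for requests to the Metadata Uploader path, counts attempts per source address, and flags 2xx responses served to an unauthenticated client (the vulnerable condition) and POST/PUT requests (upload attempts). The log layout and the sample lines are assumed and constructed: the pattern matches Apache/NGINX combined-log style entries and must be adapted to the actual SAP HTTP access-log format.

```python
import re
from collections import Counter

# Constructed sample lines in combined-log style (assumed format; adapt LOG_RE to your
# real SAP ICM/Java HTTP access log). Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:01:12 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2025:10:01:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 74',
    '198.51.100.7 - admin [25/Apr/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '192.0.2.9 - - [25/Apr/2025:10:06:30 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
    '192.0.2.9 - - [25/Apr/2025:10:07:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
]

TARGET_PATH = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines):
    """Count every request to the Metadata Uploader path per source IP and flag
    unauthenticated 2xx responses and POST/PUT (upload) requests to it."""
    attempts = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise case and drop any query string before comparing the path.
        path = rec["path"].split("?", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        attempts[rec["ip"]] += 1
        status = int(rec["status"])
        reasons = []
        if rec["user"] == "-" and 200 <= status < 300:
            reasons.append("unauthenticated-success")  # uploader reachable without login
        if rec["method"] in ("POST", "PUT"):
            reasons.append("upload-attempt")  # content was submitted to the uploader
        if reasons:
            flagged.append({"ip": rec["ip"], "method": rec["method"], "status": status, "reasons": reasons})
    return {"attempts": attempts, "flagged": flagged}
```

Run `find_indicators` over your exported log lines; any "unauthenticated-success" hit means the check at the top of this section would have succeeded for that client, and any "upload-attempt" should be correlated with files written on the server.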
References
[1] https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/
[2] https://www.cisa.gov/known-exploited-vulnerabilities-catalog