CVE-2025-31324
published 2025-04-24

CVE-2025-31324: SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious…

Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-05-20
Exploited in the wild
EPSS: 99.36% (99.9th percentile)
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Affected

2 ranges

Vendor    Product          Version range    Fixed in
sap       netweaver
sap_se    sap_netweaver

Detection & IOCs (extracted from sources)

filename: cache.jsp
filename: helper.jsp
other: Rule 1012351 - SAP NetWeaver Visual Composer Unrestricted File Upload Vulnerability (CVE-2025-31324)
other: Filter 41642 - HTTP: Generic JSP Command Execution Webshell Payload Detected
  • Monitor and restrict access to the /developmentserver/metadatauploader endpoint; unauthenticated POST requests to this path are the primary attack vector for CVE-2025-31324.
  • Hunt for web shells dropped in the SAP NetWeaver servlet path; known names include cache.jsp and helper.jsp, but threat actors also use random names.
  • Forward SAP NetWeaver logs to SIEM and scan for unauthorized files in the servlet path as a detection measure.
  • Uploaded web shells were used to deploy malware and establish C2 communications; correlate unexpected file uploads or command execution on SAP servers as high-fidelity alerts.
  • Multiple APT and ransomware groups have been observed actively exploiting CVE-2025-31324; treat any exploitation of this endpoint as a high-severity incident.
  • Visual Composer is not always required; disabling it entirely removes the attack surface if the component is not in use.
  • CVE-2025-42999 (deserialization) is a related underlying vulnerability that was not addressed by the CVE-2025-31324 patch; both SAP security notes (#3594142 and #3604119) must be applied for full protection.
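
The first three detection notes above can be combined into one triage pass. This is an added example, not code from this page or from SAP: it flags POST requests to the uploader endpoint, then any .jsp request from the same source, and lists .jsp files in a servlet directory against a known-good baseline. The log layout, the sample lines, the sample paths and the directory argument are assumptions to adapt to your environment.

```python
import re
from pathlib import Path

UPLOADER = "/developmentserver/metadatauploader"  # endpoint named on this page
KNOWN_SHELLS = {"cache.jsp", "helper.jsp"}         # names listed on this page

# Assumption: common access-log layout; adjust the pattern to your log format.
LINE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def triage_log(lines):
    """Flag POSTs to the uploader, then .jsp requests from the same source."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path.startswith(UPLOADER):
            uploaders.add(m["src"])
            # "-" in the user field means no authenticated user was logged
            sev = "high" if m["user"] == "-" else "review"
            findings.append((n, sev, "uploader-post", m["src"]))
        elif path.endswith(".jsp") and m["src"] in uploaders:
            name = path.rsplit("/", 1)[-1]
            tag = "known-shell-name" if name in KNOWN_SHELLS else "jsp-after-upload"
            findings.append((n, "high", tag, m["src"]))
    return findings

def hunt_jsp(servlet_dir, baseline=frozenset()):
    """List .jsp files under servlet_dir that are not in a known-good baseline."""
    hits = []
    for p in sorted(Path(servlet_dir).rglob("*.jsp")):
        if p.is_file() and p.name not in baseline:
            rel = p.relative_to(servlet_dir).as_posix()
            hits.append((rel, p.name.lower() in KNOWN_SHELLS))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths and user).
SAMPLE = [
    '198.51.100.7 - - [24/Apr/2025:10:00:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120',
    '198.51.100.7 - - [24/Apr/2025:10:00:05 +0000] "GET /example/servlet/helper.jsp HTTP/1.1" 200 45',
    '192.0.2.10 - jdoe [24/Apr/2025:10:01:00 +0000] "GET /example/servlet/index.jsp HTTP/1.1" 200 900',
    '198.51.100.7 - - [24/Apr/2025:10:02:00 +0000] "GET /example/servlet/a8f3k2.jsp HTTP/1.1" 200 45',
    '192.0.2.10 - jdoe [24/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE):
        print(finding)
```

Because the page notes that threat actors also use random file names, the file hunt relies on the baseline rather than on the two known names alone.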

CVSS provenance

nvd          v3.1    9.8     CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck            10.0    CRITICAL
cisa                 9.8     CRITICAL