⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.. Due date: 2025-05-20.

CVE-2025-31324Unrestricted File Upload in SE SAP Netweaver

CWE-434Unrestricted File Upload23 documents11 sources
Severity
9.8CRITICALNVD
CNA10.0VulnCheck10.0
EPSS
34.1%
top 3.02%
CISA KEV
KEVRansomware
Added 2025-04-29
Due 2025-05-20
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
SAP SE SAP NetweaverSAP Netweaver
Timeline
PublishedApr 24
KEV addedApr 29
KEV dueMay 20
Latest updateAug 25
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDsap/netweaver7.50
CVEListV5sap_se/sap_netweaverVCFRAMEWORK 7.50

🔴Vulnerability Details

3
GHSA
GHSA-7w9p-pr7x-mjw2: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially mal2025-04-24
CVEList
Missing Authorization check in SAP NetWeaver (Visual Composer development server)2025-04-24
VulnCheck
SAP NetWeaver Unrestricted File Upload Vulnerability2025

💥Exploits & PoCs

1
Nuclei
SAP NetWeaver Visual Composer Metadata Uploader - Deserialization

🔍Detection Rules

3
Suricata
ET HUNTING SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated Arbitrary Command Execution (CVE-2025-31324)2025-08-25
Suricata
ET EXPLOIT SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated JSP File Upload (CVE-2025-31324)2025-08-25
Suricata
ET WEB_SPECIFIC_APPS SAP Netweaver Unauthenticated File Upload Attempt (JSP Webshell) (CVE-2025-31324)2025-04-28

📋Vendor Advisories

1
CISA
SAP NetWeaver Unrestricted File Upload Vulnerability2025-04-29

🕵️Threat Intelligence

12
Bleepingcomputer
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware2025-07-29
Trendmicro
Critical SAP Vulnerability Exposes Enterprises2025-06-12
Trendmicro
Critical SAP Vulnerability Exposes Enterprises2025-06-12
Trendmicro
Critical SAP Vulnerability Exposes Enterprises2025-06-12
Trendmicro
Critical SAP Vulnerability Exposes Enterprises2025-06-12
CVE-2025-31324 — Unrestricted File Upload | cvebase