Introduction
SAP has recently disclosed a critical zero-day security vulnerability, identified as CVE-2025-31324 [1] [3] [4] [5] [6] [7] [8] [10] [11], which affects the Visual Composer component within the SAP NetWeaver application server [1]. This vulnerability, characterized by a Missing Authorization Check [10], poses a significant risk due to its potential for full remote code execution and system compromise.
Description
SAP has disclosed and addressed a critical zero-day security vulnerability, tracked as CVE-2025-31324 [1] [3] [4] [5] [6] [7] [8] [10] [11], affecting the Visual Composer component within the SAP NetWeaver application server [1] [9], specifically the /developmentserver/metadatauploader endpoint [1] [6] [7] [11]. This high-severity flaw [10], described as a Missing Authorization Check and classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) [10], has been assigned the maximum severity score of 10.0 under both CVSS v3.1 and CVSS v2. It allows unauthenticated attackers to upload arbitrary files [1] [2] [5] [6] [7] [9], including executable content such as JSP and WAR files, directly to the system [8], enabling full remote code execution (RCE) and total system compromise [1] [8].
The core issue lies in the Metadata Uploader component [4] [10], which lacks proper authorization checks [5] [10]. Exploitation takes the form of crafted HTTP/HTTPS POST requests to the metadata uploader URL, with no authentication required [9]. Attackers can leverage this vulnerability to upload web shells into publicly accessible directories, which can then be executed remotely through simple GET requests. Once uploaded [2] [6], these malicious files are stored in a publicly accessible path: /j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/ [6]. From there, Java's Runtime.getRuntime().exec() method can be used to execute arbitrary commands on the server, giving the attacker full access to SAP resources with the privileges of the <sid>adm operating system user.
Evidence of active exploitation has been reported [1] [4] [9], with a notable spike in attempts and the deployment of web shell backdoors on exposed systems. The vulnerability specifically impacts the Visual Composer Framework version 7.50 [11], and systems that applied only the regular April 8, 2025 update remain vulnerable [11]. The vulnerability was discovered by the ReliaQuest Threat Research Team during investigations into multiple SAP NetWeaver breaches [7]. The first public disclosure occurred on April 22, 2025 [9], when SAP acknowledged the issue [9], noting the presence of unfamiliar files in the SAP NetWeaver Java file system as a symptom of exploitation [9]. An emergency security update was released on April 24, 2025 [9], with an additional update provided on April 26, 2025. Organizations are strongly urged to prioritize patching [9], implementing mitigations [9], and conducting compromise assessments [9]. Given SAP's extensive customer base of over 400,000 organizations globally [8], including many in critical industries such as manufacturing, healthcare [10], financial services [10], and government sectors [7] [8], the vulnerability poses a significant risk [3] [8]; estimates suggest that around 10,000 SAP instances may be vulnerable [8], particularly those with the Visual Composer component enabled.
If immediate application of the fix is not possible [1], organizations are advised to disable or restrict access to the vulnerable component [1]. To assess exposure [9], organizations should verify whether the Visual Composer framework (VCFRAMEWORK) is installed in their SAP systems and ensure that the patch from SAP Security Note #3594142 is applied, or implement the mitigations from SAP Note #3593336 [9]. Immediate actions include conducting deep scans for unauthorized web shells and reviewing logs for unauthorized access attempts, unexpected file uploads [1] [4] [6] [8], unusual execution patterns [1], and unauthorized outbound connections [1]. Indicators of compromise include the presence of files with .jsp, .java [9], or .class extensions in specific directories [9], such as the servlet_jsp path noted above; such files should be treated as malicious [9].
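The two checks recommended above (scanning the webroot for unexpected .jsp/.java/.class files and reviewing HTTP logs for unauthenticated uploads followed by execution) can be scripted. The following is an added example for this advisory, not code from SAP, Onapsis or any of the cited sources. It assumes a common-log-style access log (adjust LOG_RE for the real NetWeaver HTTP access log format); the sample log lines, client addresses and file names are constructed. Only the webroot path and the uploader endpoint are taken from the advisory text.

```python
import re
from pathlib import Path

# The webroot and endpoint are those named in the advisory. The log format,
# the sample lines and the sample file names below are constructed for this
# example; adapt LOG_RE to the real NetWeaver HTTP access log before use.
WEBROOT = Path("/j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/")
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
SUSPECT_EXTENSIONS = {".jsp", ".java", ".class"}

# Assumed common-log-style line:
#   client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client POSTs to the uploader and then fetches a
# JSP twice; a second client only browses normal portal pages.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [25/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87
198.51.100.7 - - [25/Apr/2025:10:15:33 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.7 - - [25/Apr/2025:10:15:40 +0000] "GET /irj/portal/page.jsp HTTP/1.1" 200 2048
203.0.113.10 - - [25/Apr/2025:10:16:01 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 63
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _path_only(path):
    """Strip any query string so endpoint comparisons are exact."""
    return path.split("?", 1)[0]


def flag_upload_requests(lines):
    """Return every POST to the unauthenticated metadata uploader endpoint."""
    return [
        rec for rec in map(parse_line, lines)
        if rec and rec["method"] == "POST"
        and _path_only(rec["path"]).lower() == UPLOAD_ENDPOINT
    ]


def flag_followup_fetches(lines):
    """Return GETs for .jsp/.java/.class resources issued by a client that
    earlier POSTed to the uploader: the upload-then-execute pattern the
    advisory describes. GETs from clients with no prior upload are ignored."""
    uploaders = set()
    hits = []
    for rec in map(parse_line, lines):
        if not rec:
            continue
        path = _path_only(rec["path"])
        if rec["method"] == "POST" and path.lower() == UPLOAD_ENDPOINT:
            uploaders.add(rec["client"])
        elif (rec["method"] == "GET" and rec["client"] in uploaders
              and Path(path).suffix.lower() in SUSPECT_EXTENSIONS):
            hits.append(rec)
    return hits


def suspect_files(paths):
    """Filter an iterable of path strings to those with a suspect extension
    (case-insensitive, so helper.JSP is caught as well as helper.jsp)."""
    return [p for p in paths if Path(p).suffix.lower() in SUSPECT_EXTENSIONS]


def scan_webroot(root=WEBROOT):
    """Walk the advisory's webroot and list suspect files; empty if absent."""
    if not root.is_dir():
        return []
    return suspect_files(str(p) for p in root.rglob("*") if p.is_file())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in flag_upload_requests(lines):
        print(f"[upload]    {rec['ts']} {rec['client']} POST {rec['path']} -> {rec['status']}")
    for rec in flag_followup_fetches(lines):
        print(f"[follow-up] {rec['ts']} {rec['client']} GET {rec['path']} -> {rec['status']}")
    for f in scan_webroot():
        print(f"[file]      {f}")
```

Any hit from flag_upload_requests on an internet-facing system that has not applied Security Note #3594142 warrants a compromise assessment, and any hit from scan_webroot should be preserved for forensic review rather than simply deleted. The follow-up correlation keys on the client address only, so it will miss an attacker who uploads from one address and executes from another; treat it as a triage aid, not a complete detection.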
Consequences of exploitation include unauthorized access to sensitive SAP business data [11], potential ransomware deployment [11], lateral movement across networks [11], and long-term persistence through web shells [11]. Tools such as SOCRadar’s Vulnerability Intelligence and Attack Surface Management can assist in identifying and monitoring vulnerable software versions to enhance security measures [11]. Immediate remediation is essential to prevent data breaches and system compromises [10]. Continuous monitoring of the situation is underway [6], with advisory updates to be provided as necessary [6]. Clients utilizing vulnerability scan services will receive relevant findings if critical vulnerabilities are detected [6]. Onapsis also offers tools and guidance for identifying vulnerable systems and monitoring for exploitation attempts [9], including an open-source scanner to assist SAP customers in assessing their environments for this vulnerability [9].
Conclusion
The CVE-2025-31324 vulnerability in SAP’s Visual Composer component presents a critical threat to organizations using SAP NetWeaver. Immediate action is required to mitigate the risk, including applying patches [6] [11], restricting access [1] [6] [8], and conducting thorough security assessments. The potential impacts of exploitation are severe, with risks of unauthorized data access and system compromise. Organizations must remain vigilant, employing tools and strategies to monitor and address vulnerabilities promptly. Continuous updates and guidance from SAP and security partners will be crucial in managing this threat effectively.
References
[1] https://www.csoonline.com/article/3971211/sap-netweaver-customers-urged-to-deploy-patch-for-critical-zero-day-vulnerability.html
[2] https://www.ionix.io/blog/exploited-sap-netweaver-visual-composer-unauthenticated-file-upload-vulnerability-cve-2025-31324/
[3] https://www.tenable.com/cve/CVE-2025-31324
[4] https://www.infosecurity-magazine.com/news/sap-fixes-critical-vulnerability/
[5] https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-31324
[6] https://research.kudelskisecurity.com/2025/04/25/critical-vulnerability-in-sap-netweaver-visual-composer-cve-2025-31324/
[7] https://securityonline.info/cve-2025-31324-cvss-10-zero-day-in-sap-netweaver-exploited-in-the-wild-to-deploy-webshells-and-c2-frameworks/
[8] https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/
[9] https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
[10] https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/
[11] https://socradar.io/critical-sap-netweaver-vulnerability-cve-2025-31324-allows-unauthorized-upload-of-malicious-executables/