CVE Radar Logo
CVERadar
CVE Radar Logo
CVERadar

CVE-2025-31324

Critical Severity
Sap
SVRS
99/100
CVSSv3
10.0/10
EPSS
0.58471/1

CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer, allowing unauthenticated agents to upload malicious executables. This unauthorized access can severely compromise the host system, potentially leading to significant damage. With an SVRS of 99, CVE-2025-31324 demands immediate attention and remediation efforts. The lack of proper authorization in the Metadata Uploader component allows attackers to introduce malware, threatening the confidentiality, integrity, and availability of sensitive data. Active exploits are available, making it imperative to patch this vulnerability promptly. Due to the severe risk and the active exploitation in the wild, organizations using affected versions of SAP NetWeaver should prioritize patching CVE-2025-31324 to prevent potential system compromise. This vulnerability is particularly significant because it provides a direct pathway for attackers to inject malicious code into the system without authentication, posing a substantial risk to business operations.

TAGS
In The Wild
Exploit Avaliable
CISA KEV
Exploit Available
VECTOR STRING
CVSS:3.1
AV:N
AC:L
PR:N
UI:N
S:C
C:H
I:H
A:H
PUBLICATION DATE2025-05-01
LAST MODIFIED2025-04-24
Eye Icon
SOCRadar
AI Insight

Description

CVE-2025-31324 describes a critical vulnerability in SAP NetWeaver Visual Composer Metadata Uploader. This vulnerability stems from a lack of proper authorization, enabling unauthenticated attackers to upload malicious executable binaries. While the CVSS score is 10, indicating maximum severity, the SOCRadar Vulnerability Risk Score (SVRS) is 60. Although not above 80, which is the threshold for critical vulnerability, the lack of authentication makes it potentially easy for attackers to exploit this vulnerability. Successful exploitation could lead to severe compromise of the host system's confidentiality, integrity, and availability.

Key Insights

  • Unauthenticated Upload: The core of the vulnerability lies in the lack of authentication for the Metadata Uploader. This means an attacker does not need valid credentials to exploit the flaw, significantly lowering the barrier to entry.
  • Arbitrary Code Execution: The ability to upload executable binaries allows an attacker to execute arbitrary code on the affected system. This can range from installing malware and creating backdoors to data exfiltration and system disruption.
  • High CVSS, Moderate SVRS: The high CVSS score (10) reinforces the potential impact of successful exploitation. While the SVRS is moderate (60), it is essential to consider the severity of the attack because of the complete lack of authentication needed to upload executable binaries.

Mitigation Strategies

  • Implement Authentication: The immediate and most critical step is to implement robust authentication mechanisms for the SAP NetWeaver Visual Composer Metadata Uploader. Restricting access to authorized users will prevent unauthenticated uploads.
  • Input Validation and Sanitization: Introduce strict input validation and sanitization measures to prevent the upload of malicious executable binaries, even if an attacker manages to bypass authentication controls. Check that the file is valid and does not contain any malicious code.
  • Apply Security Patches: Apply the latest security patches provided by SAP as soon as they are available. Patching is crucial to remediate the underlying vulnerability and prevent exploitation.
  • Network Segmentation: Implement network segmentation to limit the potential impact of a successful attack. Isolating the affected SAP system from other critical infrastructure can prevent lateral movement and contain the damage.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

TitleSoftware LinkDate
redrays-io/CVE-2025-31324https://github.com/redrays-io/CVE-2025-313242025-04-27
moften/CVE-2025-31324https://github.com/moften/CVE-2025-313242025-04-28
ODST-Forge/CVE-2025-31324_PoChttps://github.com/ODST-Forge/CVE-2025-31324_PoC2025-04-28
SAP NetWeaver Unrestricted File Upload Vulnerabilityhttps://www.cisa.gov/search?g=CVE-2025-313242025-04-29
abrewer251/CVE-2025-31324_PoC_SAPhttps://github.com/abrewer251/CVE-2025-31324_PoC_SAP2025-04-29
respondiq/jsp-webshell-scannerhttps://github.com/respondiq/jsp-webshell-scanner2025-04-30
Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

News

Understanding the challenges of securing an NGO
Joe Marshall2025-05-01
Understanding the challenges of securing an NGO | Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure.Welcome to this week’s edition of the Threat Source newsletter. Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C
rss
blogger.com
forum
news
Critical SAP Zero-Day Vulnerability Under Active Exploitation - ERP Today
2025-05-01
Critical SAP Zero-Day Vulnerability Under Active Exploitation - ERP Today | News Content: ON DEMAND Evidence of active attacks against this vulnerability has been observed by ReliaQuest, Onapsis Threat Intelligence, and confirmed by multiple IR firms in recent active investigations. Explore related questions SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324) 04_29_25" src="https://player.vimeo.com/video/1080323462?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0"> Key Topics Discussed Security
google.com
rss
forum
news
U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
Pierluigi Paganini2025-04-30
U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog | U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA)&#160;added SAP NetWeaver flaw, tracked as CVE-2025-31324, to its Known Exploited Vulnerabilities (KEV) catalog. Last week, researchers warned that a zero-day vulnerability, tracked as&#160;CVE-2025-31324&#160;(CVSS score of 10/10), in SAP NetWeaver is [&#8230;] <h2 class
securityaffairs.co
rss
forum
news
Mais de 1200 servidores SAP vulneráveis na web
Da Redação2025-04-29
Mais de 1200 servidores SAP vulneráveis na web | Mais de 1.200 servidores SAP NetWeaver expostos à internet estão vulneráveis a uma falha crítica que permite o sequestro remoto de sistemas sem necessidade de autenticação. A vulnerabilidade, identificada como CVE-2025-31324, foi publicada pela SAP na semana passada e já está sendo usada em ataques ativos. Leia também RSA começa neste domingo em São FranciscoGangue [&#8230;] Fonte
cisoadvisor.com.br
rss
forum
news
CISA Adds One Known Exploited Vulnerability to Catalog
CISA2025-04-29
CISA Adds One Known Exploited Vulnerability to Catalog | CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. <a class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" href="https://www.cve.org/CVERecord?id=CVE-2025-31324" rel="noreferrer noopener" target="_blank" title="CVE
cisa.gov
rss
forum
news
SAP NetWeaver CVE-2025–31324 Lab setup
Anil Yellamati2025-04-28
SAP NetWeaver CVE-2025–31324 Lab setup | Vulnerability Overview: CVE-2025&#x2013;31324 is a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer&#x2019;s Metadata&#x2026;Continue reading on Medium »<
medium.com
rss
forum
news
Threat Actors Hacking SAP Critical Zero-Day
2025-04-28
Threat Actors Hacking SAP Critical Zero-Day | Unauthenticated Hackers Exploit CVE-2025-31324 to Upload WebshellsThreat actors are exploiting a zero-day flaw in a partially deprecated SAP tool still widely used by governments and businesses. On Friday, SAP's security division, Onapsis, disclosed that CVE-2025-31324 is "actively exploited in the wild."
bankinfosecurity.com
rss
forum
news

Social Media

Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-31324 #SAP #NetWeaver Unrestricted File Upload Vulnerability https://t.co/kMKTM7IiWt
0
0
0
🚨 New SAP Zero-Day – CVE-2025-31324 (CVSS 9.9) Critical unauthenticated access flaw in SAP NetWeaver AS Java SAP environments just got hit with a major vulnerability — CVE-2025-31324 — a missing authentication check in the UDDI
0
0
0
Detect CVE-2025-31324 exploits — a max-severity zero-day in SAP NetWeaver enabling RCE and full system compromise — with a set of Sigma rules in the SOC Prime Platform. Sigma Rules: https://t.co/QoqCa8iuBa Details: https://t.co/stgHBo3Lgs #CVE #CVE202531324 #ZeroDay #SigmaRules
0
1
3
Detect CVE-2025-31324 exploits — a max-severity zero-day in SAP NetWeaver enabling RCE and full system compromise — with a set of Sigma rules in the SOC Prime Platform. Sigma Rules: https://t.co/QoqCa8iuBa Details: https://t.co/Th2cKILMpm #CVE #CVE202531324 #ZeroDay #SigmaRules
0
0
0
🎙️ New #ShadowTalk Episode: Demystifying CVE-2025-31324, the Critical SAP NetWeaver Flaw Join host Kim, detection engineer Marken, and intelligence analyst Alex as they dive into: ✅ ReliaQuest's discovery of the critical SAP NetWeaver vulnerability ✅ AI upgrades in the https://t.co/MfNBhNI6Ky
0
0
0
SAP NetWeaver CVE-2025-31324 Exploitation https://t.co/kjcw1IXkyb
0
0
0
RT @WhichbufferArda: The SAP NetWeaver exploit (CVE-2025-31324) is seriously bad. I’ve seen some of the targets, it’s horrifying. There are…
0
9
0
Failed to exploit SAP Visual Composer CVE-2025-31324 vulnerability! Why? Response: https://t.co/Do2sLMGS6x
0
0
0
CVE-2025-31324 is a maximum severity bug that attackers exploited weeks before SAP released a patch for it. Shared via the Google app https://t.co/J1GHSm7VOj
0
0
0
CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild https://t.co/vXLtDmlH6M https://t.co/EmR2V4e4aZ
0
0
0

Affected Software

Configuration 1
TypeVendorProduct
AppSapnetweaver_application_server_java

References

ReferenceLink
[email protected]https://me.sap.com/notes/3594142
[email protected]https://url.sap/sapsecuritypatchday
AF854A3A-2127-422B-91AE-364DA2661108https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
AF854A3A-2127-422B-91AE-364DA2661108https://www.theregister.com/2025/04/25/sap_netweaver_patch/
[email protected]https://me.sap.com/notes/3594142
[email protected]https://url.sap/sapsecuritypatchday

CWE Details

CWE IDCWE NameDescription
CWE-434Unrestricted Upload of File with Dangerous TypeThe software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence