Hoplon InfoSec
30 Apr, 2025
On April 29, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-31324, this zero-day flaw carries a maximum CVSS 3.1 score of 10.0 and has been exploited in the wild since at least March 2025. Organizations running SAP NetWeaver Application Server Java (AS Java) with the Visual Composer component must take immediate action to prevent full system compromise.
SAP NetWeaver Visual Composer is a graphical, model-driven tool that enables business users and process specialists to build applications without writing code manually. Although not installed by default, Visual Composer is estimated to be enabled on 50–70 percent of SAP Java systems because of its ease of use and popularity in rapid application development.
CVE-2025-31324 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The Metadata Uploader component does not enforce authentication or file-type restrictions, allowing unauthenticated attackers to submit arbitrary files, including executable binaries or JSP web shells, to the target server.
Once a malicious JSP web shell is uploaded, threat actors gain the ability to execute arbitrary code in the context of the Java application server. This effectively hands over complete control of the SAP system, enabling:
According to Onapsis, exploitation can result in “immediate full compromise” of affected environments, making CVE-2025-31324 one of the most severe SAP vulnerabilities in recent years.
Enterprises often focus security investments on perimeter defenses and cloud workloads, leaving legacy SAP systems relatively under-hardened. Visual Composer endpoints may be inadvertently exposed to untrusted networks, increasing the likelihood of successful attacks.
SAP has published guidance on how to look for unfamiliar .jsp, .java, or .class files under Visual Composer directories. Key directories to audit include:
Monitoring HTTP POST requests to /developmentserver/metadatauploader, especially those returning 200 OK status codes with large payloads, can reveal file-upload attempts. Integrate these patterns into SIEM alerts to flag potential exploitation.
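As an added illustration of the monitoring advice above (example code, not from the original post or from SAP): a small Python filter that flags POST requests to the Metadata Uploader path that returned 200 OK with a large request body. The access-log format, the 4096-byte threshold and the sample log lines are constructed assumptions; adapt the regex to your reverse proxy's log format.

```python
import re
from dataclasses import dataclass

# Assumed endpoint path of the Metadata Uploader component (from public advisories).
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Assumed threshold: request bodies at or above this size are treated as upload-sized.
LARGE_BODY_BYTES = 4096
# Combined-style access log line with the request body size appended as the last
# field (constructed format; adjust to what your proxy or web server actually logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<req_bytes>\d+)$'
)

@dataclass
class Hit:
    src: str
    ts: str
    path: str
    status: int
    req_bytes: int

def detect_uploader_posts(lines):
    """Return log entries matching the indicator: POST to the uploader path,
    HTTP 200 response, and a request body large enough to carry a file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than fail the whole run
        path = m.group("path").split("?", 1)[0].lower()  # drop query string
        if m.group("method") != "POST" or not path.startswith(UPLOADER_PATH):
            continue
        status = int(m.group("status"))
        req_bytes = int(m.group("req_bytes"))
        if status == 200 and req_bytes >= LARGE_BODY_BYTES:
            hits.append(Hit(m.group("src"), m.group("ts"), path, status, req_bytes))
    return hits

# Constructed sample log lines (not real traffic); only the second one should alert.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0',
    '203.0.113.7 - - [29/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader?sample=1 HTTP/1.1" 200 312 "-" "curl/8.0" 18374',
    '203.0.113.7 - - [29/Apr/2025:10:02:20 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "curl/8.0" 18374',
    '10.0.0.9 - - [29/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120 "-" "SAPGUI" 512',
]

if __name__ == "__main__":
    for h in detect_uploader_posts(SAMPLE_LOG):
        print(f"ALERT {h.ts} {h.src} POST {h.path} -> {h.status}, body={h.req_bytes}B")
```

Feed the function your proxy's access log instead of SAMPLE_LOG and forward each Hit to the SIEM; a 401 or a small body is filtered out so that legitimate uploader traffic from patched systems does not flood the alert queue.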
SAP’s Security Note #3594142 provides a corrective update introducing authentication checks and file-type validation in the Metadata Uploader component. Organizations should:
For environments that cannot immediately install the emergency patch, SAP recommends:
Federal civilian agencies in the United States must remediate CVE-2025-31324 by May 20, 2025, per CISA’s Binding Operational Directive (BOD) 22-01. Non-compliance may trigger increased oversight and reporting mandates.
Beyond federal requirements, all organizations handling sensitive data should treat this vulnerability as a top priority. Recommended actions:
CVE-2025-31324 represents a critical risk to any organization using SAP NetWeaver Visual Composer. Its unrestricted file upload nature enables unauthenticated remote code execution, leading to full system takeover and data exfiltration. Immediate application of SAP’s emergency patch (Security Note #3594142) or implementation of temporary mitigations (SAP Note #3593336) is essential. Furthermore, enterprises must adopt long-term hardening measures, such as turning off unused components, strengthening network segmentation, and enhancing monitoring, to reduce the attack surface of their SAP landscapes. By treating low-code and graphical development tools with the same security scrutiny as custom code, organizations can better defend against advanced threat actors targeting mission-critical business systems.