CVE-2025-31324
Confirmed PUBLISHEDMissing Authorization check in SAP NetWeaver (Visual Composer development server)
400 days faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- CVE Published
- Apr 24, 2025
- Exploitation Reported
- Apr 25, 2025
- CVSS
- 10.0 Critical
- EPSS
- 99.4%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| SAP_SE |
SAP NetWeaver (Visual Composer development server)
|
VCFRAMEWORK 7.50 |
Affected |
CVE References
- me.sap.com/notes/3594142 me.sap.com · CVE Record https://me.sap.com/notes/3594142
- url.sap/sapsecuritypatchday url.sap · CVE Record https://url.sap/sapsecuritypatchday
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| Dark Reading First | 2025-04-28 21:26 UTC |
| CISA | 2026-06-02 14:08 UTC |
| The Shadowserver | 2026-06-08 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-31324.yaml | May 16, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2025-04-25 00:00:00 UTC · Tenable Blog
Used in malware
Recorded 2026-06-02 14:08:20 UTC · Tenable Blog
Proof of concept available
Recorded 2025-04-25 15:22:59 UTC · GitHub
Weaknesses (CWE)
-
Unrestricted Upload of File with Dangerous Type
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-31324.yaml | May 16, 2025 |
Recent Mentions
Dark Reading · May 15, 2025
As threat actors continue to hop on the train of exploiting CVE-2025-31324, researchers are recommending that SAP administrators patch as soon as possible so that they don't fall victim next.
TheHackerNews · May 14, 2025
At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver tracked as CVE-2025-31324, indicating that multiple threat actors are taking advantage of the bug. Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and
TheHackerNews · May 13, 2025
A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign
Palo Alto Unit42 · May 09, 2025
CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post Threat Brief: CVE-2025-31324 appeared first on Unit 42.
TheHackerNews · May 09, 2025
A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw
Horizon3.ai Attack Research · Apr 29, 2025
SAP NetWeaver Visual Composer Metadata Uploader
All CISA Advisories · Apr 29, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Dark Reading · Apr 28, 2025
CVE-2025-31324 is a maximum severity bug that attackers exploited weeks before SAP released a patch for it.
Rapid7 · Apr 28, 2025
A critical SAP NetWeaver zero-day vulnerability (CVE-2025-31324) that allows for full SAP server compromise is being actively exploited in the wild.
Tenable Blog · Apr 25, 2025
SAP has released out-of-band patch to address CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver that has been exploited by threat actors. Organizations are strongly encouraged to apply patches as soon as possible.BackgroundOn April 22, ReliaQuest published details of their investigation of exploit activity in SAP NetWeaver servers. Initially it was unclear if their discovery was a new vulnerability or the abuse of CVE-2017-9844, a vulnerability that could lead to a denial-of-service (DoS) condition or arbitrary code execution. ReliaQuest reported their findings to SAP and on April 24, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability with the highest severity CVSS score of 10.0.CVEDescriptionCVSSv3VPRCVE-2025-31324SAP NetWeaver Unauthenticated File Upload Vulnerability10.08.1*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 25 and reflects VPR at that time.AnalysisCVE-2025-31324 is an unauthenticated file upload vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. The flaw is the result of missing authorization checks to the “/developmentserver/metadatauploader” endpoint. According to ReliaQuest, this vulnerability has been exploited in the wild as a zero-day by threat actors who have abused the flaw to upload malicious web shells to affected hosts. These webshells were used to deploy malware and establish communications with command and control (C2) servers.Proof of conceptAt the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-31324. If a public PoC exploit becomes available, we anticipate a variety of attackers will attempt to leverage this flaw in their attacks as SAP products are…
DarkWebInformer · Apr 24, 2025
SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Remote Code Execution via File Upload Flaw
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-27 11:39:26 UTC · 0 stars
CVE-2025-31324, SAP Exploit
github · Created 2025-04-25 15:22:59 UTC · 3 stars
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC about 1 month ago00:00 UTC · about 1 month ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
14:08 UTC about 2 months ago14:08 UTC · about 2 months ago
First public exploitation report
Exploit observed in malware
-
14:08 UTC about 2 months ago14:08 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
08:44 UTC about 1 year ago08:44 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
21:26 UTC about 1 year ago21:26 UTC · about 1 year ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
15:22 UTC about 1 year ago15:22 UTC · about 1 year ago
Public PoC available
Public proof-of-concept code published
-
16:50 UTC about 1 year ago16:50 UTC · about 1 year ago
CVE published
Vulnerability disclosed publicly
-
23:02 UTC over 1 year ago23:02 UTC · over 1 year ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2025-31324
{
"cve_id": "CVE-2025-31324",
"title": "Missing Authorization check in SAP NetWeaver (Visual Composer development ser...",
"affected_vendor": "SAP_SE",
"affected_product": "SAP NetWeaver (Visual Composer development server)",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 10.0,
"epss_score": 0.99359,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}