CVE-2025-31324
SAP NetWeaver Unrestricted File Upload Vulnerabili - [Actively Exploited]
Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
INFO
Published Date :
April 24, 2025, 5:15 p.m.
Last Modified :
May 6, 2025, 8:59 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
6.0
Exploitability Score :
3.9
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://me.sap.com/notes/3594142 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31324
Public PoC/Exploit Available at Github
CVE-2025-31324 has a 28 public PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-31324
.
URL | Resource |
---|---|
https://me.sap.com/notes/3594142 | Permissions Required |
https://url.sap/sapsecuritypatchday | Vendor Advisory |
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ | Third Party Advisory |
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ | Press/Media Coverage |
https://www.theregister.com/2025/04/25/sap_netweaver_patch/ | Press/Media Coverage |
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ | Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
SAP NetWeaver Visual Composer Metadata Uploader 7.50 CVE-2025-31324 PoC
Python
sap-netweaver-cve-2025-31324-check
None
Python Java
Research Purposes only
Java Python
CVE-2025-31324 vulnerability and compromise assessment tool
Python
A Python-based security scanner for identifying the CVE-2025-31324 vulnerability in SAP Visual Composer systems, and detecting known Indicators of Compromise (IOCs) such as malicious .jsp.
Python
🔍 A simple Bash script to detect malicious JSP webshells, including those used in exploits of SAP NetWeaver CVE-2025-31324.
Shell PowerShell
A totally unauthenticated file-upload endpoint in Visual Composer lets anyone drop arbitrary files (e.g., a JSP web-shell) onto the server.
Java Python
Python-based Burp Suite extension is designed to detect the presence of CVE-2025-31324
Python
Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader
Python
Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader
Java Python Shell
Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader
Python Java Shell
SAP NetWeaver Unauthenticated Remote Code Execution
Python
Nuclei template for cve-2025-31324 (SAP)
SAP PoC para CVE-2025-31324
netweaver sap cve-2025-31324
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-31324
vulnerability anywhere in the article.

-
The Hacker News
Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
Vulnerability / Industrial Security A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a r ... Read more

-
Dark Reading
'Easily Exploitable' Langflow Vulnerability Requires Immediate Patching
Source: Alexey Kotelnikov via Alamy Stock PhotoNEWS BRIEFA critical flaw found in the open source Langflow platform was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA's) Know ... Read more

-
Dark Reading
CISA Warns 2 SonicWall Vulnerabilities Under Active Exploitation
Source: ktdesign via Alamy Stock PhotoNEWS BRIEFCISA added two older SonicWall bugs to the Known Exploited Vulnerabilities (KEV) catalog, marking the latest threat activity targeting the network secur ... Read more

-
The Register
Microsoft tries to knife passwords once and for all - at least for consumers
Infosec In Brief Microsoft has decided to push its consumer customers to dump password in favor of passkeys. The software giant announced the move Thursday, May 1, traditionally known as "World Passwo ... Read more

-
Help Net Security
Week in review: Critical SAP NetWeaver flaw exploited, RSAC 2025 Conference
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: RSAC 2025 Conference RSAC 2025 Conference took place at the Moscone Center in San Francisco. Check out ... Read more

-
Red Canary
Critical vulnerability in SAP NetWeaver enables malicious file uploads
Adversaries can exploit CVE-2025-31324 to upload web shells and other unauthorized files to execute on the SAP NetWeaver server April 30, 2025Red Canary has observed activity exploiting a newly-docume ... Read more

-
TheCyberThrone
CISA Adds SAP NetWeaver Vulnerability to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the urgency of ... Read more

-
Cyber Security News
CISA Warns SAP 0-day Vulnerability Exploited in the Wild
CISA has added a critical SAP NetWeaver vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 29, 2025. The zero-day flaw, tracked as CVE-2025-31324, carries a maximum CVSS score ... Read more

-
Dark Reading
Many Fuel Tank Monitoring Systems Vulnerable to Disruption
Source: jittawit21 via ShutterstockInternet-connected automatic tank gauges (ATGs) pose a serious but often overlooked cyber-risk to the thousands of gas stations, fuel depots, and facilities that rel ... Read more

-
Dark Reading
SAP NetWeaver Visual Composer Flaw Under Active Exploitation
Source: SuPatMaN via ShutterstockAttackers are actively exploiting a recently patched zero-day vulnerability in SAP's NetWeaver Visual Composer Web-based software modeling tool.CVE-2025-31324 is a cri ... Read more

-
BleepingComputer
Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers. SAP NetW ... Read more

-
Cyber Security News
SAP NetWeaver 0-Day Vulnerability Exploited in the Wild to Deploy Webshells
SAP released an emergency out-of-band patch addressing CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer with the highest possible CVSS score of 10.0. This vulnerabili ... Read more

-
security.nl
'Honderden SAP NetWeaver-installaties bevatten zeer kritiek lek'
Honderden SAP NetWeaver-installaties die vanaf internet toegankelijk zijn bevatten een zeer kritieke kwetsbaarheid waardoor systemen op afstand zijn te compromitteren, zo laat The Shadowserver Foundat ... Read more

-
Help Net Security
Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)
CVE-2025-31324, a critical vulnerability in the SAP NetWeaver platform, is being actively exploited by attackers to upload malicious webshells to enable unauthorized file uploads and code execution. T ... Read more

-
Cyber Security News
400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks that Exploited in the Wild
Shadow Servers have identified 454 SAP NetWeaver systems vulnerable to a critical zero-day vulnerability that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, all ... Read more

-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells
A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how to check if your SAP Java systems are affected and the immediate steps to ... Read more

-
The Register
Emergency patch for potential SAP zero-day that could grant full system control
SAP's latest out-of-band patch is for a perfect 10/10 bug in NetWeaver that experts suspect could have already been exploited as a zero-day. However, we can't say for sure whether that's the case beca ... Read more

-
security.nl
SAP komt met noodpatch voor actief aangevallen NetWeaver-lek
SAP heeft een noodpatch uitgebracht voor een actief aangevallen kritieke kwetsbaarheid in NetWeaver. "De kwetsbaarheid laatg aanvallers volledige controle over SAP-bedrijfsdata en -processen, waaronde ... Read more

-
BleepingComputer
SAP fixes suspected Netweaver zero-day exploited in attacks
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers. The vulnerability, tracked under CVE-2025-31 ... Read more

-
The Hacker News
SAP Confirms Critical NetWeaver Flaw Amid Suspected Zero-Day Exploitation by Hackers
Vulnerability / Enterprise Security Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code e ... Read more

-
Daily CyberSecurity
Critical AMI BMC Vulnerability: Patch Your ASUS Workstation Now
Veteran PC users are likely familiar with encountering messages from American Megatrends International (AMI) during system startup. AMI stands as a leading provider of BIOS and UEFI firmware solutions ... Read more

-
Daily CyberSecurity
CVE-2025-31324 (CVSS 10): Zero-Day in SAP NetWeaver Exploited in the Wild to Deploy Webshells and C2 Frameworks
A critical zero-day vulnerability affecting SAP NetWeaver Visual Composer MetadataUploader, now tracked as CVE-2025-31324, is being actively exploited in the wild to compromise enterprise and governme ... Read more
The following table lists the changes that have been made to the
CVE-2025-31324
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
May. 06, 2025
Action Type Old Value New Value -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
May. 02, 2025
Action Type Old Value New Value Added Reference https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ -
Initial Analysis by [email protected]
May. 02, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:* Added Reference Type SAP SE: https://me.sap.com/notes/3594142 Types: Permissions Required Added Reference Type CISA-ADP: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Types: Third Party Advisory Added Reference Type SAP SE: https://url.sap/sapsecuritypatchday Types: Vendor Advisory Added Reference Type CVE: https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ Types: Press/Media Coverage Added Reference Type CVE: https://www.theregister.com/2025/04/25/sap_netweaver_patch/ Types: Press/Media Coverage -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
May. 01, 2025
Action Type Old Value New Value Added Reference https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Apr. 30, 2025
Action Type Old Value New Value Added Date Added 2025-04-29 Added Due Date 2025-05-20 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name SAP NetWeaver Unrestricted File Upload Vulnerability -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 26, 2025
Action Type Old Value New Value Added Reference https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ Added Reference https://www.theregister.com/2025/04/25/sap_netweaver_patch/ -
New CVE Received by [email protected]
Apr. 24, 2025
Action Type Old Value New Value Added Description SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-434 Added Reference https://me.sap.com/notes/3594142 Added Reference https://url.sap/sapsecuritypatchday
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-31324
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-31324
weaknesses.