Known Exploited Vulnerability
10.0
CRITICAL
CVE-2025-31324
SAP NetWeaver Unrestricted File Upload Vulnerabili - [Actively Exploited]
Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

INFO

Published Date :

April 24, 2025, 5:15 p.m.

Last Modified :

May 6, 2025, 8:59 p.m.

Remotely Exploitable :

Yes !

Impact Score :

6.0

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://me.sap.com/notes/3594142 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31324

Public PoC/Exploit Available at Github

CVE-2025-31324 has a 28 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2025-31324 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Sap netweaver
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-31324.

URL Resource
https://me.sap.com/notes/3594142 Permissions Required
https://url.sap/sapsecuritypatchday Vendor Advisory
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Third Party Advisory
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ Press/Media Coverage
https://www.theregister.com/2025/04/25/sap_netweaver_patch/ Press/Media Coverage
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

SAP NetWeaver Visual Composer Metadata Uploader 7.50 CVE-2025-31324 PoC

Python

Updated: 5 days, 14 hours ago
0 stars 0 fork 0 watcher
Born at : May 10, 2025, 6:52 p.m. This repo has been linked 1 different CVEs too.

sap-netweaver-cve-2025-31324-check

Updated: 4 days, 2 hours ago
0 stars 0 fork 0 watcher
Born at : May 8, 2025, 12:57 a.m. This repo has been linked 1 different CVEs too.

None

Python Java

Updated: 1 week, 1 day ago
2 stars 1 fork 1 watcher
Born at : May 7, 2025, 6:23 a.m. This repo has been linked 1 different CVEs too.

Research Purposes only

Java Python

Updated: 1 week, 1 day ago
2 stars 0 fork 0 watcher
Born at : May 6, 2025, 4:58 p.m. This repo has been linked 1 different CVEs too.

CVE-2025-31324 vulnerability and compromise assessment tool

Python

Updated: 1 week, 1 day ago
1 stars 0 fork 0 watcher
Born at : May 1, 2025, 6:44 p.m. This repo has been linked 1 different CVEs too.

A Python-based security scanner for identifying the CVE-2025-31324 vulnerability in SAP Visual Composer systems, and detecting known Indicators of Compromise (IOCs) such as malicious .jsp.

Python

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : April 30, 2025, 10:31 p.m. This repo has been linked 1 different CVEs too.

🔍 A simple Bash script to detect malicious JSP webshells, including those used in exploits of SAP NetWeaver CVE-2025-31324.

Shell PowerShell

Updated: 2 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : April 30, 2025, 3:38 p.m. This repo has been linked 1 different CVEs too.

A totally unauthenticated file-upload endpoint in Visual Composer lets anyone drop arbitrary files (e.g., a JSP web-shell) onto the server.

Java Python

Updated: 1 week, 3 days ago
1 stars 0 fork 0 watcher
Born at : April 30, 2025, 1:39 p.m. This repo has been linked 1 different CVEs too.

Python-based Burp Suite extension is designed to detect the presence of CVE-2025-31324

Python

Updated: 2 weeks ago
0 stars 0 fork 0 watcher
Born at : April 30, 2025, 6:34 a.m. This repo has been linked 1 different CVEs too.

Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader

Python

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : April 29, 2025, 9:46 a.m. This repo has been linked 1 different CVEs too.

Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader

Java Python Shell

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : April 29, 2025, 12:16 a.m. This repo has been linked 1 different CVEs too.

Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader

Python Java Shell

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : April 28, 2025, 8:32 p.m. This repo has been linked 1 different CVEs too.

SAP NetWeaver Unauthenticated Remote Code Execution

Python

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : April 28, 2025, 1:19 p.m. This repo has been linked 1 different CVEs too.

Nuclei template for cve-2025-31324 (SAP)

Updated: 2 weeks, 4 days ago
0 stars 0 fork 0 watcher
Born at : April 28, 2025, 1:43 a.m. This repo has been linked 1 different CVEs too.

SAP PoC para CVE-2025-31324

netweaver sap cve-2025-31324

Python

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : April 28, 2025, 1:32 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-31324 vulnerability anywhere in the article.

  • The Hacker News
Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell

Vulnerability / Industrial Security A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a r ... Read more

Published Date: May 09, 2025 (1 week ago)
  • Dark Reading
'Easily Exploitable' Langflow Vulnerability Requires Immediate Patching

Source: Alexey Kotelnikov via Alamy Stock PhotoNEWS BRIEFA critical flaw found in the open source Langflow platform was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA's) Know ... Read more

Published Date: May 06, 2025 (1 week, 2 days ago)
  • Dark Reading
CISA Warns 2 SonicWall Vulnerabilities Under Active Exploitation

Source: ktdesign via Alamy Stock PhotoNEWS BRIEFCISA added two older SonicWall bugs to the Known Exploited Vulnerabilities (KEV) catalog, marking the latest threat activity targeting the network secur ... Read more

Published Date: May 06, 2025 (1 week, 2 days ago)
  • The Register
Microsoft tries to knife passwords once and for all - at least for consumers

Infosec In Brief Microsoft has decided to push its consumer customers to dump password in favor of passkeys. The software giant announced the move Thursday, May 1, traditionally known as "World Passwo ... Read more

Published Date: May 04, 2025 (1 week, 4 days ago)
  • Help Net Security
Week in review: Critical SAP NetWeaver flaw exploited, RSAC 2025 Conference

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: RSAC 2025 Conference RSAC 2025 Conference took place at the Moscone Center in San Francisco. Check out ... Read more

Published Date: May 04, 2025 (1 week, 5 days ago)
  • Red Canary
Critical vulnerability in SAP NetWeaver enables malicious file uploads

Adversaries can exploit CVE-2025-31324 to upload web shells and other unauthorized files to execute on the SAP NetWeaver server April 30, 2025Red Canary has observed activity exploiting a newly-docume ... Read more

Published Date: Apr 30, 2025 (2 weeks, 1 day ago)
  • TheCyberThrone
CISA Adds SAP NetWeaver Vulnerability to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the urgency of ... Read more

Published Date: Apr 30, 2025 (2 weeks, 1 day ago)
  • Cyber Security News
CISA Warns SAP 0-day Vulnerability Exploited in the Wild

CISA has added a critical SAP NetWeaver vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 29, 2025. The zero-day flaw, tracked as CVE-2025-31324, carries a maximum CVSS score ... Read more

Published Date: Apr 30, 2025 (2 weeks, 2 days ago)
  • Dark Reading
Many Fuel Tank Monitoring Systems Vulnerable to Disruption

Source: jittawit21 via ShutterstockInternet-connected automatic tank gauges (ATGs) pose a serious but often overlooked cyber-risk to the thousands of gas stations, fuel depots, and facilities that rel ... Read more

Published Date: Apr 29, 2025 (2 weeks, 2 days ago)
  • Dark Reading
SAP NetWeaver Visual Composer Flaw Under Active Exploitation

Source: SuPatMaN via ShutterstockAttackers are actively exploiting a recently patched zero-day vulnerability in SAP's NetWeaver Visual Composer Web-based software modeling tool.CVE-2025-31324 is a cri ... Read more

Published Date: Apr 28, 2025 (2 weeks, 3 days ago)
  • BleepingComputer
Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw

Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers. SAP NetW ... Read more

Published Date: Apr 28, 2025 (2 weeks, 3 days ago)
  • Cyber Security News
SAP NetWeaver 0-Day Vulnerability Exploited in the Wild to Deploy Webshells

SAP released an emergency out-of-band patch addressing CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer with the highest possible CVSS score of 10.0. This vulnerabili ... Read more

Published Date: Apr 28, 2025 (2 weeks, 3 days ago)
  • security.nl
'Honderden SAP NetWeaver-installaties bevatten zeer kritiek lek'

Honderden SAP NetWeaver-installaties die vanaf internet toegankelijk zijn bevatten een zeer kritieke kwetsbaarheid waardoor systemen op afstand zijn te compromitteren, zo laat The Shadowserver Foundat ... Read more

Published Date: Apr 28, 2025 (2 weeks, 3 days ago)
  • Help Net Security
Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)

CVE-2025-31324, a critical vulnerability in the SAP NetWeaver platform, is being actively exploited by attackers to upload malicious webshells to enable unauthorized file uploads and code execution. T ... Read more

Published Date: Apr 28, 2025 (2 weeks, 4 days ago)
  • Cyber Security News
400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks that Exploited in the Wild

Shadow Servers have identified 454 SAP NetWeaver systems vulnerable to a critical zero-day vulnerability that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, all ... Read more

Published Date: Apr 28, 2025 (2 weeks, 4 days ago)
  • Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how to check if your SAP Java systems are affected and the immediate steps to ... Read more

Published Date: Apr 26, 2025 (2 weeks, 5 days ago)
  • The Register
Emergency patch for potential SAP zero-day that could grant full system control

SAP's latest out-of-band patch is for a perfect 10/10 bug in NetWeaver that experts suspect could have already been exploited as a zero-day. However, we can't say for sure whether that's the case beca ... Read more

Published Date: Apr 25, 2025 (2 weeks, 6 days ago)
  • security.nl
SAP komt met noodpatch voor actief aangevallen NetWeaver-lek

SAP heeft een noodpatch uitgebracht voor een actief aangevallen kritieke kwetsbaarheid in NetWeaver. "De kwetsbaarheid laatg aanvallers volledige controle over SAP-bedrijfsdata en -processen, waaronde ... Read more

Published Date: Apr 25, 2025 (2 weeks, 6 days ago)
  • BleepingComputer
SAP fixes suspected Netweaver zero-day exploited in attacks

SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers. The vulnerability, tracked under CVE-2025-31 ... Read more

Published Date: Apr 25, 2025 (2 weeks, 6 days ago)
  • The Hacker News
SAP Confirms Critical NetWeaver Flaw Amid Suspected Zero-Day Exploitation by Hackers

Vulnerability / Enterprise Security Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code e ... Read more

Published Date: Apr 25, 2025 (2 weeks, 6 days ago)
  • Daily CyberSecurity
Critical AMI BMC Vulnerability: Patch Your ASUS Workstation Now

Veteran PC users are likely familiar with encountering messages from American Megatrends International (AMI) during system startup. AMI stands as a leading provider of BIOS and UEFI firmware solutions ... Read more

Published Date: Apr 25, 2025 (3 weeks ago)
  • Daily CyberSecurity
CVE-2025-31324 (CVSS 10): Zero-Day in SAP NetWeaver Exploited in the Wild to Deploy Webshells and C2 Frameworks

A critical zero-day vulnerability affecting SAP NetWeaver Visual Composer MetadataUploader, now tracked as CVE-2025-31324, is being actively exploited in the wild to compromise enterprise and governme ... Read more

Published Date: Apr 25, 2025 (3 weeks ago)

The following table lists the changes that have been made to the CVE-2025-31324 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    May. 06, 2025

    Action Type Old Value New Value
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    May. 02, 2025

    Action Type Old Value New Value
    Added Reference https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
  • Initial Analysis by [email protected]

    May. 02, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*
    Added Reference Type SAP SE: https://me.sap.com/notes/3594142 Types: Permissions Required
    Added Reference Type CISA-ADP: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Types: Third Party Advisory
    Added Reference Type SAP SE: https://url.sap/sapsecuritypatchday Types: Vendor Advisory
    Added Reference Type CVE: https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ Types: Press/Media Coverage
    Added Reference Type CVE: https://www.theregister.com/2025/04/25/sap_netweaver_patch/ Types: Press/Media Coverage
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    May. 01, 2025

    Action Type Old Value New Value
    Added Reference https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Apr. 30, 2025

    Action Type Old Value New Value
    Added Date Added 2025-04-29
    Added Due Date 2025-05-20
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name SAP NetWeaver Unrestricted File Upload Vulnerability
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 26, 2025

    Action Type Old Value New Value
    Added Reference https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    Added Reference https://www.theregister.com/2025/04/25/sap_netweaver_patch/
  • New CVE Received by [email protected]

    Apr. 24, 2025

    Action Type Old Value New Value
    Added Description SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-434
    Added Reference https://me.sap.com/notes/3594142
    Added Reference https://url.sap/sapsecuritypatchday
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-31324 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-31324 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
© cvefeed.io
Latest DB Update: May. 16, 2025 9:58