Visual Composer: SAP NetWeaver Visual Composer Metadata Uploader unrestricted file upload (CVE-2025-31324) #shorts
Summary
In this episode, we dive into CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer that is being actively exploited in the wild. We’ll cover what’s at risk, how the flaw works, and what organizations need to do right now to protect their systems.
Product details
The vulnerability resides in the SAP NetWeaver Visual Composer Metadata Uploader, specifically version VCFRAMEWORK 7.50. This component is used by developers to import metadata and models into the Visual Composer design environment. SAP has released an out-of-band security patch to address this issue.
Vulnerability type summary
CVE-2025-31324 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. In essence, the uploader lacks proper authorization checks, allowing unauthenticated users to send arbitrary executable files to the server.
Details of the vulnerability
An attacker can exploit the missing authorization in the metadata uploader to upload malicious binaries directly to the host. Once uploaded, these executables can be triggered on the server, leading to remote code execution, full system compromise, and potential lateral movement across the network. Reports indicate active exploitation, making this a high-priority patch for all affected environments.
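The two defects the text describes (no authorization check, no restriction on what kind of file is accepted) are easiest to see side by side. The following is an added, illustrative Python handler and is not SAP's implementation; the role name, the extension allowlist, the size limit and the storage directory are assumptions made for the example.

```python
"""Illustrative upload handler showing the CWE-434 pattern described for
CVE-2025-31324 (authorization missing, file type unrestricted) next to a
hardened version. Added example code, not SAP's implementation; the role
name, extension allowlist, size limit and storage directory are assumptions."""
import os
import posixpath
import tempfile
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_ROLE = "VisualComposerDeveloper"   # assumed role name
ALLOWED_EXTENSIONS = {".xml", ".vcm"}        # assumed metadata file types
MAX_UPLOAD_BYTES = 5 * 1024 * 1024           # assumed size limit


@dataclass
class UploadRequest:
    filename: str
    content: bytes
    authenticated: bool = False
    roles: set = field(default_factory=set)


def vulnerable_upload(req: UploadRequest, storage_dir: str) -> str:
    """The flawed pattern: no identity or role check, any file type accepted,
    and the caller-supplied name is joined straight into the target path."""
    dest = os.path.join(storage_dir, req.filename)
    with open(dest, "wb") as fh:
        fh.write(req.content)
    return dest


def check_upload(req: UploadRequest) -> Optional[str]:
    """Policy a hardened uploader applies before touching the filesystem.
    Returns a rejection reason, or None when the request may proceed."""
    if not req.authenticated:
        return "unauthenticated"
    if REQUIRED_ROLE not in req.roles:
        return "missing role"
    # Accept only a bare file name so "../" cannot escape storage_dir.
    name = posixpath.basename(req.filename.replace("\\", "/"))
    if name != req.filename or name in ("", ".", ".."):
        return "invalid filename"
    # Allowlist the extension; executable/servlet types are never on the list.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"disallowed file type {ext or '(none)'}"
    if len(req.content) > MAX_UPLOAD_BYTES:
        return "too large"
    # Metadata is text; a NUL byte near the start signals a binary blob.
    if b"\x00" in req.content[:1024]:
        return "binary content in a text metadata upload"
    return None


def hardened_upload(req: UploadRequest, storage_dir: str) -> str:
    reason = check_upload(req)
    if reason is not None:
        raise PermissionError(reason)
    dest = os.path.join(storage_dir, req.filename)
    # O_EXCL refuses to silently overwrite an existing model; 0o600 keeps it private.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(req.content)
    return dest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        anon = UploadRequest("example.jsp", b"not metadata")
        print("vulnerable accepted:", vulnerable_upload(anon, d))
        print("hardened rejects:", check_upload(anon))
        dev = UploadRequest("model.xml", b"<model/>", True, {REQUIRED_ROLE})
        print("hardened accepts:", hardened_upload(dev, d))
```

The policy lives in `check_upload` so it can be unit-tested without writing files; the order of checks matters, since identity and role are verified before any attacker-controlled value (file name, extension, content) is examined.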
Conclusion
Organizations using SAP NetWeaver Visual Composer should immediately apply the out-of-band patch provided by SAP. Review access logs for suspicious upload attempts, restrict inbound traffic to the uploader endpoint, and ensure all development servers are isolated. Prompt remediation will prevent attackers from gaining a foothold and protect the confidentiality, integrity, and availability of your SAP landscape.
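For the log review the conclusion recommends, one concrete approach is to pull every POST to the uploader endpoint out of the web-server access log and rank it by source network and response code. The script below is an added example, not SAP's tooling: `UPLOADER_PATH` is a placeholder for the real endpoint path documented in SAP note 3594142, `TRUSTED_NETS` is an assumed developer subnet, and `SAMPLE_LOG` is constructed for the demonstration.

```python
"""Added example (not SAP's tooling): flag POST requests to the Visual Composer
metadata uploader in combined-format web access logs. UPLOADER_PATH is a
placeholder for the real endpoint path from SAP note 3594142, TRUSTED_NETS is
an assumed developer subnet, and SAMPLE_LOG is constructed for the demo."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"        # placeholder, see SAP note 3594142
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed developer network

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal portal hit, an anonymous external upload that
# was accepted, a developer upload from the trusted subnet, and an external probe.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [28/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [28/Apr/2025:10:01:05 +0000] "POST {UPLOADER_PATH} HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    f'10.20.30.40 - devuser [28/Apr/2025:10:02:11 +0000] "POST {UPLOADER_PATH} HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [28/Apr/2025:10:03:44 +0000] "POST {UPLOADER_PATH} HTTP/1.1" 404 0 "-" "curl/8.4"',
])


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan(log_text: str) -> List[Dict[str, str]]:
    """One finding per POST to the uploader that is not clearly legitimate
    developer traffic (trusted source, accepted response, named user)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or not path.startswith(UPLOADER_PATH):
            continue
        trusted = is_trusted(rec["ip"])
        accepted = rec["status"].startswith("2")
        if trusted and accepted and rec["user"] != "-":
            continue
        # An accepted upload from outside the allowlist is the case the
        # advisories describe; a rejected attempt still shows someone probing.
        severity = "high" if accepted and not trusted else "medium"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "ua": rec["ua"], "severity": severity})
    return findings


def attempts_by_source(findings: List[Dict[str, str]]) -> Counter:
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['ts']} {f['ip']} status={f['status']} ua={f['ua']}")
    print(attempts_by_source(results))
```

Any "high" finding dated before the patch was applied warrants treating the host as potentially compromised rather than merely exposed, since the page notes that uploaded executables can be triggered once on the server. The same allowlist in `TRUSTED_NETS` is the one to enforce at the network layer when restricting inbound traffic to the endpoint.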
Watch the full video on YouTube: CVE-2025-31324
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://me.sap.com/notes/3594142
- https://url.sap/sapsecuritypatchday
- [2025-04-28] SAP NetWeaver zero-day vulnerability CVE-2025-31324 is being actively exploited.
- [2025-04-25] SAP releases out-of-band patch for critical zero-day vulnerability CVE-2025-31324 in SAP NetWeaver.
- [2025-05-12] Second wave of attacks on SAP NetWeaver platforms due to CVE-2025-31324 vulnerability.
- [2025-05-06] Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324.
- [2025-04-29] Over 400 SAP NetWeaver servers are affected by an exploited remote code execution vulnerability, CVE-2025-31324.
- [2025-04-26] SAP NetWeaver Visual Composer has a critical vulnerability (CVE-2025-31324) that could lead to full system compromise.
- [2025-05-01] SAP NetWeaver Zero-Day Vulnerability CVE-2025-31324 Under Active Exploitation