CVE-2025-31324

Published Apr 24, 2025

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-31324 is a vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader. The core issue is a missing authorization check, which lets an unauthenticated attacker upload potentially malicious executable files to the system (CWE-434, unrestricted upload). In practice it is exploited by sending crafted POST requests to the uploader to drop webshells, after which the attacker can execute system commands, upload further files, take control of the compromised host, run arbitrary code remotely and exfiltrate sensitive data.

Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected by a proper authorization check, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Source
cna@sap.com
NVD status
Analyzed
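The AI summary and SAP's CVE text above describe the same mechanism: a POST to the Metadata Uploader that the server accepts without any authorization check, followed by use of the uploaded JSP webshell. The Python below is an added example, not code from SAP, NVD or this page, showing what a defender would look for in web access logs and how to read the widely quoted "200 OK means act now" reachability check. It assumes the `/developmentserver/metadatauploader` servlet path named in public advisories (the page itself names only the component), an NCSA-style access-log layout, and a JSP drop location taken from public incident-response reporting; all sample log lines are constructed.

```python
"""Hunt for CVE-2025-31324-style abuse of the Visual Composer Metadata Uploader in
HTTP access logs, plus the exposure classification behind the public reachability
check. Added example, not SAP or NVD material; assumptions are marked below."""
import re
from dataclasses import dataclass

# Servlet path of the Metadata Uploader as named in public advisories and SAP's
# mitigation guidance. The page above names only the component, not the path.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: NCSA combined-style access log. The SAP ICM / AS Java HTTP access
# log format is configurable, so adapt LOG_RE to your own http_log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample (not a real capture): a benign portal hit, an unauthenticated
# POST to the uploader that is accepted, the same source fetching a JSP under the
# portal's servlet_jsp directory (where public IR reports place dropped webshells),
# and a POST that a patched or mitigated system rejects.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.23 - - [25/Apr/2025:10:15:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
198.51.100.23 - - [25/Apr/2025:10:15:55 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 87
203.0.113.7 - - [25/Apr/2025:10:16:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


@dataclass(frozen=True)
class Finding:
    src: str
    kind: str
    path: str
    status: int
    ts: str


def parse_log(text):
    """Yield one dict per line matching LOG_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string
            yield rec


def hunt(text):
    """Flag accepted POSTs to the uploader and later JSP requests from the same source.

    Two signals, in order of confidence:
      uploader_accepted_unauthenticated: POST to the uploader answered 2xx with no
        authenticated user in the log. A patched or mitigated system answers
        401/403/404 instead.
      jsp_request_after_upload: a 2xx for a .jsp resource from a source that earlier
        had an upload accepted. Dropped webshells are served as JSP, so this is the
        "did they use it" follow-up, not proof on its own.
    """
    findings, upload_sources = [], set()
    for r in parse_log(text):
        ok = 200 <= r["status"] < 300
        if r["path"] == UPLOADER_PATH and r["method"] == "POST":
            if ok:
                kind = ("uploader_accepted_unauthenticated" if r["user"] == "-"
                        else "uploader_accepted")
                findings.append(Finding(r["ip"], kind, r["path"], r["status"], r["ts"]))
                upload_sources.add(r["ip"])
        elif ok and r["path"].endswith(".jsp") and r["ip"] in upload_sources:
            findings.append(Finding(r["ip"], "jsp_request_after_upload",
                                    r["path"], r["status"], r["ts"]))
    return findings


def classify_probe_status(status: int) -> str:
    """Interpret the status of an unauthenticated GET to UPLOADER_PATH on a host you own.

    200     -> "exposed":   the uploader answers without authentication; patch or disable it
    401/403 -> "protected": an authorization check or a proxy rule sits in front of it
    404     -> "absent":    Visual Composer is not deployed or the servlet was removed
    """
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return "unknown"


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts}  {f.src:<15} {f.kind:<36} {f.path} -> {f.status}")
```

The probe classification is only a reachability check: a 401 or 403 proves that something in front of the servlet rejects anonymous requests, not that the SAP correction is installed, so confirm the note level on the system rather than relying on the probe alone. Conversely, a single accepted POST with no later JSP hit is still worth a full review, since the same channel can carry payloads other than webshells.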

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
SAP NetWeaver Unrestricted File Upload Vulnerability
Exploit added on
Apr 29, 2025
Exploit action due
May 20, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cna@sap.com
CWE-434

Social media

Hype score
Not currently trending
  1. 🚨 Active exploitation of CVE-2025-31324 (CVSS 10) in SAP NetWeaver. CERT-Sysdream analyses the attack methods, the groups involved, the IoCs and the targets (critical infrastructure, government…). 📖 A must-read, here: https://t.co/ekUkV1U2dX https://t.co/4AyBP

    @Hub_One

    17 Jul 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #threatreport #LowCompleteness Adversary Infrastructure and Indicators Behind the SAP NetWeaver 0-Day Exploitation | 14-07-2025 Source: https://t.co/zkqaxwyB3u Key details below ↓ 💀Threats: Cobalt_strike_tool, 🔓CVEs: CVE-2025-31324 [Vulners](https://t.co/NbtjwfWs3M)

    @rst_cloud

    15 Jul 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 🚨 🚨 Active exploitation of CVE-2025-31324 (CVSS 10) in SAP NetWeaver. CERT-Sysdream analyses the attack methods, the groups involved, the IoCs and the targets (critical infrastructure, government…). 📖 Read it here: https://t.co/r1f9fYa7hu https://t.co/U4xhZO823q

    @sysdream

    10 Jul 2025

    138 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    6 Jul 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    6 Jul 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    5 Jul 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. #threatreport #LowCompleteness SAP NetWeaver CVE-202 | 29-06-2025 Source: https://t.co/tX39Oy2JsU Key details below ↓ 💀Threats: Xmrig_miner, 🎯Victims: Sap netweaver server administrators, Sap customers 🔓CVEs: CVE-2025-31324 [Vulners](https://t.co/NbtjwfWs3M)

    @rst_cloud

    30 Jun 2025

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    30 Jun 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    29 Jun 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    28 Jun 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    28 Jun 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure via @Darktrace #Cybersecurity https://t.co/W7pzHb1xo3

    @GothamTG

    26 Jun 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. In this episode of IT SPARC Cast - CVE of The Week, @john_Video and @loudoggeek break down CVE-2025-31324 — a critical remote code execution vulnerability in SAP NetWeaver’s Visual Composer. With a CVSS score of 9.8, this exploit is not just theory — it’s actively being h

    @ITSPARCCast

    24 Jun 2025

    92 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

  14. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    24 Jun 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure - Darktrace https://t.co/dQRfNCQ7qD #hacking #cybersecurity https://t.co/Ckza9RBp8Z

    @cliffvazquez

    23 Jun 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    23 Jun 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    22 Jun 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  18. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    21 Jun 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. CVE-2025-31324 in SAP NetWeaver Visual Composer allows remote code execution via file upload. Chinese APTs & ransomware groups exploited it to deploy KrustyLoader & JuicyPotato, with Darktrace detecting early threats. 🚨 #SAP #CyberThreats #China https://t.co/XMXlBOji8W

    @TweetThreatNews

    19 Jun 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨 3 Critical CVEs – Patch Now! 🔒 Linux (CVE-2025-6018/6019): Root via udisks + PAM ✅ Update all major distros 🧨 Veeam (CVE-2025-23121): RCE via domain user ✅ Patch to v12.1.2.1722 🔥 SAP (CVE-2025-31324): CVSS 10.0 zero-day ✅ Apply Apr/May 2025 SAP Notes htt

    @Samuel257196756

    19 Jun 2025

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure https://t.co/wieOCUS9xU A critical vulnerability, CVE-2025-31324, has been disclosed in SAP’s NetWeaver Visual Composer, a widely used application server and development

    @f1tym1

    16 Jun 2025

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🔎 In May’s VulnTracking report, we take a deep dive into SAP NetWeaver (CVE-2025-31324). What we discovered: When public exploits were released, bad actors (such as botnets) and legitimate security scanners surged simultaneously, proving both sides depend on the same https:

    @Crowd_Security

    6 Jun 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Comment: Given the active exploitation, have there been analyses of the ransomware actors’ specific techniques, tactics, and procedures (TTPs) in exploiting CVE-2025-31324, and how might t... #SAPSecurity https://t.co/f62BX6pMrb

    @storagetechnews

    4 Jun 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    1 Jun 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    30 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. China-linked Earth Lamia exploits server vulnerabilities across Asia and Brazil, using SQL injection and custom backdoors like PULSEPA to target finance, government, and more. Stay alert. 🚨 #CVE-2025-31324 #EarthLamia #Brazil https://t.co/NKNJw25FJ5

    @TweetThreatNews

    30 May 2025

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. #RCE vulnerability in SAP NetWeaver, CVE-2025-31324! If your SAP NetWeaver 7.5X release with Visual Composer enabled returns a 200 OK response, take immediate action. 🔍product: sap netweaverapplicationserver 👉 Check out

    @CriminalIP_AR

    30 May 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. #RCE vulnerability in SAP NetWeaver, CVE-2025-31324! If your SAP NetWeaver 7.5X version with Visual Composer enabled returns a 200 OK response, take action right away. 🔍product: sap netweaverapplication server 👉 How to respond to CVE-2025-31324 using #CTI and #ASM

    @CriminalIP_KR

    30 May 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    30 May 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    29 May 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. SAP VC vulnerability (CVE-2025-31324). A critical flaw in SAP NetWeaver Visual Composer (VC) that allows unauthenticated remote code execution. More info: https://t.co/Pz6fhR9h2y #PorUnEcuadorCiberseguro @Arcotel_ec @CsirtCEDIA @CsirtEPN @CSIRT_Telconet https

    @EcuCERT_EC

    27 May 2025

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    27 May 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50.

    @Operator7771337

    26 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Chaya_004 hackers linked to China exploit SAP flaw CVE-2025-31324, Forescout says, deploying custom Golang-based SuperShell tool. #CyberSecurity #SAPVulnerability #ChineseHackers https://t.co/9zfV7SOUaY

    @CyberSecTV_eu

    25 May 2025

    74 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    25 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    24 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. ⚠️ New threat advisory: SAP zero-days CVE-2025-31324 & CVE-2025-42999 are under active exploitation. Dave DeWalt (@nightdragon) called them among the most serious SAP threats in years. Get intel, IOCs & IR guidance → https://t.co/uTbBHPIoAI #SAPSecurity #CVE2025

    @onapsis

    23 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. A considerable update to our Threat Brief on CVE-2025-31324 includes new indicators that defenders can use for threat hunting. Take a look now: https://t.co/RXUuFf12tl https://t.co/R8wT93cmEU

    @Unit42_Intel

    23 May 2025

    2766 Impressions

    9 Retweets

    29 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  39. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    22 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  40. We link specific malware samples to the exploitation of CVE-2025-31324 in SAP NetWeaver and also identify associated network infrastructure, including C2 servers. Read our findings: https://t.co/RXUuFf12tl https://t.co/x2XHOo0QaD

    @Unit42_Intel

    22 May 2025

    2581 Impressions

    5 Retweets

    37 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  41. [Important security information: CVE-2025-31324, a vulnerability in NetWeaver Visual Composer] Emergency alert! An extremely serious vulnerability with a CVSS score of 10.0 has been found in SAP NetWeaver! Immediate action is required! On SAP's April 2025 Security Patch Day

    @saplabo_hakase

    22 May 2025

    198 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  42. #threatreport #LowCompleteness CVE-2025-31324: Simple Exploit, Serious Impact | 21-05-2025 Source: https://t.co/r1EufLl0Rb Key details below ↓ 💀Threats: Qilin_ransomware, Tsunami_botnet, Cobalt_strike, 🎯Victims: Major global enterprise 🌐Geo: Indonesia, China 🔓CV

    @rst_cloud

    22 May 2025

    125 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  43. #CyberAlerte | Vulnerability affecting SAP NetWeaver servers. The Cyber Centre is aware of exploitation of CVE-2025-31324 since March 2025. https://t.co/mM1URbrivL

    @centrecyber_ca

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  44. #CyberAlert | Vulnerabilities impacting SAP NetWeaver servers The Cyber Centre is aware of reports that CVE-2025-31324 has been actively exploited since March 2025.  https://t.co/J1dXYjh3pk

    @cybercentre_ca

    21 May 2025

    329 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  45. Vulnerabilities impacting SAP NetWeaver (CVE-2025-31324 and CVE-2025-42999) https://t.co/DNjFh87FE7 https://t.co/ft6XgGhEwV

    @djhsecurity

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    21 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  47. 🚨 CVE-2025-31324 Alert: SAP NetWeaver targeted! This critical vulnerability may allow remote attackers to bypass authentication. Patch it NOW to avoid data compromise. #SAPSecurity 💼

    @peoplepulseHR

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  48. Qilin ransomware exploited SAP zero-day vulnerability CVE-2025-31324 weeks before public disclosure, highlighting the need for prompt patching and robust security measures. #CyberSecurity #SAP #QilinRansomware https://t.co/iK8wpKdhSC

    @dailytechonx

    20 May 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. SAP NetWeaver RCE: Zero-Day Allows File Uploads, Qilin Ransomware Connection https://t.co/MYQQ91KTKe In a recent revelation, OP Innovate has uncovered early evidence of real-world exploitation of CVE-2025-31324 (CVSS 10), a The post SAP NetWeaver RCE: Zero-Day Allows File Upl

    @f1tym1

    20 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. A critical zero-day vulnerability in SAP software, CVE-2025-31324, has been exploited by the Qilin ransomware group weeks before its public disclosure. With a CVSS score of 10.0, this vulnerability allows unauthenticated file uploads to servers, highlighting an alarming trend ...

    @CybrPulse

    20 May 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations