CVE-2025-31324
Published Apr 24, 2025
Last updated 3 months ago
AI description
CVE-2025-31324 is a vulnerability affecting SAP NetWeaver Visual Composer Metadata Uploader. The core issue is a missing authorization check, which allows unauthenticated attackers to upload potentially malicious executable binaries to the system. This vulnerability can be exploited by crafting malicious POST requests to deliver webshells, enabling attackers to execute system commands, upload unauthorized files, seize control of compromised systems, execute remote code, and potentially steal sensitive data.
- Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- Source: cna@sap.com
- NVD status: Analyzed
- Products: netweaver
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: SAP NetWeaver Unrestricted File Upload Vulnerability
- Exploit added on: Apr 29, 2025
- Exploit action due: May 20, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- cna@sap.com
- CWE-434
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 31
Analysis reveals a SAP NetWeaver exploit targeting CVE-2025-31324 that automates JSP web shell uploads via metadata uploader with Base64 obfuscation, enabling remote code execution. #SAPSecurity #RemoteCodeExec #Germany https://t.co/CeMgu0d3E1
@TweetThreatNews
17 Aug 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨CVE-2025-31324: SAP NetWeaver Visual Composer PoC from Scattered Lapsus$ Hunters dropped. GitHub: https://t.co/4vvUzxlFYm https://t.co/iSKY2EdHvp
@DarkWebInformer
15 Aug 2025
10181 Impressions
17 Retweets
71 Likes
33 Bookmarks
1 Reply
1 Quote
Scattered Lapsus$ Hunters (UNC3944) are advertising a new exploit for SAP Netweaver, which despite being marketed as an 0day is actually an exploit for CVE-2025-31324. This logic has been added to our free tier SAP Netweaver decoy/honeypot template! Go get that payload 🍯 h
@DefusedCyber
15 Aug 2025
1110 Impressions
3 Retweets
19 Likes
0 Bookmarks
1 Reply
0 Quotes
ShinyHunters have released their exploit tool for SAP NetWeaver Visual Composer (CVE-2025-31324). While analysing the Base64-encoded Java payload, I spotted an unusual marker string: "Pwner274576528033300" https://t.co/MiW2UoXuqc
@WhichbufferArda
15 Aug 2025
7923 Impressions
25 Retweets
79 Likes
37 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2017-5689 2 - CVE-2025-31324 3 - CVE-2025-8088 4 - CVE-2025-4609 5 - CVE-2024-50264 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
10 Aug 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Darktrace stopped an Auto-Color backdoor attack on a US chemical firm exploiting CVE-2025-31324 in SAP NetWeaver to deliver a Linux ELF RAT using https://t.co/LcYcq7BF3s.preload persistence and stealthy C2 suppression. #AutoColor #SAPNetWeaver #USA https://t.co/YdB13PpM9G
@TweetThreatNews
9 Aug 2025
2452 Impressions
20 Retweets
42 Likes
13 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
5 Aug 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
4 Aug 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware Hackers are exploiting CVE-2025-31324, a critical SAP NetWeaver flaw, to deploy the advanced Auto-Color Linux malware, first seen in attacks on a U.S.-based chemicals firm. Discovered by Darktrace in April http
@dCypherIO
30 Jul 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
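In April 2025, a US chemical company suffered a three-day cyberattack in which it was breached through exploitation of a newly disclosed SAP NetWeaver vulnerability (CVE-2025-31324), and the Linux malware "Auto-Color" was deployed.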
@yousukezan
30 Jul 2025
613 Impressions
2 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Darktrace reported that, in an April 2025 attack targeting a US chemical company, threat actors exploited a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the Auto-Color backdoor.
@yousukezan
30 Jul 2025
721 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
The Auto-Color malware exploits the CVE-2025-31324 vulnerability in SAP NetWeaver to plant backdoors on Linux systems. - Exploitation requires no authentication - Advanced persistence technique using preload - Connects to
@cyberscastx
30 Jul 2025
1704 Impressions
2 Retweets
14 Likes
8 Bookmarks
1 Reply
0 Quotes
Cyber attackers exploited a patched SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color malware, gaining remote access and evading detection across North America and Asia. #SAPVulnerability #AutoColor #USA https://t.co/lBQiKq7YHP
@TweetThreatNews
30 Jul 2025
99 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers exploited the critical SAP NetWeaver vulnerability CVE-2025-31324 to deploy Auto-Color malware in an attack on a U.S. chemicals company, first detected by Darktrace on April 25, 2025. https://t.co/ALVZIHWHfB
@securityRSS
30 Jul 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware On April 24, 2025, software provider SAP SE disclosed CVE-2025-31324, a critical vulnerability in its SAP Netweaver product. If this vulnerability is exploited, a malicious attacker SAP
@ngnicky
30 Jul 2025
277 Impressions
2 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
The threat of Auto-Color malware exploiting SAP NetWeaver vulnerability CVE-2025-31324 https://t.co/tr98zbjWNd #Security #セキュリティ #ニュース
@SecureShield_
30 Jul 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Threat actor exploited CVE-2025-31324 in SAP NetWeaver to deploy Auto-Color Linux RAT which statically embeds data at creation to ensure the creation of a unique file hash that has never been seen https://t.co/7NGJdX6JrN
@ricomanifesto
29 Jul 2025
473 Impressions
4 Retweets
4 Likes
0 Bookmarks
1 Reply
0 Quotes
Hackers exploited a zero-day in SAP NetWeaver (CVE-2025-31324) to deploy the stealthy Auto-Color Linux malware at a US chemical firm. The malware uses adaptive evasion tactics, making detection and removal challenging. #SAPVulnerability #AutoColor https://t.co/yjzwLnE7bd
@TweetThreatNews
29 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers exploited SAP NetWeaver vulnerability CVE-2025-31324 to deploy Auto-Color Linux malware, targeting a U.S. chemicals company. Discovered by Darktrace during an April 2025 incident, the malware features evasion techniques and command execution capabilities. #Security https:
@Strivehawk
29 Jul 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical SAP NetWeaver vulnerability (CVE-2025-31324) has been exploited by hackers to deploy Auto-Color malware in a recent cyberattack on a U.S.-based chemicals firm. Stay informed about the implications and protective measures. Read more: https://t.co/QW7nA9jT7K
@trubetech
29 Jul 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 A new stealthy Linux backdoor, Auto-Color RAT is exploiting CVE-2025-31324 in SAP NetWeaver, targeting U.S. critical infrastructure. - First time observed in a chemical company attack - Detection bypassed via custom encryption & sandbox suppression Experts urge: - Patc
@TechNadu
29 Jul 2025
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
The identification of CVE-2025-31324, coupled with the Auto-Color backdoor's deployment, underscores a critical vulnerability impacting SAP NetWeaver systems. The incident emphasizes the escalating sophistication of cyber threats, particularly in how malware can disguise itsel...
@CybrPulse
29 Jul 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Hot Discovery: Deliberate Silences in Official Reports on Exploited Vulnerabilities! After digging deep, I saw that reports such as WEF and NVD omit non-states (ransomware groups such as BianLian/Qilin) exploiting CVE-2025-31324 since Mar 2025, with 581 systems
@VidenteIa
24 Jul 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Warning: Critical Improper Authorization in SAP NetWeaver #CVE-2025-31324 CVSS 10.0. is confirmed to be exploited in the wild. If you haven't patched yet, do it immediately. https://t.co/6oHxbEYJT2 #Patch #Patch #Patch.
@CCBalert
18 Jul 2025
95 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 Active exploitation of CVE-2025-31324 (CVSS 10) in SAP NetWeaver. CERT-Sysdream analyzes the attack methods, the groups involved, the IoCs and the targets (critical infrastructure, government…). 📖 A must-read here: https://t.co/ekUkV1U2dX https://t.co/4AyBP
@Hub_One
17 Jul 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#threatreport #LowCompleteness Adversary Infrastructure and Indicators Behind the SAP NetWeaver 0-Day Exploitation | 14-07-2025 Source: https://t.co/zkqaxwyB3u Key details below ↓ 💀Threats: Cobalt_strike_tool, 🔓CVEs: CVE-2025-31324 \[[Vulners](https://t.co/NbtjwfWs3M)]
@rst_cloud
15 Jul 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 🚨 Active exploitation of CVE-2025-31324 (CVSS 10) in SAP NetWeaver. CERT-Sysdream analyzes the attack methods, the groups involved, the IoCs and the targets (critical infrastructure, government…). 📖 Read: https://t.co/r1f9fYa7hu https://t.co/U4xhZO823q
@sysdream
10 Jul 2025
138 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
6 Jul 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
6 Jul 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
5 Jul 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#threatreport #LowCompleteness SAP NetWeaver CVE-202 | 29-06-2025 Source: https://t.co/tX39Oy2JsU Key details below ↓ 💀Threats: Xmrig_miner, 🎯Victims: Sap netweaver server administrators, Sap customers 🔓CVEs: CVE-2025-31324 \[[Vulners](https://t.co/NbtjwfWs3M)] -
@rst_cloud
30 Jun 2025
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
30 Jun 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
29 Jun 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
28 Jun 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
28 Jun 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure via @Darktrace #Cybersecurity https://t.co/W7pzHb1xo3
@GothamTG
26 Jun 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
In this episode of IT SPARC Cast - CVE of The Week, @john_Video and @loudoggeek break down CVE-2025-31324 — a critical remote code execution vulnerability in SAP NetWeaver’s Visual Composer. With a CVSS score of 9.8, this exploit is not just theory — it’s actively being h
@ITSPARCCast
24 Jun 2025
92 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
1 Quote
Actively exploited CVE : CVE-2025-31324
@transilienceai
24 Jun 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure - Darktrace https://t.co/dQRfNCQ7qD #hacking #cybersecurity https://t.co/Ckza9RBp8Z
@cliffvazquez
23 Jun 2025
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
23 Jun 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
22 Jun 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
21 Jun 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-31324 in SAP NetWeaver Visual Composer allows remote code execution via file upload. Chinese APTs & ransomware groups exploited it to deploy KrustyLoader & JuicyPotato, with Darktrace detecting early threats. 🚨 #SAP #CyberThreats #China https://t.co/XMXlBOji8W
@TweetThreatNews
19 Jun 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 3 Critical CVEs – Patch Now! 🔒 Linux (CVE-2025-6018/6019): Root via udisks + PAM ✅ Update all major distros 🧨 Veeam (CVE-2025-23121): RCE via domain user ✅ Patch to v12.1.2.1722 🔥 SAP (CVE-2025-31324): CVSS 10.0 zero-day ✅ Apply Apr/May 2025 SAP Notes htt
@Samuel257196756
19 Jun 2025
79 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure https://t.co/wieOCUS9xU A critical vulnerability, CVE-2025-31324, has been disclosed in SAP’s NetWeaver Visual Composer, a widely used application server and development
@f1tym1
16 Jun 2025
66 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔎 In May’s VulnTracking report, we take a deep dive into SAP NetWeaver (CVE-2025-31324). What we discovered: When public exploits were released, bad actors (such as botnets) and legitimate security scanners surged simultaneously, proving both sides depend on the same https:
@Crowd_Security
6 Jun 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Comment: Given the active exploitation, have there been analyses of the ransomware actors’ specific techniques, tactics, and procedures (TTPs) in exploiting CVE-2025-31324, and how might t... #SAPSecurity https://t.co/f62BX6pMrb
@storagetechnews
4 Jun 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
1 Jun 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-31324
@transilienceai
30 May 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
China-linked Earth Lamia exploits server vulnerabilities across Asia and Brazil, using SQL injection and custom backdoors like PULSEPA to target finance, government, and more. Stay alert. 🚨 #CVE-2025-31324 #EarthLamia #Brazil https://t.co/NKNJw25FJ5
@TweetThreatNews
30 May 2025
68 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F2B37045-2FB7-49BB-AE38-B84FAA6ADFB0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]