CVE-2025-31324

Published Apr 24, 2025

Last updated 5 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-31324 is a vulnerability affecting SAP NetWeaver Visual Composer Metadata Uploader. The core issue is a missing authorization check, which allows unauthenticated attackers to upload potentially malicious executable binaries to the system. This vulnerability can be exploited by crafting malicious POST requests to deliver webshells, enabling attackers to execute system commands, upload unauthorized files, seize control of compromised systems, execute remote code, and potentially steal sensitive data.

Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Source: cna@sap.com
NVD status: Modified
Products: netweaver

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: SAP NetWeaver Unrestricted File Upload Vulnerability
Exploit added on: Apr 29, 2025
Exploit action due: May 20, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cna@sap.com: CWE-434

Social media

Hype score: Not currently trending
  1. ⚠️ Active exploits target SAP NetWeaver flaws CVE-2025-31324 & CVE-2025-42999. Attackers upload web shells & abuse deserialization for RCE. Patch via SAP Notes 3594142 & 3604119, restrict /metadatauploader, and remove vulnerable components ASAP

    @bountyayush

    21 Oct 2025

    2 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. The New SAP Backdoor: Inside the Global Campaign Using CVE-2025-31324 for Unauthenticated RCE Read the full report on - https://t.co/b6DNRkY5rf https://t.co/XPY8pdAhVP

    @Iambivash007

    4 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. SAP Zero Day Vulnerability CVE-2025-31324 / Security Note 3594142 https://t.co/KS56hueeJb https://t.co/VFeOuwzCLd

    @LayerSeven

    3 Oct 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. IMMEDIATE PATCH! A critical SAP NetWeaver Zero-Day (CVE-2025-31324) is under APT ATTACK for Remote Code Execution (RCE). Your most sensitive enterprise data is at risk of nation-state espionage. Read the full report on - https://t.co/sFw9CFK6my https://t.co/3gwRWO0cc5

    @Iambivash007

    29 Sept 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. SAP ESPIONAGE CRISIS! China-Linked APTs are exploiting the NetWeaver RCE (CVE-2025-31324) to compromise 581+ Global Systems. Attackers are stealing core business secrets and intellectual property. Read the full report on - https://t.co/yi0WpkyMsO https://t.co/OpKoSgSoOb

    @Iambivash007

    29 Sept 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CRITICAL SAP ALERT! Exploitation of SAP NetWeaver is confirmed via two major flaws: CVE-2025-31324 and CVE-2025-42999. If you run SAP, your core business processes are at risk. Full Report on - https://t.co/3nuikOQQQz https://t.co/HY8CiJ0vKE

    @Iambivash007

    28 Sept 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. SAP NetWeaver RCE (CVE-2025-31324, CVE-2025-42999) A Critical flaws allow unauthenticated RCE & system takeover. Patched April/May 2025. Exploited since Feb 10 (Onapsis). 🛡️ Action: Patch now, monitor, restrict access. #SAP #Cybersecurity @avleonovcom https://t.co/I9AFa

    @CyberWolfGuard

    24 Sept 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Exploitation of CVE-2025-31324 (Unauthenticated upload in SAP NetWeaver) From 49.90.35.72 🇨🇳( Chinanet ) VT Detections: 0/95 🟢 https://t.co/1I4V2VBUQ4

    @DefusedCyber

    24 Sept 2025

    780 Impressions

    2 Retweets

    7 Likes

    1 Bookmark

    1 Reply

    1 Quote

  9. SAP NETWEAVER BREACH — 581 SYSTEMS BACKDOORED China-nexus APTs (UNC5221/5174, CL-STA-0048) weaponize CVE-2025-31324 for long-term espionage targeting critical infrastructure. CORTEX Intel: https://t.co/lSSHALDmgM https://t.co/aXu1eyjLim

    @the_c_protocol

    22 Sept 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

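  10. [Last week's blog roundup 📚] 🆕 What is Auto-Color? The latest threat targeting CVE-2025-31324. We explain the vulnerabilities through which even small and medium-sized businesses are easily targeted, and the key points for countermeasures! 🔗 https://t.co/TiqAoQ6FH6 🍂 Getting ready with the autumn security checklist ...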

    @synplanning

    18 Sept 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 👾 CVE-2025-31324 & CVE-2025-42999: SAP NetWeaver Visual Composer RCEs exploited in the wild; public exploits available. Patches released, but thousands of orgs may remain vulnerable. #SAP #NetWeaver #Onapsis ➡️ https://t.co/LJNuwvVSDC https://t.co/vrHq5xugQP

    @leonov_av

    17 Sept 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Top 5 Trending CVEs: 1 - CVE-2024-7344 2 - CVE-2025-31324 3 - CVE-2024-44241 4 - CVE-2022-46689 5 - CVE-2025-31200 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    13 Sept 2025

    183 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  13. #threatreport #MediumCompleteness SAP NetWeaver Metadata Uploader Vulnerability (CVE-2025-31324) | 10-09-2025 Source: https://t.co/6vm504rxkF Key details below ↓ 🧑‍💻Actors/Campaigns: Lapsus Shinyhunters 💀Threats: Auto-color, Havoc, 🎯Victims: Sap customers, Ente

    @rst_cloud

    11 Sept 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. "🚨 SAP users: CVE-2025-31324 allows remote code exec via metadatauploader. Active since March '25. Patch Sept '25 updates immediately. Monitor networks, restrict dev server access."

    @Tudorel92659164

    11 Sept 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Actor mass exploiting CVE-2025-31324 (SAP Netweaver RCE) from 45.15.140.117 ( Pq Hosting Plus S.r.l. ) 🇳🇿 VirusTotal Detections: 0/94 🟢 Payload contains an obfuscated webshell 📷 https://t.co/TOcu2tDQXI

    @DefusedCyber

    10 Sept 2025

    3148 Impressions

    9 Retweets

    28 Likes

    13 Bookmarks

    0 Replies

    1 Quote

  16. 🚨 SAP NetWeaver (CVE-2025-31324) Remains an Active Threat – Patch Now ReliaQuest is investigating an increase in JSP web shell deployment alongside exploitation of the SAP NetWeaver vulnerability (CVE-2025-31324). This activity may signal a new wave of exploitation. Our te

    @ReliaQuestTR

    5 Sept 2025

    121 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. ERP is the new single point of failure. CVE-2025-31324 just proved it. https://t.co/ewcn4GERh5

    @Amitendrathenua

    5 Sept 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Exploit for SAP vulnerability CVE-2025-31324 published – attackers are actively exploiting the flaw https://t.co/eVFfIxPJdA

    @KolaricDav5471

    1 Sept 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Exploiting the SAP NetWeaver zero-day CVE-2025–31324: details of an advanced RCE script published https://t.co/YWFp5x2dnS Targeting the zero-day vulnerability CVE-2025-31324, which exists in NetWeaver's ICM (Internet Communication Manager) component, an attack ...

    @iototsecnews

    1 Sept 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨 SAP Threat Alert CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver Visual Composer under active exploitation. Attackers can gain SAP admin, steal data & disrupt operations.

    @huseyin_yu46083

    30 Aug 2025

    4 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 SAP Threat Alert CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver Visual Composer under active exploitation. Attackers can gain SAP admin, steal data & disrupt operations. 🔗 Full advisory: https://t.co/OWi56y75cJ #CyberSecurity #SAP #ThreatIntel https://t.co/goc9U

    @sequretek_sqtk

    29 Aug 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. CVE-2025-31324 has been a BITCH to deal with.. IYKYK

    @baube19

    27 Aug 2025

    114 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Did you get a chance to check out this month's newsletter? Highlights include: ⚙️ Patch Day analysis ⚠️ A new active exploit for CVE-2025-31324 🧠 Zero Day panel insights 📈 2025 security trends Check it out on LinkedIn. ⬇️ https://t.co/IP2VdAX0H8 https://t.co/n

    @onapsis

    27 Aug 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚩 New Exploit Chains Two Critical SAP NetWeaver Flaws for RCE https://t.co/tSmT9FfKLD A publicly released exploit combines CVE-2025-31324 and CVE-2025-42999 to achieve remote code execution with admin privileges on unpatched NetWeaver servers. The exploit enables stealthy

    @Huntio

    25 Aug 2025

    1303 Impressions

    7 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  25. Are you up to date on the latest SAP security threats? Our monthly newsletter covers: ⚙️ Patch Day analysis ⚠️ A new active exploit for CVE-2025-31324 🧠 Zero Day panel insights 📈 2025 security trends Get the full scoop and subscribe on LinkedIn. ⬇️ https://t.c

    @onapsis

    21 Aug 2025

    278 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Just saw that an exploit for a critical SAP vulnerability (CVE-2025-31324) was publicly released, targeting businesses worldwide. Even if you’ve patched before, now’s the time to double-check your systems, attackers move fast after exploit code goes public.

    @VishnuHulikatti

    21 Aug 2025

    38 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🛡️ Public exploit in SAP NetWeaver allows full system takeover. Onapsis warned that an exploit has been released that chains two: 1. CVE-2025-31324 (missing authorization) 2. CVE-2025-42999 (insecure deserialization) in SAP NetWeaver. SAP released updates in ...

    @CycuraMX

    20 Aug 2025

    206 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. #Exploit for critical #SAP Netweaver flaws released (#CVE-2025-31324, CVE-2025-42999) https://t.co/QFSRbWL2uX

    @ScyScan

    20 Aug 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Exploit for critical SAP Netweaver flaws released (CVE-2025-31324, CVE-2025-42999) https://t.co/rwKeswLCsp #HelpNetSecurity #Cybersecurity https://t.co/FbBt1NJJmY

    @PoseidonTPA

    20 Aug 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft. https://t.co/foCm2qJbiM #SAP #NetWeaver #exploit #auth #bypass #RCE #cve #compromised #datatheft #CyberSecurity #CybersecurityNews #threatresq

    @ThreatResq

    20 Aug 2025

    19 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  31. A severe exploit combining two critical vulnerabilities in SAP NetWeaver poses a significant risk for organizations, allowing unauthenticated attackers to seize control and execute arbitrary commands. With CVE-2025-31324 rated at a staggering 10.0 CVSS score, it's a clear and ...

    @CybrPulse

    20 Aug 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Public exploit chains SAP NetWeaver flaws CVE-2025-31324 & CVE-2025-42999, enabling remote code execution and bypassing authentication. Attacks active since March, involving ransomware & espionage groups. #SAPFlaws #RemoteCode #Germany https://t.co/GHlqVhiUTV

    @TweetThreatNews

    19 Aug 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. ShinyHunters release exploit for critical SAP vulnerabilities CVE-2025-31324 & CVE-2025-42999. Immediate patching required to prevent system takeover. Link: https://t.co/VH44Xs4eKV #Security #Exploit #Hacking #Threat #Patch #SAP #CVE #Cyber #Tech #Attack #Breach #Data #Softwa

    @dailytechonx

    19 Aug 2025

    79 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🚨 SAP NetWeaver #Java Visual Composer Under Attack: #CVE-2025-31324 Exploit Spreads Wildly https://t.co/ccBAntawv2

    @UndercodeNews

    19 Aug 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. A newly discovered critical vulnerability in SAP NetWeaver AS Java Visual Composer, CVE-2025-31324, is now actively exploited, posing severe risks to organizations that haven't patched. With public exploit tooling available, even less experienced attackers can execute remote c...

    @CybrPulse

    19 Aug 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

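  36. The notorious hacking group ShinyHunters has released an advanced exploit targeting critical SAP vulnerabilities. This exploit chains zero-day vulnerabilities such as CVE-2025-31324 and, without authentication, on SAP systems ...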

    @cyber_edu_jp

    19 Aug 2025

    79 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. A newly emerged flaw poses serious security risks in SAP NetWeaver systems. This exploit, formed by combining two critical vulnerabilities (CVE-2025-31324 and CVE-2025-42999), bypasses authentication and remote code execution on systems ...

    @et2mas

    19 Aug 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. 📌 A new exploit combines two critical vulnerabilities in SAP NetWeaver, exposing unpatched systems to the risk of compromise and data theft. The two vulnerabilities, CVE-2025-31324 and CVE-2025-42999, can bypass ...

    @Cybercachear

    19 Aug 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. A new exploit chain targets SAP NetWeaver vulnerabilities CVE-2025-31324 & CVE-2025-42999, enabling remote code execution. Ransomware gangs and Chinese APTs exploited these flaws. #SAPExploits #RemoteCodeExec #ChinaAPT https://t.co/Glxb47TqDs

    @TweetThreatNews

    19 Aug 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. A critical SAP NetWeaver flaw (CVE-2025-31324) is now fully weaponized, with public exploit code available and active attacks in the wild. Thanks to expert insights from @pathlock & @deepwatch_sec 🔗 Read more: https://t.co/22h22BKspS ✍ Kirsten Doyle #Vulnerability #I

    @Info_Sec_Buzz

    19 Aug 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. A new, weaponized exploit for critical #SAP #vulnerabilities CVE-2025-31324 and CVE-2025-42999 is now public. If your systems are unpatched, they're at high risk. Act now: apply SAP security notes 3594142 and 3604119. Get the full story ➡️ https://t.co/w7XaUKhutP #cybersecu

    @onapsis

    18 Aug 2025

    29 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Critical SAP Vulnerability: CVE-2025-31324 Now Exploitable at Scale SAP security expert Jonathan Stross details a critical vulnerability in SAP NetWeaver Visual Composer that is actively exploited using publicly available tools. Read our full analysis: https://t.co/SHEqJt696C h

    @pathlock

    18 Aug 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. New exploit for critical SAP vulnerability CVE-2025-31324 published https://t.co/h0RiulAeHp

    @KolaricDav5471

    18 Aug 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. Top 5 Trending CVEs: 1 - CVE-2010-5139 2 - CVE-2025-53783 3 - CVE-2025-26633 4 - CVE-2025-31324 5 - CVE-2025-52970 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    17 Aug 2025

    143 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Analysis reveals a SAP NetWeaver exploit targeting CVE-2025-31324 that automates JSP web shell uploads via metadata uploader with Base64 obfuscation, enabling remote code execution. #SAPSecurity #RemoteCodeExec #Germany https://t.co/CeMgu0d3E1

    @TweetThreatNews

    17 Aug 2025

    124 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 🚨CVE-2025-31324: SAP NetWeaver Visual Composer PoC from Scattered Lapsus$ Hunters dropped. GitHub: https://t.co/4vvUzxlFYm https://t.co/iSKY2EdHvp

    @DarkWebInformer

    15 Aug 2025

    10181 Impressions

    17 Retweets

    71 Likes

    33 Bookmarks

    1 Reply

    1 Quote

  47. Scattered Lapsus$ Hunters (UNC3944) are advertising a new exploit for SAP Netweaver, which despite being marketed as an 0day is actually an exploit for CVE-2025-31324. This logic has been added to our free tier SAP Netweaver decoy/honeypot template! Go get that payload 🍯 h

    @DefusedCyber

    15 Aug 2025

    1110 Impressions

    3 Retweets

    19 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  48. ShinyHunters have released their exploit tool for SAP NetWeaver Visual Composer (CVE-2025-31324). While analysing the Base64-encoded Java payload, I spotted an unusual marker string: "Pwner274576528033300" https://t.co/MiW2UoXuqc

    @WhichbufferArda

    15 Aug 2025

    7923 Impressions

    25 Retweets

    79 Likes

    37 Bookmarks

    1 Reply

    0 Quotes

  49. Top 5 Trending CVEs: 1 - CVE-2017-5689 2 - CVE-2025-31324 3 - CVE-2025-8088 4 - CVE-2025-4609 5 - CVE-2024-50264 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    10 Aug 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. Darktrace stopped an Auto-Color backdoor attack on a US chemical firm exploiting CVE-2025-31324 in SAP NetWeaver to deliver a Linux ELF RAT using https://t.co/LcYcq7BF3s.preload persistence and stealthy C2 suppression. #AutoColor #SAPNetWeaver #USA https://t.co/YdB13PpM9G

    @TweetThreatNews

    9 Aug 2025

    2452 Impressions

    20 Retweets

    42 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

Configurations