CVE-2025-31324

CVSS 10.0 · CRITICAL · CISA KEV

📋 TL;DR

CVE-2025-31324 is a missing-authorization-check vulnerability in the Metadata Uploader of SAP NetWeaver Visual Composer, a component of SAP NetWeaver Application Server Java. The uploader endpoint (/developmentserver/metadatauploader) accepts file uploads from unauthenticated callers, so an attacker can write arbitrary files, typically JSP webshells, into the web root and execute code as the SAP Java server process. It affects organizations running SAP NetWeaver AS Java with the Visual Composer component deployed, and is most dangerous where the Java stack (for example the Enterprise Portal) is reachable from the internet.

💻 Affected Systems

Products:
  • SAP NetWeaver Application Server Java, Visual Composer development server (software component VCFRAMEWORK 7.50)
Versions: VCFRAMEWORK 7.50 at any patch level below the one delivered with SAP Security Note 3594142 (released out-of-band in April 2025)
Operating Systems: All platforms on which SAP NetWeaver AS Java runs; the flaw is in the Java application, not in the OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every AS Java system on which the Visual Composer Metadata Uploader (/developmentserver/metadatauploader) is deployed and reachable, whether or not Visual Composer is actually used. The vulnerability is a missing authorization check on that endpoint, not a parsing bug in the upload handling, so there is no "safe" input: any request reaches the upload logic.

📦 What is this software?

SAP Visual Composer is a model-driven tool for building SAP user interfaces (forms, dashboards, portal content) without writing code. It runs as a Java web application on SAP NetWeaver Application Server Java and ships alongside the portal stack, so it is frequently deployed, and frequently internet-facing through the portal, even at organizations that never use it. The Metadata Uploader is the servlet Visual Composer uses to upload model metadata to its development server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the SAP Java server: attackers execute arbitrary code as the SAP service account, steal business and credential data, deploy ransomware, pivot into the connected SAP landscape (ABAP backends, databases) and the wider network, and can render the system unrecoverable without a rebuild.

🟠

Likely Case

Attackers upload JSP webshells or other malware through the uploader to establish persistent access, exfiltrate business data, and use the compromised SAP host as a foothold for lateral movement within the network.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the affected SAP system, though data theft and service disruption remain possible.

🌐 Internet-Facing: HIGH - Exploitable with a single unauthenticated HTTP request from the internet, so exposed systems are scanned and compromised within hours of being found.
🏢 Internal Only: HIGH - Any user or compromised device that can reach the AS Java HTTP port can exploit it without credentials; the only thing the attacker needs is network reachability.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild as a zero-day before the patch was available. An attacker needs only to send an HTTP POST with a multipart file upload to the vulnerable endpoint; no session, token or credential is required, and the uploaded file is reachable over the same web server immediately afterwards.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The corrected VCFRAMEWORK 7.50 patch delivered with SAP Security Note 3594142

Vendor Advisory: https://me.sap.com/notes/3594142

Restart Required: Yes

Instructions:

1. Read SAP Security Note 3594142 on the SAP Support Portal and download the VCFRAMEWORK patch it references for your release and support package level.
2. Deploy the patch to every AS Java instance using your standard SAP Java patching procedure (for example Software Update Manager or the deploy tool of your release).
3. Restart the affected SAP NetWeaver AS Java instances.
4. Confirm the new VCFRAMEWORK patch level in the system's component information, and confirm that an unauthenticated request to /developmentserver/metadatauploader is no longer accepted.
5. Because the flaw was exploited before the patch existed, treat patching as incomplete until the host has been checked for webshells and other post-exploitation artefacts (see Detection & Monitoring).

🔧 Temporary Workarounds

Network Access Control (all platforms)

Block untrusted access to the SAP NetWeaver AS Java HTTP/HTTPS ports (by default 5<NN>00 and 5<NN>01, where NN is the instance number). A port-level block also takes the portal offline for the blocked sources, so where a reverse proxy or WAF sits in front of the system, prefer a path-level deny for /developmentserver/metadatauploader there and use the host firewall as the fallback.

# Linux hosts with firewalld: reject TCP to the AS Java port from the untrusted range, then activate the permanent rule
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<UNTRUSTED_CIDR>" port port="<SAP_JAVA_HTTP_PORT>" protocol="tcp" reject'
firewall-cmd --reload

# Windows Firewall: same intent, scoped to the untrusted range
netsh advfirewall firewall add rule name="Block SAP VC uploader port" dir=in action=block protocol=TCP localport=<SAP_JAVA_HTTP_PORT> remoteip=<UNTRUSTED_CIDR>

Disable Vulnerable Component (all platforms)

Temporarily disable the Visual Composer development server if Visual Composer is not in use. Stop or undeploy the Visual Composer applications through SAP NetWeaver Administrator (or the deploy tooling for your release) following the component-specific procedure in SAP's workaround guidance for Note 3594142, rather than deleting files by hand, so the change can be reversed after patching. Afterwards confirm that an unauthenticated GET to /developmentserver/metadatauploader no longer returns HTTP 200.

🧯 If You Can't Patch

  • Implement strict network segmentation so that the AS Java HTTP ports of SAP systems are reachable only from the internet-facing reverse proxy and from trusted administrative and user networks
  • Deploy a web application firewall (WAF) or reverse-proxy rule that denies all requests to /developmentserver/metadatauploader, and alert on every request that hits the rule
  • Review the web root of the portal application for files that should not be there (see Detection & Monitoring), since a system that has been exposed may already be compromised regardless of which mitigation is applied now

🔍 How to Verify

Check if Vulnerable:

Check whether the VCFRAMEWORK 7.50 patch from SAP Security Note 3594142 is deployed on every AS Java instance. Independently, send an unauthenticated GET to https://<host>:<port>/developmentserver/metadatauploader from an untrusted network position: an HTTP 200 means the uploader is exposed and the system should be treated as unpatched; 401/403/404 indicate the endpoint is protected or not deployed. Review the HTTP access logs for POST requests to that path.

Check Version:

Visual Composer runs on the Java stack, so SAP GUI (System → Status) does not show it. Open the AS Java System Information page (https://<host>:<port>/sap/monitoring/SystemInfo) or SAP NetWeaver Administrator and compare the VCFRAMEWORK component version and patch level against the level listed in SAP Security Note 3594142.

Verify Fix Applied:

Confirm the VCFRAMEWORK component shows the patched level on every instance after the restart, then repeat the unauthenticated GET to /developmentserver/metadatauploader and confirm it is rejected. A redirect to a login page is not proof of a fix; only a non-200 response from the uploader itself, or the component being undeployed, counts.
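The verification check described above, as an added example written for this page (not a script from SAP or from the original advisory). It issues a single unauthenticated GET, uploads nothing, and refuses to follow redirects so that a 302 to an SSO login page is not mistaken for a 200 from the uploader. The target URL, port and User-Agent are assumed values; the mapping of status codes to verdicts follows the reasoning in the text and is the part that is exercised offline.

```python
#!/usr/bin/env python3
"""Read-only exposure check for CVE-2025-31324: GET the Visual Composer
Metadata Uploader without credentials and classify the HTTP status.
Added example; target host and port are assumptions, replace them."""
import sys
import urllib.error
import urllib.request

UPLOADER_PATH = "/developmentserver/metadatauploader"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must be reported as
    a redirect, not silently turned into a 200 from the login form."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Map the status of an unauthenticated GET on the uploader to a verdict."""
    if status == 200:
        return ("EXPOSED: uploader answered an unauthenticated GET; treat as "
                "unpatched until the VCFRAMEWORK level from Note 3594142 is confirmed")
    if status in (401, 403):
        return "PROTECTED: access denied (patched, or an authorization/proxy rule in front)"
    if status == 404:
        return "NOT SERVED: component undeployed or disabled"
    if 300 <= status < 400:
        return "REDIRECTED: inspect the Location header; an SSO/login redirect is not a fix"
    return f"UNEXPECTED: HTTP {status}, review manually"


def probe(base_url, timeout=10):
    """Return the raw HTTP status of GET <base_url>/developmentserver/metadatauploader.
    Network call; not exercised by the offline test."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + UPLOADER_PATH,
        method="GET",
        headers={"User-Agent": "cve-2025-31324-check/1.0"},  # assumed UA string
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx arrive here because redirects are not followed
        return err.code


if __name__ == "__main__":
    # Assumed example target; pass the real AS Java base URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://sap-java.example.internal:50001"
    code = probe(target)
    print(f"{target}{UPLOADER_PATH} -> HTTP {code}: {classify(code)}")
```

Run it from a network position that has no privileged access to the system (for example a scanning host outside the SAP network), since the point is to see what an unauthenticated stranger sees. Pair the result with the component version check; the HTTP probe alone cannot distinguish a patched uploader from one hidden behind a proxy rule.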

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /developmentserver/metadatauploader in the AS Java HTTP access logs; legitimate use of this endpoint is rare and always comes from developers' workstations, so any POST from an unknown source is suspect
  • Requests to JSP files directly under /irj/ (for example /irj/<name>.jsp with a cmd-style query string), which is where publicly reported intrusions placed their webshells
  • New or recently modified .jsp files in the portal web root on disk (the irj servlet_jsp root under the j2ee cluster applications directory of the instance), or anywhere else under the SAP Java installation where developers do not deploy by hand
  • Child processes of the SAP Java server process that a web server should never spawn (cmd.exe, powershell.exe, /bin/sh, curl, wget)

Network Indicators:

  • Unusual outbound connections from SAP servers (to the internet, or to internal hosts the SAP system never talks to)
  • HTTP traffic to the AS Java ports from unexpected sources, in particular from scanning infrastructure or from internal hosts that are not user workstations or the reverse proxy
  • Multipart file uploads to /developmentserver/metadatauploader of any size; the endpoint should see no traffic at all outside development activity

SIEM Query:

source="sap_java_http_access" AND uri_path="/developmentserver/metadatauploader*" AND http_method="POST"
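The log indicators above turned into detection logic that runs over access-log lines, as an added example for this page (not tooling from SAP or from the original advisory). It parses NCSA combined-format lines, flags POSTs to the uploader, flags GETs that the uploader answers with 200 (the endpoint is reachable), and raises the severity of a JSP hit under /irj/ to critical when the same source address has previously posted to the uploader. The log lines are constructed for the example; the format regex and the JSP heuristic are assumptions about what your web server or proxy logs look like and should be adjusted to the real format.

```python
#!/usr/bin/env python3
"""Detection logic for CVE-2025-31324 post-exploitation patterns in HTTP
access logs. Added example; the log lines below are constructed, not real."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in NCSA combined format. Lines 1 and 3 model the reported
# pattern (unauthenticated POST to the uploader, then a JSP under /irj/ from the
# same source). Line 4 is a probe against a patched host (404); line 5 a probe
# answered 200, i.e. the uploader is reachable.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:15:32 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [24/Apr/2025:10:15:40 +0000] "GET /irj/portal HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Apr/2025:10:16:01 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.5 - - [24/Apr/2025:10:20:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "curl/8.5"
192.0.2.9 - - [24/Apr/2025:10:21:13 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 0 "-" "Go-http-client/1.1"
"""

# Assumed log format (Apache/nginx "combined"); adapt to your proxy or ICM format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOADER = "/developmentserver/metadatauploader"
# Heuristic: a JSP served directly under /irj/ is unusual on a portal and is where
# reported webshells were reached. Tune against your own baseline.
IRJ_JSP_RE = re.compile(r"^/irj/[^/?]+\.jsp$", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    severity: str
    detail: str


def analyze(log_text: str) -> List[Finding]:
    """Scan log lines in order and return findings. Order matters: a JSP hit
    from an address that already posted to the uploader is escalated."""
    findings: List[Finding] = []
    uploader_posters = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ip, ts, method, status = m["ip"], m["ts"], m["method"], m["status"]
        path = m["target"].split("?", 1)[0]
        if path.lower() == UPLOADER:
            if method == "POST":
                uploader_posters.add(ip)
                findings.append(Finding(ip, ts, "metadatauploader_post", "high",
                                        f"unauthenticated upload attempt, status {status}, ua={m['ua']}"))
            elif status == "200":
                findings.append(Finding(ip, ts, "metadatauploader_reachable", "medium",
                                        "GET answered 200: endpoint exposed, host likely unpatched"))
        elif IRJ_JSP_RE.match(path):
            severity = "critical" if ip in uploader_posters else "low"
            findings.append(Finding(ip, ts, "jsp_under_irj_root", severity,
                                    f"{method} {m['target']} status {status}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.ts} {f.ip:15} {f.rule}: {f.detail}")
```

On the constructed sample this yields three findings: the POST from 203.0.113.10 (high), the follow-up request to /irj/helper.jsp from the same address (critical, because of the correlation), and the 200 answer to the scanner at 192.0.2.9 (medium). The patched host's 404 produces nothing. The correlation is the valuable part: a lone JSP request under /irj/ may be a false positive, but one that follows an upload from the same source almost never is.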

🔗 References

  • SAP Security Note 3594142: https://me.sap.com/notes/3594142
  • NVD entry for CVE-2025-31324: https://nvd.nist.gov/vuln/detail/CVE-2025-31324