CVE-2025-31324 - [KEV] - CVSS 10.0
Overview
CVE-2025-31324 is an unrestricted file upload vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader component. The flaw allows an unauthenticated remote attacker to upload arbitrary executable binaries to the affected server, enabling remote code execution on the underlying NetWeaver Application Server Java instance. The vulnerability carries a maximum CVSS score of 10.0, reflecting the combination of network attack vector, no required authentication, no user interaction, and complete compromise of confidentiality, integrity, and availability.
CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on 2025-04-29, and the issue is currently flagged as exhibiting widespread exploitation and known ransomware association. Despite a moderate EPSS score (0.346), real-world targeting of internet-exposed SAP systems makes this a high-priority issue for any organization running NetWeaver.
Affected Products
- SAP NetWeaver – Visual Composer Metadata Uploader component (typically reachable via the /developmentserver/metadatauploader endpoint on the NetWeaver AS Java stack).
Organizations should treat any externally reachable NetWeaver Java instance as in-scope until verified patched, as the Visual Composer development server is frequently deployed by default.
Exploitation Evidence
No discrete exploitation telemetry is recorded in the source database for this briefing. However, the KEV listing dated 2025-04-29 and the "widespread exploitation" maturity rating indicate that CISA and partners have confirmed in-the-wild abuse. Public reporting has consistently described the attack pattern as unauthenticated HTTP POST requests delivering JSP webshells to the metadata uploader, followed by hands-on-keyboard activity through the dropped shell.
ATT&CK Mapping
No ATT&CK techniques are pre-mapped in the source data. Based on the vulnerability mechanics, the following techniques are operationally relevant for detection engineering:
- T1190 – Exploit Public-Facing Application: Initial access via the exposed Visual Composer endpoint.
- T1505.003 – Server Software Component: Web Shell: Deployment of JSP or similar webshell artifacts post-upload.
- T1059 – Command and Scripting Interpreter: Execution of OS commands through the uploaded payload.
Threat Actor Context
No specific actor attribution is present in the supplied dataset. The ransomware-association flag indicates that one or more ransomware operations have leveraged this CVE as an access vector, consistent with the broader pattern of ransomware crews weaponizing high-impact enterprise application vulnerabilities shortly after disclosure.
Recommended Actions
- Apply the SAP Security Note for CVE-2025-31324 on all NetWeaver AS Java systems immediately; SAP released an emergency patch in April 2025.
- Restrict or remove the Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader) if not required; block it at the WAF or reverse proxy.
- Hunt for indicators of compromise: review the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory and similar webroot paths for unexpected JSP, class, or binary files with recent timestamps.
- Inspect HTTP access logs for POST requests to the metadata uploader path, particularly from external or unusual source IPs.
- Reduce attack surface by removing NetWeaver Java instances from direct internet exposure where feasible; place behind VPN or zero-trust gateways.
- Rotate credentials and review service account activity on any system that cannot be conclusively cleared, given the ransomware association and potential for persistence.
- Engage incident response if any unexplained files, processes, or outbound connections are identified on systems that were patched late; assume breach until proven otherwise for internet-exposed hosts.
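The two hunting steps above (uploader POSTs in the HTTP access log, fresh JSP/class/binary drops under the webroot) as a small Python script. This is an added example for this briefing, not SAP tooling or code from the original advisory. It assumes an NCSA combined-format access log (real ICM or AS Java HTTP logs differ, so adjust the regex), RFC 1918 ranges as "internal", constructed sample log lines, and a /usr/sap/<SID>/J00 install prefix; the dropped.jsp name in the sample is made up for illustration.

```python
"""Hunt for CVE-2025-31324 exploitation artifacts: POSTs to the Visual Composer metadata
uploader in an HTTP access log, follow-on .jsp requests from the same sources, and
recently modified JSP/class/binary files under the NetWeaver Java webroot."""
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Webroot named in the advisory; the /usr/sap/<SID>/J00 prefix is an assumption.
WEBROOT_HINT = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"

# Address ranges treated as internal for this example (assumption); everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NCSA combined log format (assumption); adapt to the ICM / AS Java access log you actually have.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real telemetry. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.1.2.3 - - [28/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [28/Apr/2025:09:15:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.45 - - [28/Apr/2025:09:15:50 +0000] "GET /irj/dropped.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.1.2.7 - - [28/Apr/2025:10:02:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.1.2.7 - - [28/Apr/2025:10:02:20 +0000] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Extensions worth flagging when freshly written under the webroot. The empty string catches
# extensionless files, since dropped ELF binaries frequently have no suffix.
SUSPECT_SUFFIXES = (".jsp", ".class", ".jar", ".war", ".sh", ".exe", "")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string before comparing
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip_text):
    """True unless the address falls inside one of INTERNAL_NETS (unparsable counts as external)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def find_uploader_posts(log_text):
    """Every POST to the metadata uploader, tagged with source classification and whether
    the server answered 2xx (an accepted upload is the stronger signal)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].rstrip("/").lower() == UPLOADER_PATH:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "external": is_external(rec["ip"]),
                "accepted": 200 <= rec["status"] < 300,
            })
    return hits


def followup_jsp_requests(log_text, hits):
    """Requests for .jsp resources from any IP that POSTed to the uploader in this log window;
    that is the hands-on-keyboard pattern the advisory describes (webshell use after upload)."""
    suspects = {h["ip"] for h in hits}
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in suspects and rec["path"].lower().endswith(".jsp"):
            found.append((rec["ip"], rec["path"]))
    return found


def flag_recent_files(entries, now_epoch, max_age_days=30):
    """entries: iterable of (path, mtime_epoch). Returns entries with a suspect suffix modified
    within max_age_days, newest first. Pure function so it can be run against a file listing."""
    cutoff = now_epoch - max_age_days * 86400
    flagged = [(p, m) for p, m in entries
               if m >= cutoff and os.path.splitext(p)[1].lower() in SUSPECT_SUFFIXES]
    return sorted(flagged, key=lambda e: e[1], reverse=True)


def walk_webroot(root):
    """Yield (path, mtime) for every file under root; feed the result to flag_recent_files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.stat(full).st_mtime
            except OSError:
                continue


if __name__ == "__main__":
    hits = find_uploader_posts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']:>15} external={h['external']} accepted={h['accepted']}")
    for ip, path in followup_jsp_requests(SAMPLE_LOG, hits):
        print(f"follow-on JSP request from {ip}: {path}")
    # On a live host (path prefix is an assumption):
    #   import time; flag_recent_files(walk_webroot("/usr/sap/<SID>/J00/" + WEBROOT_HINT), time.time())
```

An external source with an accepted (2xx) upload followed by .jsp requests is the case to escalate first; an internal source posting to the uploader still warrants a look, since Visual Composer development traffic should be rare and attributable. Run the webroot scan on the instance itself, compare flagged files against a known-good deployment, and preserve copies before removing anything.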