Overview
SAP NetWeaver Visual Composer contains a critical missing-authorization vulnerability in its Metadata Uploader component. Because the upload endpoint enforces no access controls, unauthenticated attackers can upload malicious binaries, making this a pre-authentication remote code execution risk for affected SAP NetWeaver installations. The vulnerability was disclosed on April 24, 2025. CISA has identified CVE-2025-31324 as actively exploited, including in ransomware campaigns.
Technical details
SAP NetWeaver Visual Composer's Metadata Uploader component fails to implement proper authorization controls on file upload functionality. This allows unauthenticated remote attackers to upload arbitrary binary files to the system without any authentication or authorization checks. The vulnerability could be exploited to upload malicious executables or libraries that could lead to remote code execution with the privileges of the NetWeaver application.
The vulnerability is classified as CWE-276 (Incorrect Default Permissions), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-862 (Missing Authorization).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker can upload malicious binary files to the SAP NetWeaver system. This can lead to remote code execution, complete system compromise, unauthorized access to sensitive data, modification or deletion of critical data, and disruption of SAP services. The vulnerability is particularly critical because it requires no authentication and can be exploited remotely with low complexity.
Mitigation and workarounds
As temporary workarounds:
- Implement network-level access controls to restrict access to the Metadata Uploader endpoint.
- Use web application firewall (WAF) rules to block unauthorized upload requests.
- Disable the Visual Composer Metadata Uploader functionality if it is not in use, or restrict it to internal networks only.
- Implement authentication/authorization at the reverse proxy or API gateway level as an additional security layer pending official patches.
- Monitor file upload activity in the Metadata Uploader for suspicious binaries or executable files.
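The network-restriction and monitoring workarounds above can be checked mechanically. The following Python is an added example written for this page; it is not code from the advisory, SAP or CISA. It assumes three things the advisory does not state: the Metadata Uploader URL path (given here only as the placeholder UPLOADER_PATH), that requests reach the uploader through a reverse proxy writing combined log format with the authenticated user in the remote-user field, and that "internal" means the RFC 1918 ranges. The log lines and file headers it processes are constructed.

```python
"""Defender-side checks for the unauthenticated-upload risk described above.

Added example, not code from the advisory, SAP or CISA. Assumptions:
- UPLOADER_PATH is a placeholder for the Metadata Uploader URL path (the
  advisory does not give it); set it from your own deployment.
- Requests reach the uploader through a reverse proxy that writes combined
  log format and records the authenticated user in the remote-user field.
- "Internal" means the RFC 1918 ranges in INTERNAL_NETS.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder path: the advisory names the component but not its URL.
UPLOADER_PATH = "/<METADATA_UPLOADER_PATH>"

# Networks from which uploader access is acceptable under the workaround
# "restrict it to internal networks only" (assumption: RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: client - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Magic bytes of executable formats a metadata uploader should never receive.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF executable or shared object",
    b"MZ": "Windows PE executable or DLL",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"PK\x03\x04": "ZIP archive (possible JAR)",
}


@dataclass
class Finding:
    source_ip: str
    user: str
    status: str
    reasons: list
    line: str


def is_internal(ip: str) -> bool:
    """True if the client address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_access_log(lines):
    """Flag POSTs to the uploader path that carry no authenticated user or
    come from outside the internal networks, and note whether the server
    accepted them (2xx), which is the case to investigate first."""
    findings = []
    target = UPLOADER_PATH.rstrip("/").lower()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != target:
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("no authenticated user on upload request")
        if not is_internal(m["ip"]):
            reasons.append(f"request from non-internal address {m['ip']}")
        if not reasons:
            continue
        if m["status"].startswith("2"):
            reasons.append(f"server accepted the request (HTTP {m['status']})")
        findings.append(Finding(m["ip"], m["user"], m["status"], reasons, line))
    return findings


def classify_upload(data: bytes):
    """Return a description if the bytes start with a known executable
    signature, else None. Run this over files the uploader wrote to disk."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    f'203.0.113.10 - - [25/Apr/2025:10:00:01 +0000] "POST {UPLOADER_PATH} HTTP/1.1" 200 512',
    f'10.1.2.3 - jdoe [25/Apr/2025:10:00:05 +0000] "POST {UPLOADER_PATH}?op=upload HTTP/1.1" 200 1024',
    f'10.1.2.4 - - [25/Apr/2025:10:00:09 +0000] "GET /other/page HTTP/1.1" 200 2048',
    f'198.51.100.7 - - [25/Apr/2025:10:00:12 +0000] "POST {UPLOADER_PATH} HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print(f"{finding.source_ip} user={finding.user} status={finding.status}: "
              + "; ".join(finding.reasons))
    print(classify_upload(b"\x7fELF\x02\x01\x01"))  # constructed ELF header
```

Of the four constructed lines, only the two external, unauthenticated POSTs are reported; the one the server answered with HTTP 200 is the one that warrants checking the upload directory with classify_upload, since a 401 means the request was refused. The user field check only works when the proxy in front of NetWeaver actually authenticates and logs the user, which is exactly what the reverse-proxy workaround above puts in place.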
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: This report was generated using AI

