SAP NetWeaver Visual Composer, unauthenticated arbitrary file upload
The SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. The vulnerability is an unrestricted upload of a file with a dangerous type. Successful exploitation enables an attacker to compromise the confidentiality, integrity, and availability of the affected system.
Overview
CVE-2025-31324 is a critical vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader, a component of the widely deployed SAP NetWeaver application server. Because the Metadata Uploader endpoint lacks proper authorization, an unauthenticated attacker can upload arbitrary, potentially malicious executable files to the host, leading to full system compromise. SAP released an emergency fix (Security Note 3594142) on April 24, 2025, which is also the NVD publication date. The flaw was exploited as a zero-day, and CISA added it to the Known Exploited Vulnerabilities catalog on April 29, 2025. The NVD primary (NIST) assessment is CVSS 9.8, while SAP, as the CNA, rated it CVSS 10.0.
Technical Details
The vulnerability is classified as CWE-434 (unrestricted upload of file with dangerous type). The Visual Composer Metadata Uploader exposes an endpoint (commonly observed as /developmentserver/metadatauploader) that fails to enforce authorization, permitting unauthenticated requests to write attacker-supplied files, including web shells (for example JSP payloads), into a web-accessible directory. The uploaded file can then be executed by requesting it, yielding remote code execution. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Impact
- Unauthenticated upload and execution of web shells on the SAP NetWeaver host.
- Full compromise of confidentiality, integrity, and availability of the SAP system.
- Access to sensitive business data and SAP application logic.
- Lateral movement into connected SAP landscapes and the wider enterprise network.
Mitigation
- Apply SAP Security Note 3594142 to remediate CVE-2025-31324.
- Apply the related follow-up SAP Security Note 3604119 (addressing CVE-2025-42999) to fully harden Visual Composer.
- If patching must be deferred, restrict or disable access to the Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader) and the Visual Composer component if it is not required.
- After patching, assume potential prior compromise and conduct incident response, including searching for and removing planted web shells.
Detection
Inspect SAP web server and ICM access logs for POST requests to /developmentserver/metadatauploader, especially from untrusted sources, and search the servlet/web directories for unexpected JSP or executable files. Hunt for known web shell filenames reported by responders and for anomalous child processes spawned by the SAP work processes. Monitor for unexpected outbound connections from the SAP host. CISA added CVE-2025-31324 to the Known Exploited Vulnerabilities catalog on April 29, 2025, with a remediation due date of May 20, 2025.
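The access-log review described above, as an added example (not code from SAP or from the original advisory). It assumes access logs in Common Log Format and a hypothetical trusted range of 10.20.0.0/16; the sample lines and the .jsp name are constructed, and the follow-up check for .jsp requests from a client whose upload was accepted is an added heuristic.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"  # endpoint named on this page
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: your trusted ranges
# Assumption: access log in Common Log Format; adjust to your ICM log format.
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def norm_path(target):
    """URL-decode and lower-case the path so encoded or mixed-case variants match."""
    return unquote(urlsplit(target).path).lower().rstrip("/")

def is_trusted(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or malformed values are treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def hunt(lines):
    """Return findings: uploader POSTs, and later .jsp requests by the same client."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue
        src, path = m["src"], norm_path(m["target"])
        if m["method"] == "POST" and path == UPLOADER_PATH:
            sev = "review" if is_trusted(src) else "high"
            if m["status"].startswith("2"):
                uploaders.add(src)  # request was accepted; watch this client
            findings.append((n, sev, "uploader-post", src, m["status"]))
        elif src in uploaders and path.endswith(".jsp"):
            findings.append((n, "high", "jsp-after-upload", src, m["status"]))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE = [
    '10.20.3.7 - - [29/Apr/2025:09:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.50 - - [29/Apr/2025:09:02:11 +0000] "POST /developmentserver/metadatauploader?q=constructed HTTP/1.1" 200 42',
    '203.0.113.50 - - [29/Apr/2025:09:02:15 +0000] "GET /example/placeholder.jsp HTTP/1.1" 200 17',
    '198.51.100.9 - - [29/Apr/2025:09:05:40 +0000] "POST /developmentserver/%6DetadataUploader HTTP/1.1" 403 0',
    '10.20.3.7 - - [29/Apr/2025:09:06:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

Each finding is a tuple of line number, severity, rule name, source and HTTP status. A rejected POST (such as the 403 in the sample) is still reported, because it shows the endpoint being probed.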