
Emerging Threat: SAP NetWeaver Visual Composer CVE-2025-31324

By Emma Zaballos
Product Marketing Manager
April 28, 2025
Update, May 19th, 2025

On May 13th, a new vulnerability, CVE-2025-42999, was published. While this vulnerability requires privileged access to exploit, it takes advantage of the same core vulnerability as CVE-2025-31324. In response, SAP released a new patch for CVE-2025-42999 (available at SAP Security Note 3604119 with SAP login) that also fixes the underlying deserialization issue exploited in CVE-2025-31324.

This patch protects against both vulnerabilities. To eliminate residual risk, it should be applied even if earlier fixes, such as the mitigation steps previously suggested for CVE-2025-31324, were already implemented.

What is CVE-2025-31324? 

On April 24th, 2025, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability (CVSS 10.0) affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The component fails to restrict the content of uploaded files, allowing unauthenticated remote attackers to achieve full remote code execution (RCE) on affected servers.

SAP NetWeaver is a technology integration platform for enterprise applications. It presents a tempting target for attackers because it is widely deployed across government agencies, so a successful compromise yields both valuable information and a foothold in attractive government networks. SAP solutions are also frequently deployed on-premises, leaving it to each customer to decide when, and which, security updates are applied.

What assets are affected by CVE-2025-31324? 

CVE-2025-31324 affects SAP NetWeaver Visual Composer: VC FRAMEWORK 7.50. 

Are fixes available? 

A security patch was released by SAP on April 24th, 2025. Customers should apply the patch as soon as possible. However, details on this patch are only available through SAP Note #3594142, which can only be viewed by SAP customers.  

CVE-2025-31324 was identified after SAP’s April 2025 security patch day, so SAP users will need to apply an additional patch to be protected from this vulnerability. 

Are there any other recommended actions to take? 

If patching is not possible, there are several available mitigation options:

  • Disable the Visual Composer feature if it is not actively used. While some users may still rely on it to create user interfaces for applications, it has been deprecated since 2015 and no longer receives updates.
  • Restrict access to the /developmentserver/metadatauploader endpoint using network or firewall rules to prevent unauthenticated uploads. The exploit’s initial POST request targets this URL, so limiting access to it can help prevent a successful attack.
  • Monitor for indicators of compromise. Forward logs to a SIEM and check the path “j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/” for suspicious files. Unauthorized files in this location might signal webshell activity or exploitation. To ensure complete mitigation and prevent continued attacker access, such files must be removed: they can remain active even after other security measures are applied.

ReliaQuest also recommended performing a deep environment scan to identify and remove suspect files before applying the patch.
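The two monitoring steps above (watching for POSTs to the metadata uploader endpoint and checking the irj servlet_jsp root for unauthorized files) can be turned into a small, repeatable check. The script below is an added example written for this page; it is not CyCognito's, ReliaQuest's or SAP's code. It assumes access logs in a common-log-format style and an allowlist of known-good files in the servlet root, and both the sample log lines and the directory tree it inspects are constructed inline so it runs offline.

```python
"""Defender-side checks derived from the CVE-2025-31324 mitigation advice.

1. scan_access_log(): flag POST requests to /developmentserver/metadatauploader
   from outside the networks you trust (the endpoint the advisory says to restrict).
2. find_unexpected_files(): list files under the irj servlet_jsp root that are
   not on an allowlist of known-good paths, for manual review and removal.

Log lines, IP ranges and file names here are constructed for the example.
"""
import ipaddress
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

METADATA_UPLOADER_PATH = "/developmentserver/metadatauploader"
# Path named in the advisory, relative to the NetWeaver instance root.
IRJ_SERVLET_ROOT = Path("j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root")

# Access-log line: client ip, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG_LINES = [
    '203.0.113.45 - - [25/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader?id=1 HTTP/1.1" 200 512',
    '10.0.0.12 - - [25/Apr/2025:10:15:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 130',
    '198.51.100.7 - - [25/Apr/2025:10:16:40 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '203.0.113.45 - - [25/Apr/2025:10:17:05 +0000] "POST /DevelopmentServer/MetadataUploader HTTP/1.1" 404 0',
    "this line is malformed and must be skipped",
]


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def scan_access_log(lines, trusted_networks=("10.0.0.0/8",)):
    """Return a Hit for each POST to the metadata uploader from an untrusted source.

    trusted_networks is an assumed allowlist (e.g. the admin network that may
    legitimately use Visual Composer). Path comparison is case-insensitive and
    ignores the query string so trivial variations are still surfaced.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()
        if path != METADATA_UPLOADER_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparseable client address: not attributable, skip
        if any(src in net for net in trusted):
            continue
        hits.append(Hit(m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def find_unexpected_files(root, baseline):
    """Return relative paths of files under root that are not in the baseline set.

    baseline should be built from a known-clean deployment; anything else in the
    servlet root is reported for review, since the advisory says unauthorized
    files there may be webshells that survive other mitigations.
    """
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.relative_to(root).as_posix() not in baseline
    )


def run_demo():
    """Build a constructed servlet root in a temp dir and run the file check."""
    baseline = {"index.jsp", "WEB-INF/web.xml"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / IRJ_SERVLET_ROOT
        (root / "WEB-INF").mkdir(parents=True)
        (root / "index.jsp").write_text("<!-- known-good, in baseline -->")
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        # Constructed placeholder name standing in for a file not in the baseline.
        (root / "unexpected_example.jsp").write_text("<!-- not in baseline -->")
        return find_unexpected_files(root, baseline)


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG_LINES):
        print(f"ALERT untrusted POST to uploader: {h.ip} at {h.ts} -> {h.path} ({h.status})")
    for rel in run_demo():
        print(f"REVIEW unexpected file in servlet root: {rel}")
```

In production you would feed `scan_access_log` the ICM or reverse-proxy access log and build the baseline for `find_unexpected_files` from a known-clean system of the same patch level; a non-empty result from either check is a prompt for the deep environment scan ReliaQuest recommends, not proof of compromise on its own.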

Is CVE-2025-31324 being actively exploited? 

ReliaQuest’s analysis indicates that attackers are already exploiting this vulnerability in the wild, and Onapsis has also published a report claiming active exploitation. SAP has disputed this allegation.

Are there Indicators of Compromise (IoCs) for CVE-2025-31324? 

ReliaQuest’s original reporting contained two IoCs, which can be found here.

How is CyCognito helping customers identify assets vulnerable to CVE-2025-31324? 

CyCognito has deployed multiple tests to identify this vulnerability in customer assets. Customers can also access lists of affected assets running SAP NetWeaver to assess their exposure and validate that patches were successful.

Figure 1: The alert sent by CyCognito for CVE-2025-31324

How can CyCognito help your organization? 

The CyCognito platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn more about how CyCognito can help you identify and remediate emerging threats to your attack surface, request a customized demo.
About the Author

Emma Zaballos

Product Marketing Manager

Emma Zaballos is an avid threat researcher who is passionate about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.
