Emerging Threat: SAP NetWeaver Visual Composer CVE-2025-31324

What is CVE-2025-31324? 

On April 24th, 2025, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability (CVSS 10.0) affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. This vulnerability fails to restrict file upload content, allowing unauthenticated remote attackers to achieve full remote code execution (RCE) on affected servers. 

SAP Netweaver is a technology integration platform for enterprise applications. It presents a tempting target for attackers because it’s widely deployed across government agencies, giving successful attackers access to valuable information and access to attractive government networks. SAP solutions are also frequently deployed on-premises, giving users control over when and which security updates are applied. 

What assets are affected by CVE-2025-31324? 

CVE-2025-31324 affects SAP NetWeaver Visual Composer: VC FRAMEWORK 7.50. 

Are fixes available? 

A security patch was released by SAP on April 24th, 2025. Customers should apply the patch as soon as possible. However, details on this patch are only available through SAP Note #3594142, which can only be viewed by SAP customers.  

CVE-2025-31324 was identified after SAP’s April 2025 security patch day, so SAP users will need to apply an additional patch to be protected from this vulnerability. 

Are there any other recommended actions to take? 

If patching is not possible, there are several available mitigation options:

• Disable the Visual Composer feature if it is not actively used. While users may still be using this feature to create user interfaces for applications, it has been deprecated since 2015 and is no longer receiving updates.
• Restrict access to the /developmentserver/metadatauploader endpoint using network or firewall rules to prevent unauthenticated uploads. The exploit's initial POST request targets this URL. Limiting access to it can help prevent a successful attack.
• Monitor for indicators of compromise. Forward logs to SIEM and check for suspicious files by checking the path “j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/”. Unauthorized files might signal malicious webshell activity or exploitation. To ensure complete mitigation and prevent continued attacker access, these files must be removed. They could remain active even after other security measures are applied.

Reliaquest also recommended performing a deep environment scan to identify and remove suspect files before applying the patch. 

Is CVE-2025-31324 being actively exploited? 

Reliaquest’s analysis indicates that attackers are already exploiting this vulnerability in the wild and Onapsis has also published a report claiming active exploitation. SAP has disputed this allegation.  

Are there Indicators of Compromise (IoCs) for CVE-2025-31324? 

Reliaquest’s original reporting contained two IoCs, which can be found here.  

How is CyCognito helping customers identify assets vulnerable to CVE-2025-31324? 

CyCognito has deployed multiple tests to identify this vulnerability in customer assets. Customers can also access lists of affected assets running SAP NetWeaver, to assess exposure and validate patches were successful.

Figure 1: The alert sent by CyCognito for CVE-2025-31324

How can CyCognito help your organization? 

The CyCognito platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn more about how CyCognito can help you identify and remediate emerging threats to your attack surface, request a customized demo.