
Emerging Threat: SAP NetWeaver Visual Composer CVE-2025-31324

Emma Zaballos, Product Marketing Manager
Update May 19th 2025

On May 13th, a new vulnerability, CVE-2025-42999, was published. While this vulnerability requires privileged access to exploit, it takes advantage of the same core vulnerability as CVE-2025-31324. In response, SAP released a new patch for CVE-2025-42999 (available at SAP Security Note 3604119 with SAP login) that also fixes the underlying deserialization issue exploited in CVE-2025-31324.

Applying this patch protects against both vulnerabilities. It should be applied even where earlier fixes, or the mitigation steps previously suggested for CVE-2025-31324, are already in place, in order to eliminate residual risk.

What is CVE-2025-31324? 

On April 24th, 2025, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability (CVSS 10.0) affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. This vulnerability fails to restrict file upload content, allowing unauthenticated remote attackers to achieve full remote code execution (RCE) on affected servers. 

SAP NetWeaver is a technology integration platform for enterprise applications. It presents a tempting target for attackers because it is widely deployed across government agencies, so a successful compromise yields both valuable information and a foothold in attractive government networks. SAP solutions are also frequently deployed on-premises, which leaves it to each customer to decide when, and which, security updates are applied.

What assets are affected by CVE-2025-31324? 

CVE-2025-31324 affects SAP NetWeaver Visual Composer: VC FRAMEWORK 7.50. 

Are fixes available? 

A security patch was released by SAP on April 24th, 2025. Customers should apply the patch as soon as possible. However, details on this patch are only available through SAP Note #3594142, which can only be viewed by SAP customers.  

CVE-2025-31324 was identified after SAP’s April 2025 security patch day, so SAP users will need to apply an additional patch to be protected from this vulnerability. 

If patching is not possible, there are several available mitigation options:

  • Disable the Visual Composer feature if it is not actively used. While users may still be using this feature to create user interfaces for applications, it has been deprecated since 2015 and is no longer receiving updates.
  • Restrict access to the /developmentserver/metadatauploader endpoint using network or firewall rules to prevent unauthenticated uploads. The exploit's initial POST request targets this URL. Limiting access to it can help prevent a successful attack.
  • Monitor for indicators of compromise. Forward logs to a SIEM and check the path “j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/” for suspicious files. Unauthorized files there may signal webshell activity or exploitation. Such files can remain active even after other security measures are applied, so they must be removed to fully mitigate the issue and cut off continued attacker access.
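The two monitoring points in the list above (requests reaching the Metadata Uploader endpoint, and files appearing under the irj servlet root) can be turned into a small defensive check. The following script is an added example written for this post; it is not CyCognito, SAP or ReliaQuest code. The access-log lines and the file names are constructed, the log format is assumed to be the common combined format, and the only values taken from the post are the endpoint path and the servlet root directory.

```python
"""Defensive checks for two of the CVE-2025-31324 mitigation points:

1. POST requests to /developmentserver/metadatauploader in web-server access logs
   (useful both to spot attempts and to confirm a firewall restriction is working)
2. files present under the irj servlet root that were not in a known-good baseline

All sample data below is constructed for illustration.
"""
import os
import re
import tempfile

# Endpoint and directory named in the advisory text above.
METADATA_UPLOADER = "/developmentserver/metadatauploader"
SERVLET_ROOT = "j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/"

# Assumed combined log format:
#   host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2025:10:14:02 +0000] '
    '"POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.4 - - [28/Apr/2025:10:15:31 +0000] '
    '"GET /irj/portal HTTP/1.1" 200 8812',
    '203.0.113.7 - - [28/Apr/2025:10:16:00 +0000] '
    '"GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 77',
]


def find_uploader_posts(log_lines):
    """Return (source, time, status) for every POST hitting the Metadata Uploader.

    Only the path component is compared, case-insensitively, so a query
    string or odd casing does not hide the request from the check.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the assumed format; skip rather than guess
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path.startswith(METADATA_UPLOADER):
            hits.append((m["src"], m["time"], int(m["status"])))
    return hits


def list_tree(root):
    """Relative paths of every file below root, normalised to forward slashes."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def find_unexpected_files(observed, baseline):
    """Files present now that were absent from the known-good baseline snapshot."""
    return sorted(set(observed) - set(baseline))


def demo_file_check():
    """Build a throw-away copy of the servlet root and diff it against a baseline.

    The baseline list and the extra file are constructed; on a real system the
    baseline would be recorded from a trusted install and the real root scanned.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, SERVLET_ROOT)
        baseline = ["WEB-INF/web.xml", "index.jsp"]
        for rel in baseline:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        # A file that appeared after the baseline was taken (constructed).
        open(os.path.join(root, "helper.jsp"), "w").close()
        return find_unexpected_files(list_tree(root), baseline)


if __name__ == "__main__":
    for src, when, status in find_uploader_posts(SAMPLE_LOG):
        print(f"uploader POST from {src} at {when} -> HTTP {status}")
    for rel in demo_file_check():
        print(f"file not in baseline: {SERVLET_ROOT}{rel}")
```

Run against real data, `find_uploader_posts` takes the web server's access log lines and `find_unexpected_files` takes `list_tree()` of the actual servlet root against a baseline recorded before exposure; any hit from either function is a candidate for the removal and deeper environment scan the post recommends.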

ReliaQuest also recommended performing a deep environment scan to identify and remove suspect files before applying the patch.

Is CVE-2025-31324 being actively exploited? 

ReliaQuest’s analysis indicates that attackers are already exploiting this vulnerability in the wild, and Onapsis has also published a report claiming active exploitation. SAP has disputed this allegation.

Are there Indicators of Compromise (IoCs) for CVE-2025-31324? 

ReliaQuest’s original reporting contained two IoCs, which can be found here.

How is CyCognito helping customers identify assets vulnerable to CVE-2025-31324? 

CyCognito has deployed multiple tests to identify this vulnerability in customer assets. Customers can also access lists of affected assets running SAP NetWeaver to assess exposure and validate that patches were successful.

Figure 1: The alert sent by CyCognito for CVE-2025-31324

How can CyCognito help your organization? 

The CyCognito platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn more about how CyCognito can help you identify and remediate emerging threats to your attack surface, request a customized demo.
