Sap · Sap Netweaver Visual Composer · CVE-2025-31324
**Name of the Vulnerable Software and Affected Versions**
SAP NetWeaver versions prior to September 2025
**Description**
A critical remote code execution issue exists in the SAP NetWeaver Development Server, specifically within the Visual Composer tool's Metadata Uploader function. The flaw is caused by inadequate authorization and insufficient validation of model files uploaded via the 'metadatauploader' endpoint, as well as deficiencies in the deserialization mechanism. This allows unauthenticated remote attackers to upload malicious executable binaries, often packaged as ZIP or JAR files with an `application/octet-stream` content type, which the server erroneously processes as safe. Once processed, this can lead to full system compromise, affecting confidentiality, integrity, and availability.
Real-world exploitation has been observed since March 2025, with increased activity following an exploit release in August 2025. Attackers, including China-nexus APTs and groups like Lapsus and Shinyhunters, have targeted government, retail, telco, and financial sectors, including a U.S.-based chemicals company. Exploitation chains have involved the deployment of web shells such as 'helper.jsp' and 'cache.jsp', and the installation of a Linux backdoor named Auto-Color to maintain persistence, execute reverse shells, and steal data.
**Recommendations**
Apply SAP security updates released in September 2025.
Deploy intrusion prevention and detection systems (IPS/IDS) to identify POST requests to the 'metadatauploader' endpoint containing `application/octet-stream` indications and binary payloads.
Use endpoint detection and response (EDR) solutions to monitor for anomalous SAP process behaviors, such as unexpected command line executions.
Restrict exposure of development servers to trusted networks.