PT-2025-17845 · Sap · Sap Netweaver Visual Composer

Benjamin Harris · Published 2025-04-22 · Updated 2025-11-26 · CVE-2025-31324

CVSS v3.1: 10 (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver (affected versions not specified)
Description: SAP NetWeaver is affected by a critical vulnerability (CVE-2025-31324) that allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution and full system compromise. The flaw resides in the Visual Composer Metadata Uploader, which lacks proper authorization checks. Numerous threat actors, including China-linked APT groups and ransomware operations (Qilin, Scattered Lapsus$ Hunters), are actively exploiting this vulnerability. Exploitation has been observed globally, impacting critical infrastructure sectors such as energy, government, and healthcare. Attackers are deploying webshells and malware (Auto-Color), including Golang-based backdoors. The vulnerability has a CVSS score of 10.0, indicating its critical severity. Over 1,200 systems are reported to be vulnerable.
Recommendations: Apply the latest SAP security patch (Security Note 3594142) immediately. If patching is not immediately possible, restrict access to the /developmentserver/metadatauploader endpoint and disable Visual Composer if it is not in use. Implement robust monitoring and logging to detect suspicious activity. Use intrusion detection and prevention systems (IDS/IPS) to identify and block exploitation attempts. Regularly scan systems for vulnerabilities and ensure timely patching.
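As an added illustration of the monitoring the recommendations call for (this is not code from the advisory or from SAP), the following Python script scans web-server access-log lines for requests to the /developmentserver/metadatauploader endpoint and tallies them by client, method and status. The combined-style log format and the sample lines are constructed assumptions; a real SAP ICM or Web Dispatcher log needs its own pattern.

```python
import re
from collections import Counter

# Endpoint the advisory recommends restricting when patching is delayed.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-style access-log pattern; an assumption for the constructed sample
# below (real SAP ICM/Web Dispatcher log formats differ and need their own regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_uploader_request(entry):
    """True when the path targets the uploader: query string dropped, case
    folded and trailing slash removed so simple variants are still caught."""
    path = entry["path"].split("?", 1)[0].lower().rstrip("/")
    return path == UPLOADER_PATH

def find_uploader_hits(lines):
    """Return the parsed entries that hit the uploader endpoint."""
    return [e for e in map(parse_line, lines) if e and is_uploader_request(e)]

def summarize(hits):
    """Tally hits by (client IP, method, status); a 2xx POST is the case to
    investigate, a 403 shows an access restriction doing its job."""
    return Counter((h["ip"], h["method"], h["status"]) for h in hits)

# Constructed sample lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Apr/2025:10:01:13 +0000] "POST /developmentserver/metadatauploader?v=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Apr/2025:10:02:40 +0000] "GET /irj/portal HTTP/1.1" 200 8341',
    '198.51.100.7 - - [22/Apr/2025:10:02:55 +0000] "GET /DevelopmentServer/MetadataUploader/ HTTP/1.1" 200 137',
    '203.0.113.9 - - [22/Apr/2025:10:03:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    'not a log line',
]
if __name__ == "__main__":
    for key, n in sorted(summarize(find_uploader_hits(SAMPLE_LOG)).items()):
        print(f"{key[0]} {key[1]} {key[2]}: {n}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; on the sample it reports three hits, two of which are successful requests from one client and one a blocked POST.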

Exploit

Fix

RCE

Unrestricted File Upload

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2025-04927
BDU:2025-05676
CVE-2025-31324

Affected Products

Sap Netweaver Visual Composer