PT-2025-17845 · SAP · SAP NetWeaver Visual Composer

Benjamin Harris · Published 2025-04-22 · Updated 2025-11-03 · CVE-2025-31324

CVSS v3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver versions prior to the release of SAP Security Note 3594142.

Description: The SAP NetWeaver Visual Composer Metadata Uploader lacks a proper authorization check, so unauthenticated attackers can upload potentially malicious executable binaries. This vulnerability (CVE-2025-31324) has a CVSS score of 10.0 and is actively exploited in the wild by multiple threat actors, including China-linked APT groups and ransomware operations such as Qilin and Scattered Lapsus$. Exploitation allows remote code execution and the deployment of webshells and tools such as the Auto-Color RAT. Over 1,200 systems have been compromised, with exploitation observed across sectors including energy, government, healthcare, and manufacturing. Attackers use the vulnerability to gain initial access and deploy malicious payloads. The flaw is in the Visual Composer Metadata Uploader component and allows unrestricted file uploads.

Recommendations: Apply SAP Security Note 3594142 immediately. If patching is not immediately possible, restrict access to the /developmentserver/metadatauploader endpoint or disable the Visual Composer component. Deploy intrusion prevention and detection systems (IPS/IDS) to identify and block malicious activity. Monitor systems for anomalous behavior and ensure that SAP NetWeaver has been updated to the latest version.
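As an added example (not part of this advisory or of any SAP tooling), the following script supports the monitoring recommendation: it scans web server access logs for requests to the /developmentserver/metadatauploader endpoint and flags accepted POSTs, which after restriction or disablement should not occur. It assumes Apache/NGINX combined log format; the sample lines are constructed and use documentation IP ranges.

```python
import re

# Path of the Visual Composer Metadata Uploader endpoint named in the advisory.
ENDPOINT = "/developmentserver/metadatauploader"

# Combined log format (assumption): ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def scan_access_log(lines):
    """Return one finding per request that touches the uploader endpoint.

    "high": a POST answered with 2xx (the server accepted an upload).
    "medium": any other hit on the endpoint (probing or a rejected attempt).
    Lines for other paths, or lines that do not parse, are ignored.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and compare case-insensitively so spelling
        # variants of the path are not missed.
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith(ENDPOINT):
            continue
        status = int(m.group("status"))
        accepted_upload = m.group("method") == "POST" and 200 <= status < 300
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": status,
            "severity": "high" if accepted_upload else "medium",
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    '203.0.113.5 - - [22/Apr/2025:10:02:45 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812',
    '203.0.113.5 - - [22/Apr/2025:10:02:51 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 54',
    '203.0.113.9 - - [22/Apr/2025:10:05:03 +0000] "POST /DevelopmentServer/MetadataUploader?x=1 HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['status']} at {f['time']}")
```

A "high" finding dated before the patch or access restriction was applied is a reason to treat the host as potentially compromised and look for dropped files and webshells, not just to block the source.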

Exploit · Fix · RCE

Weakness Enumeration: Unrestricted File Upload; Deserialization of Untrusted Data

Related Identifiers: BDU:2025-04927, BDU:2025-05676, CVE-2025-31324

Affected Products: SAP NetWeaver Visual Composer