PT-2025-17845 · Sap · Sap Netweaver Visual Composer

Benjamin Harris · Published 2025-04-22 · Updated 2025-07-17 · CVE-2025-31324

CVSS v3.1: 10

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

## Vulnerability Summary

**Name of the Vulnerable Software and Affected Versions:** SAP NetWeaver versions 7.50 and earlier

**Description:**

SAP NetWeaver contains a critical, remotely exploitable vulnerability (CVE-2025-31324) stemming from a missing authorization check in the Visual Composer Metadata Uploader. This flaw allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution and full system compromise. Numerous threat actors, including China-linked APT groups (Chaya 004, CL-STA-0048, and others) and ransomware operations (Qilin, RansomExx), are actively exploiting this vulnerability in the wild. Attackers have been observed deploying webshells and tools like Brute Ratel and Heaven’s Gate. Over 1,200 systems have been compromised, with targets spanning various sectors including energy, government, healthcare, finance, and manufacturing. The vulnerability has a CVSS score of 10.0, indicating critical severity.

**Recommendations:**

* Apply SAP Security Note 3594142 immediately to patch the vulnerability.

* If patching is not immediately possible, restrict access to the `/developmentserver/metadatauploader` endpoint.

* If Visual Composer is not in use, disable it entirely.

* Configure logging to monitor the servlet path for unauthorized file uploads.

* Utilize threat detection tools and resources (e.g., Nuclei templates) to identify potential exploitation attempts.

* Implement network monitoring and intrusion detection systems to identify and block malicious activity.

Fix · RCE · Deserialization of Untrusted Data · Unrestricted File Upload

**Weakness Enumeration:**

**Related Identifiers:**

* BDU:2025-04927

* BDU:2025-05676

* CVE-2025-31324

**Affected Products:**

* Sap Netweaver Visual Composer