PT-2025-17845 · SAP · SAP NetWeaver Visual Composer

Benjamin Harris · Published 2025-04-22 · Updated 2025-09-15 · CVE-2025-31324

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

SAP NetWeaver (affected versions not specified)

**Description:**

SAP NetWeaver is affected by a critical vulnerability (CVE-2025-31324) that allows unauthenticated remote code execution (RCE) because of a missing authorization check in the Visual Composer Metadata Uploader. Attackers can upload malicious files, including JSP webshells and Golang-based malware (such as Auto-Color), leading to full system compromise. The vulnerability has been actively exploited by multiple China-linked APT groups and by ransomware actors, including Qilin and Scattered Lapsus$ Hunters, impacting over 581 critical systems worldwide across sectors such as energy, government, healthcare, finance, and manufacturing. Exploitation consists of uploading malicious payloads through the `/developmentserver/metadatauploader` endpoint. A proof-of-concept exploit is publicly available.

Over 1,200 systems are estimated to be vulnerable. The vulnerability has a CVSS score of 10.0.

**Recommendations:**

* Apply the SAP Security Note 3594142 immediately.

* If patching is not immediately possible, restrict access to the `/developmentserver/metadatauploader` endpoint.

* If Visual Composer is not in use, disable it completely.

* Configure SIEM to monitor for suspicious activity and unauthorized file uploads to the `/developmentserver/metadatauploader` endpoint.

* Implement intrusion detection and prevention systems (IDS/IPS) to detect and block exploitation attempts.

* Utilize threat intelligence feeds and tools to identify indicators of compromise (IOCs) associated with this vulnerability.

* Consider using the Nuclei template for detection.

* Ensure systems are updated with the latest security patches.
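One way to implement the SIEM monitoring recommended above, as an added example that is not part of the advisory: a small Python detector that runs over web-server access-log lines (constructed here) and flags every request to `/developmentserver/metadatauploader`, escalates when a POST is accepted with a 2xx response, and flags a later `.jsp` request from the same source as consistent with a dropped webshell. The combined log format, the sample lines and the alert names are assumptions.

```python
import re

# Endpoint named in the advisory for CVE-2025-31324.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined access-log format (Apache/nginx style); group names are my own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic: a benign portal request, an accepted
# POST to the uploader, a blocked POST, then a .jsp fetched by the first source.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [22/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.9 - - [22/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
203.0.113.7 - - [22/Apr/2025:10:03:40 +0000] "GET /irj/uploaded.jsp HTTP/1.1" 200 88
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Return (source_ip, alert) pairs: uploader_request for any hit on the
    endpoint, uploader_post_success for a POST answered 2xx, and
    jsp_after_upload for a .jsp fetched by a source that already uploaded."""
    uploaded_from = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == UPLOADER_PATH:
            accepted = rec["method"] == "POST" and rec["status"].startswith("2")
            alerts.append((rec["ip"], "uploader_post_success" if accepted else "uploader_request"))
            if accepted:
                uploaded_from.add(rec["ip"])
        elif rec["ip"] in uploaded_from and path.lower().endswith(".jsp"):
            alerts.append((rec["ip"], "jsp_after_upload"))
    return alerts
```

The same three rules translate directly into SIEM searches over the access logs of the web server or reverse proxy in front of NetWeaver; a 2xx on the uploader from an unauthenticated source is the event to page on.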

**Tags:** Exploit, Fix

**Weakness Enumeration:** RCE, Deserialization of Untrusted Data, Unrestricted File Upload

**Related Identifiers:** BDU:2025-04927, BDU:2025-05676, CVE-2025-31324

**Affected Products:** SAP NetWeaver Visual Composer