CVE-2025-31324
4/29/2025
CVSS 9.3 • CRITICAL

CVE-2025-31324: Critical SAP NetWeaver Visual Composer Unrestricted File Upload Advisory

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

FREQUENTLY ASKED

What is CVE-2025-31324 and why does it matter?

CVE-2025-31324 is a critical unrestricted file upload vulnerability in SAP NetWeaver Visual Composer. It matters because it allows unauthenticated attackers to upload malicious executable binaries to the server. Rated at a CVSS score of 10.0, this flaw can give an attacker total control over the host system, potentially impacting the entire organization's data integrity and operational availability.

Which versions of the product are affected?

The vulnerability specifically impacts SAP NetWeaver VCFRAMEWORK version 7.50. Organizations running this specific version of the Visual Composer Metadata Uploader are at high risk and should immediately verify their deployment versions against the vendor's documentation to ensure they are protected from unauthorized file uploads and potential remote execution.

Has a patch been released for CVE-2025-31324?

Yes, SAP has released security updates to address this vulnerability. The official patch information and technical notes can be found via SAP Note 3594142. Administrators are strongly advised to apply these fixes immediately, as exploitation is currently active and the vulnerability is being leveraged by threat actors in the wild.

What is the remediation deadline and what does it mean for compliance?

The remediation deadline for CVE-2025-31324 is 2025-05-20. For federal agencies and organizations following CISA BOD 22-01, this date is a mandatory compliance requirement to mitigate the risk of active exploitation. Failure to meet this deadline significantly increases the window of exposure to ransomware and other automated cyberattacks.

How do you check if an instance or deployment is affected?

To determine if an instance is affected, administrators should check if SAP NetWeaver VCFRAMEWORK 7.50 is active in their environment. Specifically, verify the 'Visual Composer Metadata Uploader' component. If authorization checks are not strictly enforced on this endpoint and the patch from SAP Note 3594142 has not been applied, the system is considered vulnerable.

THREAT SURVEY

Vulnerability target: NetWeaver
Vendor source: SAP
Classifiers: CWE-434
Remediation pulse: Critical patching mandated by May 20, 2025.
Exploitation status: ACTIVE_WILDFIRE

Vulnerability Overview

CVE-2025-31324 is a critical security vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader, rated with the maximum CVSS score of 10.0. The flaw is an unrestricted file upload mechanism (CWE-434) that lacks proper authorization checks, enabling unauthenticated attackers to upload and execute malicious binaries on the host system. Given its active exploitation status and the 2025-05-20 remediation deadline, immediate defensive action is required for all organizations utilizing the affected VCFRAMEWORK 7.50.

Vulnerability Profile Table

| Field | Value |
|---|---|
| CVE ID | CVE-2025-31324 |
| Affected Product & Versions | SAP NetWeaver VCFRAMEWORK 7.50 |
| CVSS Score & Severity | 10.0 (CRITICAL) |
| CVSS Version | 3.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| CWE IDs | CWE-434 |
| Date Disclosed | 2025-04-29 |
| Remediate By | 2025-05-20 |
| SSVC Exploitation | Active |
| Known Ransomware Use | Yes |
| EPSS Score & Percentile | 0.34579 (97.0%) |
| Patch Available | Yes |

Technical Deep Dive: Unrestricted File Upload in Visual Composer

At the core of CVE-2025-31324 lies a failure in the SAP NetWeaver Visual Composer Metadata Uploader. This component is designed to facilitate the upload of metadata required for visual modeling within the SAP ecosystem. However, a critical design oversight allowed unauthenticated users to interact with the uploader without undergoing identity verification or permission checks.

Understanding CWE-434: Dangerous File Types

This vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. In a secure implementation, an application must strictly validate the extension, content-type (MIME), and magic bytes of any uploaded file to ensure it conforms to safe expectations (e.g., XML, JPG, or CSV). In the case of CVE-2025-31324, the Metadata Uploader fails to filter out executable binaries. By uploading a malicious script or binary—such as a web shell or a compiled executable—an attacker can gain initial access to the underlying operating system.

The Attack Chain and Blast Radius

The attack chain for this vulnerability is remarkably simple, as reflected in the "LOW" attack complexity and "NONE" privileges required metrics.

  1. Discovery: An attacker identifies an internet-facing SAP NetWeaver instance running the Visual Composer Metadata Uploader.
  2. Payload Delivery: The attacker crafts a malicious binary (e.g., a reverse shell or ransomware dropper) and sends a POST request to the metadata upload endpoint.
  3. Execution: Since the component lacks authorization, the file is accepted and written to a directory that is either directly executable by the web server or accessible via a secondary vulnerability that triggers execution.
  4. Full Compromise: Once executed, the binary operates with the privileges of the SAP service user. The "Scope: Changed" (S:C) metric in the CVSS vector indicates that the attacker can move beyond the SAP application environment and impact the host operating system, potentially pivoting into the wider corporate network.

Comparatively, this vulnerability mirrors past "Zero-Day" exploits in enterprise resource planning (ERP) systems where legacy components, often overlooked in modern security audits, provide a direct path for unauthenticated Remote Code Execution (RCE).

Who Is Affected

Any organization currently operating SAP NetWeaver VCFRAMEWORK version 7.50 is within the impact zone. This version of the Visual Composer is widely used in complex enterprise environments to manage metadata for business applications.

CISA BOD 22-01 Compliance

This vulnerability has been flagged for active exploitation. Under the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01, all federal agencies—and by extension, many private sector organizations that follow CISA guidelines—are mandated to remediate this vulnerability by May 20, 2025. The high EPSS score of 0.34579 puts this CVE in the top 3% of all tracked vulnerabilities regarding the likelihood of being used in a cyberattack within the next 30 days.

Official Remediation Steps

Immediate patching is the only definitive way to mitigate CVE-2025-31324. SAP has provided the following guidance:

  1. Access SAP Security Notes: Log in to the SAP One Support Launchpad and locate SAP Note 3594142. This note contains the specific software corrections for the Visual Composer Metadata Uploader.
  2. Apply Software Updates: Upgrade the VCFRAMEWORK to the latest patched version as specified in the SAP Note. If you are on version 7.50, ensure the specific support package or hotfix is applied.
  3. Verify Patch Success: Post-installation, audit the Metadata Uploader endpoint to ensure it now requires valid authentication and rejects non-metadata file types.
  4. Consult Secondary Resources: Review detailed reporting from industry sources such as The Register and Bleeping Computer for context on observed attack patterns.

Security Best Practices for File Upload Security

To prevent similar unrestricted file upload vulnerabilities in the future, security teams should implement the following architectural safeguards:

  • Enforce Strict Authentication: Never allow file upload endpoints to be accessible by unauthenticated or "Guest" users. Use the Principle of Least Privilege (PoLP) to restrict upload rights to specific administrative accounts.
  • Implement Multi-Layered Validation: Do not rely on file extensions alone. Validate the file's Magic Bytes (hex signatures) and verify that the MIME type matches the expected file structure.
  • Use Non-Executable Storage: Store uploaded files on a separate volume or specialized object storage (like AWS S3) that is configured to prevent execution. Ensure the web server cannot execute scripts from the upload directory.
  • Filename Randomization: Rename all uploaded files upon receipt to a randomized UUID. This prevents attackers from guessing the file's path and manually triggering its execution via a URL.
  • Integrate Malware Scanning: Route all uploads through an automated antivirus/EDR sandbox before they are permitted to reach the final storage destination.
  • Monitor for Anomalous Activity: Set up alerts for unauthenticated POST requests directed at legacy NetWeaver components and monitor for the creation of unexpected .exe, .sh, or .jsp files in temporary directories.
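
The validation, storage and renaming safeguards above (and the CWE-434 checks described in the technical deep dive) can be combined into a single upload gate. The following is an added example, not SAP code or code from this advisory; the allowlist, the size limit and the function names `validate_upload` and `store_upload` are assumptions chosen for illustration.

```python
import uuid
from pathlib import Path

# Assumed allowlist: extension -> (expected MIME type, accepted magic-byte prefixes)
ALLOWED = {
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".xml": ("application/xml", (b"<?xml", b"\xef\xbb\xbf<?xml")),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails any validation layer."""


def validate_upload(filename, declared_mime, data, authenticated):
    """Return a randomized storage name, or raise UploadRejected."""
    # Layer 1: no anonymous uploads.
    if not authenticated:
        raise UploadRejected("authentication required")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Layer 2: only the final extension counts, so "a.jpg.jsp" is treated as .jsp.
    ext = Path(filename.replace("\\", "/")).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    mime, magics = ALLOWED[ext]
    # Layer 3: the declared Content-Type must agree with the extension.
    if declared_mime.split(";")[0].strip().lower() != mime:
        raise UploadRejected("declared MIME type does not match extension")
    # Layer 4: the bytes themselves must start with the expected signature.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match expected file signature")
    # The client-supplied name is discarded; only the vetted extension is kept.
    return f"{uuid.uuid4().hex}{ext}"


def store_upload(upload_dir, stored_name, data):
    """Write the file under upload_dir (outside the web root) with no execute bits."""
    path = Path(upload_dir) / stored_name
    path.write_bytes(data)
    path.chmod(0o640)
    return path
```
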
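
The monitoring bullet above can be sketched as two checks: one over web access logs and one over the filesystem. This is an added example, not part of the advisory or any SAP tooling; it assumes Common Log Format access logs, the watched path is a placeholder to replace with the endpoint documented for your own system, and the sample log lines are constructed.

```python
import re
from pathlib import Path

# Placeholder: replace with the upload endpoint path(s) of your own deployment.
WATCHED_PREFIXES = ("/PLACEHOLDER/metadata-uploader",)
SUSPICIOUS_EXT = {".exe", ".sh", ".jsp"}  # extensions named in the advisory

# Common Log Format (assumed): host ident user [time] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def unauthenticated_posts(lines, prefixes=WATCHED_PREFIXES):
    """Return POSTs to watched paths that carry no authenticated user."""
    wanted = tuple(p.lower() for p in prefixes)
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and m["user"] == "-" and path.lower().startswith(wanted):
            hits.append({
                "time": m["time"], "host": m["host"], "path": path,
                "status": int(m["status"]),
                # A 2xx answer means the server accepted the anonymous upload.
                "accepted": m["status"].startswith("2"),
            })
    return hits


def unexpected_files(directory, extensions=SUSPICIOUS_EXT):
    """Return files under directory whose extension should never appear there."""
    return sorted(p for p in Path(directory).rglob("*")
                  if p.is_file() and p.suffix.lower() in extensions)


# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2025:10:01:02 +0000] "POST /PLACEHOLDER/metadata-uploader HTTP/1.1" 200 512',
    '192.0.2.11 - jdoe [29/Apr/2025:10:02:00 +0000] "POST /PLACEHOLDER/metadata-uploader HTTP/1.1" 200 128',
    '192.0.2.12 - - [29/Apr/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.13 - - [29/Apr/2025:10:04:00 +0000] "POST /PLACEHOLDER/metadata-uploader HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in unauthenticated_posts(SAMPLE_LOG):
        print(hit)
```

Hits with `accepted` set to true deserve the highest priority, since they show an anonymous upload that the server did not refuse.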