• OPENVAS REPORT
  • Greenbone Basic
  • Buy Here
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
Greenbone
  • Products
    • Hardware Appliances
      • Greenbone Enterprise 6500
      • Greenbone Enterprise 5400
      • Greenbone Enterprise 650
      • Greenbone Enterprise 600
      • Greenbone Enterprise 450
      • Greenbone Enterprise 400
      • Greenbone Enterprise 150
      • Greenbone Enterprise 35
    • Virtual Appliances
      • Greenbone Enterprise EXA
      • Greenbone Enterprise PETA
      • Greenbone Enterprise TERA
      • Greenbone Enterprise DECA
      • Greenbone Enterprise CENO
      • Greenbone Enterprise 25V
    • OPENVAS REPORT
    • Greenbone Basic
      • Greenbone Basic: Order
    • Greenbone Cloud Service
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Greenbone Web App Scanning
    • Self-Learning Courses
    • Documents
  • Events
    • Webinars
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Cyber Attacks Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • IT Security
      • Open Source Vulnerability Management | IT Security Solutions from Greenbone
      • Attack Vector Timeline
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • Hardware Appliances
    • Virtual Appliances
    • OPENVAS REPORT
    • Greenbone Basic
      • Greenbone Basic: Order
    • Greenbone Cloud Service
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
      • Roadmap and Lifecycle
    • Buy Here
  • Service & Support
    • Technical Support
    • Greenbone Web App Scanning
    • Self-Learning Courses
    • Documents
  • Events
    • Webinars
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Cyber Attacks Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • IT Security
      • Open Source Vulnerability Management | IT Security Solutions from Greenbone
      • The Vulnerability Timeline
      • Attack Vector Timeline
  • Deutsch
  • English
  • Italiano
Joseph Lee

CVE-2025-31324: An Actively Exploited Flaw Affecting SAP NetWeaver Visual Composer

Blog

CVE-2025-31324 (CVSS 9.8), published on April 24th 2025, allows unauthenticated attackers to upload executable files [CWE-434] via the NetWeaver Visual Composer component which can result in Remote Code Execution (RCE). The CVE presents a high degree of risk; many publicly available proof-of-concept (PoC) exploits [1][2][3][4][5] are available, and active attack campaigns have been alerted by multiple cybersecurity organizations [6][7][8]. Although CVE-2025-31324 was initially exploited as a zero-day vulnerability (before public disclosure), the Greenbone Enterprise Feed now includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.

In the past, critical severity vulnerabilities in SAP NetWeaver such as CVE-2020-6287 (aka RECON), have been exploited by initial access brokers (IAB) who then sell unauthorized access to ransomware operators. Let’s further examine the circumstances of CVE-2025-31324.

What Is SAP NetWeaver?

SAP NetWeaver is categorized as a Software Framework within SAP’s suite of enterprise technologies. It serves as the foundational integration and application platform for various SAP solutions, including SAP Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM) and other core business processes. SAP NetWeaver supports a range of use cases, including running the SAP ERP Central Component (ECC), developing and deploying custom applications using ABAP (SAP’s proprietary coding language) or Java, integration of business processes and databases from SAP and non-SAP systems and integration of distributed services through Web Services or Remote Function Calls (RFCs).

Although SAP NetWeaver holds only a minute fraction of the global Software Frameworks category, with around 8,471 companies utilizing the platform, these are prominent enterprises such as Accenture, Baker Hughes, Jabil, Rockwell Automation and Wolters Kluwer. 41% of SAP NetWeaver customers are based in the United States, followed by 7% in India and 6% in Germany. Competitors to SAP NetWeaver include Oracle Fusion Middleware, MuleSoft Anypoint Platform and IBM WebSphere.

SAP NetWeaver Flaws: Hot Targets for Ransomware

CVE-2020-6287 (CVSS 10), known as RECON, is another high-profile vulnerability in SAP NetWeaver disclosed in 2020 that was actively exploited by ransomware threat actors. Following the public disclosure of the RECON vulnerability in July 2020, threat actors rapidly developed and disseminated exploit tools. A PoC exploit became available within a day, and mass scanning activities commenced shortly thereafter. Reports indicate that initial access brokers first exploited RECON and then sold access to ransomware operators and espionage actors resulting in the insolvency of at least one US company.

A Technical Description of CVE-2025-31324

CVE-2025-31324 impacts the Application Layer, specifically the Java stack of SAP NetWeaver, within the Visual Composer development environment. Exploiting CVE-2025-31324 follows a typical attack pattern for unauthenticated file upload vulnerabilities [CWE-434] to gain RCE; uploading a webshell. Attackers have been observed scanning for SAP NetWeaver Java instances to identify the presence of the /developmentserver/metadatauploader URL endpoint. If found, a specially crafted POST request is used to upload malicious executable files (e.g., .jsp webshells). Once the webshell has been uploaded, attackers can access it directly via web browser and proceed to execute arbitrary commands on the victim’s system with the privileges of the <sid>adm operating system user.

This allows access to the underlying database; attackers can modify business logic and potentially pivot to other internal systems, deploy ransomware, steal or alter financial data or exfiltrate sensitive business records. Evidence from analyzed attack campaigns also indicate that attackers are using living-off-the-land techniques (using native OS functionality) to establish persistent access without requiring the uploaded webshell.

Mitigating CVE-2025-31324 in SAP NetWeaver

SAP has issued only a brief reference to CVE-2025-31324 in their April 2025 Security Patch announcement. SAP follows a standard patch cycle for releasing updates similar to Microsoft’s monthly “Patch Tuesday”. To remediate CVE-2025-31324, ensure your SAP NetWeaver system is updated to the latest support package. If the security patch cannot be applied immediately, consider temporarily disabling the Visual Composer component to prevent exploitation until the updates can be installed.

Ideally, NetWeaver instances should not be directly exposed on the public Internet. Doing so poses significant security risks, including exposure to RCE vulnerabilities, authentication bypass flaws and unauthorized data access. In efforts to support remote work, outsourced operations or cloud hosted instances, adequate security gateways should be configured such as a secured reverse proxy, VPN or WAF controls.

It’s also important to check for Indicators of Compromise (IoC) to verify that attackers have not already exploited vulnerable NetWeaver instances. Researchers have observed webshells using filenames such as helper.jsp, cache.jsp, or other randomized filenames. Other measures to detect infection include scanning systems for the presence of malware or other unexpected files, analyzing access logs for suspicious POST requests to /developmentserver/metadatauploader and checking directories such as /irj/root, /irj/work and /irj/work/sync for unauthorized .jsp, .java or .class files. Also, scan for other IoCs related to maintaining persistence relevant to your SAP server operating system (OS).

Summary

CVE-2025-31324 is a critical vulnerability in SAP NetWeaver’s Visual Composer component that allows unauthenticated RCE via arbitrary file uploads. Exploited as a zero-day, the flaw has been used in attacks that initially infect NetWeaver instances with a webshell, then progress to total system compromise including lateral movement within enterprise network environments.

Organizations using SAP NetWeaver are strongly urged to apply SAP’s emergency patch or disable the Visual Composer component and assess systems for Indicators of Compromise to identify existing compromise and recover infected systems. The Greenbone Enterprise Feed includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.

Contact Test Now Buy Here Back to Overview

Joseph Lee
Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

LinkedIn

15. May 2025/by Joseph Lee
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/Gb_New-logo_horizontal_head.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/Gb_New-logo_horizontal_head.png Joseph Lee2025-05-15 11:02:352025-05-15 11:02:35CVE-2025-31324: An Actively Exploited Flaw Affecting SAP NetWeaver Visual Composer

Search

Search Search

Newsletter

Subscribe Now

Archive

  • 2025
  • 2024

Products & Solutions

  • Hardware Appliances
  • Virtual Appliances
  • OPENVAS REPORT
  • Greenbone Basic
  • Greenbone Free
  • Greenbone Cloud Service
ISO9001-EN

Service & Support

  • Technical Support
  • Greenbone Web App Scanning
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management | IT Security Solutions from Greenbone
ISO27001-EN

About us

  • About Greenbone
  • Blog
  • Newsletter
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Media Contact
  • Careers
  • Partners
  • Security Response
  • Imprint

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2025
  • Link to LinkedIn
  • Link to Mail
Link to: April 2025 Threat Report: The Consequences Are Real Link to: April 2025 Threat Report: The Consequences Are Real April 2025 Threat Report: The Consequences Are Real Link to: Availability of CVE Vulnerability Data in Greenbone Products Link to: Availability of CVE Vulnerability Data in Greenbone Products Availability of CVE Vulnerability Data in Greenbone Products
Scroll to top Scroll to top Scroll to top