CVE-2025-31324: An Actively Exploited Flaw Affecting SAP NetWeaver Visual Composer

CVE-2025-31324 (CVSS 9.8), published on April 24th 2025, allows unauthenticated attackers to upload executable files [CWE-434] via the NetWeaver Visual Composer component which can result in Remote Code Execution (RCE). The CVE presents a high degree of risk; many publicly available proof-of-concept (PoC) exploits [1][2][3][4][5] are available, and active attack campaigns have been alerted by multiple cybersecurity organizations [6][7][8]. Although CVE-2025-31324 was initially exploited as a zero-day vulnerability (before public disclosure), the Greenbone Enterprise Feed now includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.

In the past, critical severity vulnerabilities in SAP NetWeaver such as CVE-2020-6287 (aka RECON), have been exploited by initial access brokers (IAB) who then sell unauthorized access to ransomware operators. Let’s further examine the circumstances of CVE-2025-31324.

What Is SAP NetWeaver?

SAP NetWeaver is categorized as a Software Framework within SAP’s suite of enterprise technologies. It serves as the foundational integration and application platform for various SAP solutions, including SAP Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM) and other core business processes. SAP NetWeaver supports a range of use cases, including running the SAP ERP Central Component (ECC), developing and deploying custom applications using ABAP (SAP’s proprietary coding language) or Java, integration of business processes and databases from SAP and non-SAP systems and integration of distributed services through Web Services or Remote Function Calls (RFCs).

Although SAP NetWeaver holds only a minute fraction of the global Software Frameworks category, with around 8,471 companies utilizing the platform, these are prominent enterprises such as Accenture, Baker Hughes, Jabil, Rockwell Automation and Wolters Kluwer. 41% of SAP NetWeaver customers are based in the United States, followed by 7% in India and 6% in Germany. Competitors to SAP NetWeaver include Oracle Fusion Middleware, MuleSoft Anypoint Platform and IBM WebSphere.

SAP NetWeaver Flaws: Hot Targets for Ransomware

CVE-2020-6287 (CVSS 10), known as RECON, is another high-profile vulnerability in SAP NetWeaver disclosed in 2020 that was actively exploited by ransomware threat actors. Following the public disclosure of the RECON vulnerability in July 2020, threat actors rapidly developed and disseminated exploit tools. A PoC exploit became available within a day, and mass scanning activities commenced shortly thereafter. Reports indicate that initial access brokers first exploited RECON and then sold access to ransomware operators and espionage actors resulting in the insolvency of at least one US company.

A Technical Description of CVE-2025-31324

CVE-2025-31324 impacts the Application Layer, specifically the Java stack of SAP NetWeaver, within the Visual Composer development environment. Exploiting CVE-2025-31324 follows a typical attack pattern for unauthenticated file upload vulnerabilities [CWE-434] to gain RCE; uploading a webshell. Attackers have been observed scanning for SAP NetWeaver Java instances to identify the presence of the /developmentserver/metadatauploader URL endpoint. If found, a specially crafted POST request is used to upload malicious executable files (e.g., .jsp webshells). Once the webshell has been uploaded, attackers can access it directly via web browser and proceed to execute arbitrary commands on the victim’s system with the privileges of the <sid>adm operating system user.

This allows access to the underlying database; attackers can modify business logic and potentially pivot to other internal systems, deploy ransomware, steal or alter financial data or exfiltrate sensitive business records. Evidence from analyzed attack campaigns also indicate that attackers are using living-off-the-land techniques (using native OS functionality) to establish persistent access without requiring the uploaded webshell.

Mitigating CVE-2025-31324 in SAP NetWeaver

SAP has issued only a brief reference to CVE-2025-31324 in their April 2025 Security Patch announcement. SAP follows a standard patch cycle for releasing updates similar to Microsoft’s monthly “Patch Tuesday”. To remediate CVE-2025-31324, ensure your SAP NetWeaver system is updated to the latest support package. If the security patch cannot be applied immediately, consider temporarily disabling the Visual Composer component to prevent exploitation until the updates can be installed.

Ideally, NetWeaver instances should not be directly exposed on the public Internet. Doing so poses significant security risks, including exposure to RCE vulnerabilities, authentication bypass flaws and unauthorized data access. In efforts to support remote work, outsourced operations or cloud hosted instances, adequate security gateways should be configured such as a secured reverse proxy, VPN or WAF controls.

It’s also important to check for Indicators of Compromise (IoC) to verify that attackers have not already exploited vulnerable NetWeaver instances. Researchers have observed webshells using filenames such as helper.jsp, cache.jsp, or other randomized filenames. Other measures to detect infection include scanning systems for the presence of malware or other unexpected files, analyzing access logs for suspicious POST requests to /developmentserver/metadatauploader and checking directories such as /irj/root, /irj/work and /irj/work/sync for unauthorized .jsp, .java or .class files. Also, scan for other IoCs related to maintaining persistence relevant to your SAP server operating system (OS).

Summary

CVE-2025-31324 is a critical vulnerability in SAP NetWeaver’s Visual Composer component that allows unauthenticated RCE via arbitrary file uploads. Exploited as a zero-day, the flaw has been used in attacks that initially infect NetWeaver instances with a webshell, then progress to total system compromise including lateral movement within enterprise network environments.

Organizations using SAP NetWeaver are strongly urged to apply SAP’s emergency patch or disable the Visual Composer component and assess systems for Indicators of Compromise to identify existing compromise and recover infected systems. The Greenbone Enterprise Feed includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.