On April 24, 2025, SAP released an emergency out-of-band patch for CVE-2025-31324, a maximum-severity (CVSS 10.0) unrestricted file upload vulnerability in SAP NetWeaver Visual Composer. The vulnerability was actively exploited in the wild, with attackers uploading JSP web shells to gain persistent remote access to SAP systems.
ReliaQuest discovered the exploitation during incident response engagements and reported it to SAP. The attacks targeted the Visual Composer development server component, which is available on many SAP NetWeaver Application Server Java installations.
The Vulnerability
CVE-2025-31324 affected the Metadata Uploader component of SAP NetWeaver Visual Composer. The endpoint /developmentserver/metadatauploader lacked authentication controls and did not properly validate uploaded file types.
An unauthenticated attacker could send a specially crafted HTTP POST request to this endpoint to upload arbitrary files to the SAP server. By uploading a JSP web shell (a Java Server Pages file containing backdoor code), the attacker gained the ability to execute arbitrary commands on the server through the web shell.
The exploitation was straightforward:
- Send an HTTP POST to /developmentserver/metadatauploader with a JSP web shell as the payload.
- The server saves the file to a web-accessible directory without authentication or file type validation.
- Access the uploaded web shell via its URL to execute commands.
The simplicity of the exploit, combined with the lack of authentication, made this one of the most critical SAP vulnerabilities in recent years.
Real-World Exploitation
ReliaQuest observed multiple instances of exploitation across different organizations. The attack pattern was consistent:
Initial access: Exploitation of CVE-2025-31324 to upload JSP web shells. Common web shell filenames included helper.jsp, cache.jsp, and randomized names.
Post-exploitation: Attackers used the web shells to execute reconnaissance commands, enumerate the SAP system and underlying operating system, and deploy additional tools.
Payload delivery: In some cases, the Brute Ratel post-exploitation framework was deployed through the web shell, along with the Heaven's Gate technique for evading endpoint detection. This level of sophistication suggested well-resourced threat actors rather than opportunistic attackers.
Data targeting: SAP systems contain an organization's most sensitive business data -- financial records, customer data, supply chain information, human resources data. The attackers appeared focused on data access and exfiltration.
SAP as a Target
SAP systems are the operational backbone of many of the world's largest organizations. SAP estimates that 77% of the world's transaction revenue touches an SAP system. A compromise of SAP infrastructure gives attackers access to:
- Financial transactions and accounting data
- Customer and vendor master data
- Supply chain and procurement information
- Human resources and payroll data
- Manufacturing and production data
Despite the sensitivity of the data they handle, SAP systems have historically received less security attention than other internet-facing infrastructure. Security teams often treat SAP as the "Basis team's problem," and SAP administration teams often treat security as the "security team's problem." The result is that SAP security falls through organizational cracks.
CVE-2025-31324 also highlighted the risk of development and debugging components that remain enabled in production environments. Visual Composer's development server is a design-time tool that should not be active in production deployments. Yet many organizations deploy SAP systems with default configurations that leave these components enabled.
Affected Systems
The vulnerability affected SAP NetWeaver Application Server Java systems with the Visual Composer component installed. Visual Composer (components VC70RUNTIME and VCFRAMEWORK) is not installed by default on all NetWeaver systems, but it is included in many standard SAP deployment configurations.
SAP identified the specific affected component as VCFRAMEWORK version 7.50. Organizations needed to check whether the Visual Composer development server was accessible on their SAP installations by testing the /developmentserver/metadatauploader URL.
Remediation
SAP's remediation guidance included:
- Apply the emergency patch (SAP Security Note 3594142) immediately.
- If patching is not immediately possible, disable the Visual Composer development server by restricting access to the /developmentserver URL path through SAP's web dispatcher or an external web application firewall.
- Scan for web shells in the SAP server's web application directories. Look for recently created JSP files, particularly in directories that should not contain user-uploaded content.
- Review access logs for requests to /developmentserver/metadatauploader from external IP addresses.
- If compromise is confirmed, conduct a full incident response investigation, including analysis of what data the attacker may have accessed.
Broader SAP Security Recommendations
CVE-2025-31324 reinforced long-standing SAP security best practices that many organizations have not implemented:
Disable unnecessary components. Development tools like Visual Composer should not be active in production environments. Audit your SAP landscape for components that are installed but not required.
Apply SAP Security Notes promptly. SAP releases monthly security patches (Patch Tuesday equivalent) plus emergency out-of-band patches for critical issues. Many organizations lag months or years behind on SAP patching due to the complexity of SAP update processes.
Implement SAP-specific security monitoring. Generic network and endpoint security tools often have limited visibility into SAP application-layer activity. Consider SAP-specific security solutions for monitoring, threat detection, and vulnerability management.
Segment SAP systems. SAP servers should be in dedicated network segments with strict access controls. The management and development interfaces should never be accessible from the internet.
How Safeguard.sh Helps
Safeguard.sh provides vulnerability tracking that extends to enterprise application platforms like SAP NetWeaver. By maintaining an accurate inventory of your SAP landscape -- including component versions and configuration details -- Safeguard enables rapid assessment of exposure when critical vulnerabilities are disclosed.
When CVE-2025-31324 was published, organizations using Safeguard could immediately identify which SAP systems had the Visual Composer component installed and prioritize patching accordingly. Safeguard's policy gates can enforce SAP patching timelines and flag systems with unnecessary components enabled, reducing the attack surface before the next zero-day.