Critical SAP Vulnerability (CVE-2025-31324) Under Active Exploitation: Immediate Action Required
A newly discovered critical vulnerability in SAP’s NetWeaver platform has set off alarms across the cybersecurity community. Tracked as CVE-2025-31324, this flaw allows attackers to completely bypass authentication controls, upload malicious files, and execute arbitrary code on vulnerable SAP servers — all without needing valid credentials. Given SAP’s foundational role in powering enterprise applications like finance, logistics, HR, and supply chain management, exploitation of this vulnerability could lead to devastating business impacts. Security firms report that attackers are actively scanning for and targeting exposed SAP systems, making immediate remediation efforts not just a recommendation, but a necessity.
Written by: Brandon Gibbons | Founder & CEO - CyberCloak Security Group, LLC
Published: April 28, 2025
Updated: April 28, 2025

-------------------------------------------------------------------------------------------------------------------------------
What's Going On?
A critical zero-day vulnerability in SAP NetWeaver Visual Composer is currently under active exploitation, prompting urgent warnings from cybersecurity experts worldwide. Tracked as CVE-2025-31324, the vulnerability allows unauthenticated attackers to upload arbitrary files via the Metadata Uploader component (/developmentserver/metadatauploader) without any user interaction. Once a malicious file is uploaded, attackers can execute code remotely with the privileges of the SAP Java stack, often leading to full system compromise. SAP has confirmed the issue and released an emergency patch outside their regular patch schedule (SAP Security Note #3594142).
​
The flaw has been rated with a maximum CVSS v3.1 score of 10.0, indicating critical severity. According to Tenable, exploitation attempts have been observed in the wild, with attackers rapidly targeting unpatched SAP systems. Onapsis, a security company specializing in SAP vulnerabilities, also reported evidence of widespread scanning and exploitation attempts.
​
How CVE-2025-31324 Works & Potential Impact
The underlying technical flaw stems from the way SAP NetWeaver Visual Composer’s Metadata Uploader validates incoming file uploads. Normally, such components should enforce strict authentication and authorization before allowing any upload operation. However, in CVE-2025-31324, an essential authorization check is entirely missing. As a result, any HTTP client (such as curl, Burp Suite, or a custom script) can send a POST request directly to /developmentserver/metadatauploader with a specially crafted payload containing a malicious file. The server fails to verify whether the user is authenticated or authorized and proceeds to store the uploaded file onto the SAP system’s file system.
​
Once the attacker successfully uploads a malicious file — such as a .jsp web shell — they can immediately access the file via the application server, executing arbitrary commands in the context of the SAP Java runtime. In environments where the SAP Java process runs with elevated privileges (e.g., SYSTEM on Windows or root on Unix), this can quickly escalate to full server compromise. Even if running under restricted permissions, the initial foothold can be used for further exploitation, lateral movement, or privilege escalation inside the corporate network.
​
Researchers at Ionix noted that the endpoint not only permits the upload of executable files but also fails to sanitize or validate file names, potentially allowing for directory traversal and overwriting critical files. This significantly expands the attack surface, as attackers could deploy secondary payloads or overwrite configuration files critical to SAP's functioning.
​
Affected systems include SAP NetWeaver installations where the Visual Composer (VCFRAMEWORK) component is deployed. Particularly at risk are versions earlier than SAP NetWeaver 7.5, although the vulnerability may impact a broader range of setups depending on system customization. SecurityBridge further emphasized that even SAP systems not typically exposed to the Internet could be vulnerable if internal threats exist or if external access is improperly restricted.
​
Mitigation Steps & Urgent Recommendations
SAP customers are strongly urged to immediately apply the patch associated with SAP Note #3594142. If patching is temporarily infeasible, organizations should disable the vulnerable Metadata Uploader service as outlined in SAP Note #3593336. Additionally, Onapsis has released a free vulnerability scanning tool that organizations can use to detect exposure to CVE-2025-31324 and other related risks.
​
Given the active exploitation, experts also recommend heightened monitoring for indicators of compromise (IoCs), including unusual upload activity to the /developmentserver/metadatauploader endpoint, anomalous POST requests without prior authentication steps, or the presence of unauthorized JSP, WAR, or class files on SAP servers. Organizations should perform thorough system audits, implement strict access controls around SAP management interfaces, and consider broader network segmentation where feasible.
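The log-side indicators above can be turned into a small triage pass over HTTP access logs. The following is an added example, not code from SAP, Onapsis or Tenable; it assumes combined-log-style lines (for instance from a reverse proxy in front of the SAP system), and the sample lines, IP addresses, user name and .jsp path are constructed placeholders.

```python
import re

UPLOADER = "/developmentserver/metadatauploader"  # endpoint named in this advisory

# Assumption: combined-log-style lines (client, ident, user, [time], "request", status, bytes).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data: documentation-range IPs, placeholder user and paths.
SAMPLE_LOG = """\
10.0.5.20 - jdoe [28/Apr/2025:09:14:02 +0000] "GET /app/home HTTP/1.1" 200 5120
10.0.5.20 - jdoe [28/Apr/2025:09:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 310
203.0.113.7 - - [28/Apr/2025:09:20:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 310
203.0.113.7 - - [28/Apr/2025:09:20:55 +0000] "GET /app/placeholder.jsp HTTP/1.1" 200 42
198.51.100.9 - - [28/Apr/2025:09:31:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 404 0
""".splitlines()

def triage(lines):
    """Return findings as (rule, client_ip, timestamp, path) tuples, in log order."""
    authed = set()    # clients that have already made an authenticated request
    uploaded = set()  # clients whose unauthenticated upload was accepted
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0].lower()
        if m["user"] != "-":
            authed.add(ip)
        if m["method"] == "POST" and path.startswith(UPLOADER):
            if ip not in authed:
                accepted = status < 400
                rule = "unauth-upload-accepted" if accepted else "unauth-upload-probe"
                findings.append((rule, ip, m["ts"], m["path"]))
                if accepted:
                    uploaded.add(ip)
        elif ip in uploaded and path.endswith(".jsp") and status < 400:
            # Same client fetching a JSP after an accepted upload: check for a web shell.
            findings.append(("post-upload-script-access", ip, m["ts"], m["path"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Correlation here is keyed on client IP, so clients behind shared NAT or a proxy can mask or merge activity; treat the output as leads for a file system audit, not a verdict.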
​
In a broader context, CVE-2025-31324 once again underscores the importance of proactive ERP system security. "Attackers are moving quickly to exploit this zero-day vulnerability," warned Tenable’s researchers. "Organizations must prioritize patching and system hardening immediately to prevent catastrophic business impacts."
​
For SAP administrators and IT security teams, vigilance over the coming days and weeks will be critical. Failure to act promptly could leave critical business systems exposed to ransomware deployment, intellectual property theft, or operational sabotage.
​
Stay sharp. Stay secure. Stay cloaked.