CISA: Real-World Attacks Exploit Vulnerability in SAP Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the highly dangerous vulnerability CVE-2025-31324, affecting the SAP NetWeaver platform, to its Known Exploited Vulnerabilities Catalog on April 29, 2025. This vulnerability has been actively exploited in real-world attacks since March of this year.

CVE-2025-31324 is exploited through the Metadata Uploader module in the Visual Composer component of SAP NetWeaver. It allows attackers to upload malicious files to the system without authentication (i.e., without requiring a password), leading to direct Remote Code Execution (RCE). The vulnerability is classified as CWE-434—unrestricted upload of dangerous file types.

According to experts from Onapsis, this vulnerability requires no user login or special privileges. Attackers can exploit an exposed network endpoint, developmentserver/metadatauploader, to upload malicious .jsp files, gaining covert access to the system.

Vulnerability Details

| Indicator | Details |
| --- | --- |
| Identifier | CVE-2025-31324 |
| Platform | SAP NetWeaver AS Java, Visual Composer component (VCFRAMEWORK 7.50) |
| Description | Unauthorized malicious file upload, leading to full system compromise via RCE |
| Vulnerable point | /developmentserver/metadatauploader endpoint |
| Requirements | Only network access is needed; no passwords or privileges required |
| CVSS score | 10.0 (maximum severity level) |

The vulnerability was first publicly disclosed by ReliaQuest on April 22, 2025. Subsequently, Onapsis confirmed through network monitoring that attacks leveraging this flaw have been ongoing since March. Attackers use files with extensions such as .jsp, .java, or .class to install a backdoor (webshell) on the server, enabling full control over the system.
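As an added illustration (not code from the article, SAP, Onapsis or ReliaQuest), the following Python scans web-server access logs for the two indicators described above: requests to the /developmentserver/metadatauploader endpoint, and follow-on requests for .jsp, .java or .class resources from a source that had already hit that endpoint. The log lines, IP addresses and the webshell path are constructed, and the NCSA combined log format is an assumption.

```python
import re

# Constructed sample lines in NCSA combined log format; not real telemetry.
# The webshell path /portal/uploaded/helper.jsp is invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [21/Apr/2025:10:13:44 +0000] "GET /irj/portal HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2025:10:14:02 +0000] "GET /portal/uploaded/helper.jsp?id=1 HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.9 - - [21/Apr/2025:10:15:10 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 300 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/developmentserver/metadatauploader"
WEBSHELL_EXT = (".jsp", ".java", ".class")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return a list of (ip, reason, path) findings.

    Rule 1: any request to the Metadata Uploader endpoint is reported;
            a POST is treated as an upload attempt, anything else as a probe.
    Rule 2: a request for a .jsp/.java/.class resource from a source IP that
            earlier hit the endpoint is reported as possible webshell access.
    """
    findings = []
    uploader_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/").lower()
        if path == UPLOADER:
            reason = ("upload attempt to metadatauploader" if rec["method"] == "POST"
                      else "probe of metadatauploader")
            findings.append((rec["ip"], reason, rec["path"]))
            uploader_ips.add(rec["ip"])
        elif path.endswith(WEBSHELL_EXT) and rec["ip"] in uploader_ips:
            findings.append((rec["ip"], "possible webshell access after upload", rec["path"]))
    return findings
```

Run it over real access logs from the AS Java front end (or a reverse proxy in front of it) and triage any source that both posted to the endpoint and then fetched a .jsp resource.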

Although the Visual Composer component is not enabled by default in SAP systems, it is activated in 50–70% of cases, particularly among business users specializing in no-code application development.

SAP released an emergency patch (Security Note #3594142) on April 24, 2025. Organizations unable to apply the update immediately can implement temporary mitigation measures outlined in SAP Note #3593336. SAP also provided a dedicated FAQ document to help detect signs of malicious activity on servers.

Under CISA’s BOD 22-01 directive, U.S. federal agencies are required to remediate this vulnerability by May 20, 2025. Vulnerabilities of this severity can lead to significant financial, informational, and infrastructural losses.

The SAP NetWeaver platform, particularly its AS Java version, is widely used in corporate infrastructures. Systems compromised through this vulnerability could allow attackers to access financial data, personally identifiable information, and pathways to other systems.

Cybersecurity experts urgently recommend that all organizations install the security update and enhance network monitoring. This vulnerability is not merely a potential risk but a threat actively exploited in real-world attacks.