
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader component, discovered in early 2025. The vulnerability allows unauthenticated attackers to upload potentially malicious executable binaries that could severely harm the host system. It affects all SAP NetWeaver 7.xx versions and service packs (SPS), with a CVSS v3.1 score of 10.0 (Critical). While Visual Composer is not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems (Onapsis Blog, Rapid7 Blog).
The vulnerability stems from a missing authorization check in the /developmentserver/metadatauploader endpoint, allowing unauthenticated attackers to send specially crafted POST requests to upload malicious JavaServer Pages (JSP) webshells. The vulnerability is identified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a maximum CVSS score of 10.0 due to its potential for full system compromise. The affected component operates on top of the SAP NetWeaver Portal, utilizing the portal's connector-framework interfaces to enable access to various data services (Rapid7 Blog, NVD).
Successful exploitation grants attackers unauthorized access to the underlying SAP Operating System with full privileges of the SAP service processes. This access allows complete control over SAP business data and processes, enabling attackers to modify financial records, deploy ransomware, access personally identifiable information (PII), corrupt business data, and delete or modify system logs. The vulnerability can also serve as a foothold for lateral movement within the network, potentially affecting critical business operations and regulatory compliance (Onapsis Blog).
SAP released emergency patches on April 24, 2025, to address the vulnerability. Organizations unable to apply the patches immediately should implement several mitigations: restrict access to the /developmentserver/metadatauploader endpoint, disable Visual Composer if not in use, and forward logs to SIEM for monitoring. Additionally, organizations should scan for unauthorized files in the servlet path and perform thorough environment scans to locate and remove suspicious files before applying mitigations (Bleeping Computer, Arctic Wolf).
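The mitigation paragraph above asks for two things a defender can automate while the patch is pending: monitor requests to the Metadata Uploader endpoint (forwarding the results to a SIEM) and scan the servlet path for files that should not be there. The following Python script is an added example, not code from the Cloud Vulnerability DB or from SAP; it assumes a combined-log-format access log, the sample log lines and the allowlist of known JSP files are constructed here, and the servlet directory to walk is a placeholder because the page does not give SAP's actual path. Only the endpoint path /developmentserver/metadatauploader comes from the advisory text.

```python
"""Detection helpers for the CVE-2025-31324 mitigations (added example).

1. find_uploader_requests(): flag every access-log request that reached the
   Metadata Uploader endpoint; a POST that returned 200 means the server
   accepted an upload, a 401/403 means the access restriction is working.
2. unexpected_jsp() / scan_servlet_dir(): list .jsp files in the servlet
   directory that are not on an allowlist built from a known-good system.
"""
import os
import re
from collections import Counter

# Endpoint named in the advisory; compared case-insensitively below.
METADATA_UPLOADER = "/developmentserver/metadatauploader"

# Assumed log format: NCSA combined/common style, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal?lang=en HTTP/1.1" 200 5120
203.0.113.9 - - [25/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.9 - - [25/Apr/2025:10:02:20 +0000] "GET /irj/unknown.jsp HTTP/1.1" 200 77
198.51.100.7 - - [25/Apr/2025:10:03:00 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 401 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and normalise case so path variants still match.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def find_uploader_requests(log_text):
    """Return the parsed records of every request to the Metadata Uploader endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == METADATA_UPLOADER:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (method, status) pairs; ('POST', '200') entries deserve immediate triage."""
    return Counter((h["method"], h["status"]) for h in hits)


def unexpected_jsp(paths, allowlist):
    """Given file paths from the servlet directory, return the .jsp files not on the allowlist.

    The allowlist is a placeholder the operator fills from a known-good baseline.
    """
    allowed = {name.lower() for name in allowlist}
    return sorted(
        p for p in paths
        if p.lower().endswith(".jsp") and os.path.basename(p).lower() not in allowed
    )


def scan_servlet_dir(root, allowlist):
    """Walk a servlet directory (placeholder path, not SAP's documented one) and flag unknown .jsp files."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return unexpected_jsp(found, allowlist)


if __name__ == "__main__":
    hits = find_uploader_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("summary:", dict(summarize(hits)))
    # Placeholder directory and allowlist; replace with the real servlet path and baseline.
    print("unexpected JSPs:", scan_servlet_dir("/PLACEHOLDER/servlet_jsp", ["index.jsp"]))
```

The log check is deliberately independent of the request body: the page describes crafted POST requests but not their content, so the detection keys only on the endpoint, method and status, which is what a SIEM rule should alert on. Run the file scan against a baseline taken from a patched, known-clean system so legitimate SAP JSPs are not reported.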
The security community has responded actively to this vulnerability, with multiple security firms including Onapsis, ReliaQuest, and Rapid7 providing detailed analyses and guidance. The vulnerability has garnered significant attention due to its critical nature and active exploitation, particularly in manufacturing sectors. SAP initially disputed claims of successful exploitation but later acknowledged the severity of the vulnerability. The incident has highlighted the importance of prompt patching and monitoring of critical business applications (The Register, Bleeping Computer).
Source: This report was generated using AI