
CVE-2025-31324: Critical Vulnerability in SAP NetWeaver

CVE-2025-31324 poses a significant risk to organisations using SAP NetWeaver Visual Composer. This critical vulnerability, rated at the maximum severity of 10.0, stems from a serious flaw in the software’s metadata uploader, which lacks proper authorisation controls. It allows unauthorised actors to upload potentially harmful executable binaries, putting the confidentiality, integrity, and availability of targeted systems at severe risk.

Why Should You Be Concerned?

The scale of this vulnerability is highlighted by its CVSS score of 10.0, indicating the highest level of criticality. The Exploit Prediction Scoring System (EPSS) score for this vulnerability is also notably high, signalling an increased likelihood of exploitation by threat actors. Organisations relying on SAP NetWeaver Visual Composer should prioritise addressing this vulnerability to prevent potential breaches.

Technical Overview

CVE-2025-31324 is a critical vulnerability affecting SAP NetWeaver Visual Composer, a tool designed for building enterprise applications with minimal coding. The flaw resides in the Metadata Uploader component, specifically the /developmentserver/metadatauploader endpoint, which lacks proper authentication and authorisation checks. This oversight allows unauthenticated attackers to upload malicious files, such as JavaServer Pages (JSP) webshells, directly into the application directory. Once uploaded, these files can be requested over HTTP and executed by the server, leading to full remote code execution (RCE) on the host system.

The vulnerability has been actively exploited since April 2025. Threat actors have leveraged tools and techniques such as Brute Ratel and Heaven’s Gate to execute code and evade detection post-compromise. The exploitation chain typically begins with reconnaissance, followed by the deployment of webshells for persistent access. This pattern indicates a high level of sophistication and a deep understanding of SAP systems on the part of the attackers.

SAP NetWeaver Visual Composer has been included by default in installations since version 2004s, significantly broadening the potential attack surface. Given this widespread deployment and the critical nature of the vulnerability, organisations are urged to take immediate action. SAP has released an emergency patch addressing this issue, detailed in SAP Note 3594142. For environments where patching is not immediately feasible, SAP Note 3593336 outlines a temporary workaround.

Security professionals should prioritise the application of the provided patches and consider disabling the Visual Composer component if it is not essential to their operations. Additionally, implementing strict access controls and monitoring for unusual activity can help mitigate potential exploitation. Given the active exploitation and the critical severity of CVE-2025-31324, prompt and decisive action is essential to protect SAP environments from compromise.
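The monitoring recommended above can be made concrete with a small log check. The script below is an added example, not part of the original advisory or of any SAP tooling: it scans constructed sample access-log lines in a generic combined-log layout (an assumption; the real SAP Java/ICM access log format differs, so adapt the regex), flags accepted requests to the /developmentserver/metadatauploader endpoint, and then flags any .jsp request from a client that had previously hit that endpoint, the follow-on pattern a dropped webshell would produce.

```python
import re

# Constructed sample lines (not real traffic). 203.0.113.7 plays the suspicious client.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [24/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 45
203.0.113.7 - - [24/Apr/2025:10:02:19 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 311
10.0.0.9 - - [24/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
10.0.0.5 - - [24/Apr/2025:10:04:44 +0000] "GET /irj/portal/anonymous HTTP/1.1" 200 2044
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
UPLOADER = "/developmentserver/metadatauploader"  # endpoint named in the advisory


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return (uploader_hits, jsp_hits).

    uploader_hits: requests to the vulnerable endpoint the server accepted (2xx).
    jsp_hits: requests for .jsp resources from a client that earlier touched the
    uploader endpoint, regardless of whether that earlier request succeeded.
    """
    uploader_clients = set()
    uploader_hits, jsp_hits = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop query string
        if path == UPLOADER:
            uploader_clients.add(rec["ip"])
            if rec["status"].startswith("2"):
                uploader_hits.append(rec)
        elif path.endswith(".jsp") and rec["ip"] in uploader_clients:
            jsp_hits.append(rec)
    return uploader_hits, jsp_hits


if __name__ == "__main__":
    for rec in [*find_suspicious(SAMPLE_LOG)[0], *find_suspicious(SAMPLE_LOG)[1]]:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} {rec["status"]}')
```

Rejected (401/403) requests to the endpoint are still worth alerting on after the patch or workaround is applied, since they show who is probing for it.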

EPSS and Threat Analysis

The rising EPSS (Exploit Prediction Scoring System) score underlines the urgency of this vulnerability and reflects a rapidly evolving threat landscape. With remote code execution (RCE) capabilities, attackers can run arbitrary commands on compromised systems, leading to severe consequences such as data breaches, system outages, and compromised network integrity. Moreover, the potential for living-off-the-land (LotL) attacks, in which threat actors abuse legitimate system tools, adds further complexity and stealth to the attack vectors. Recent cyberattacks on organisations such as Coop and M&S are likely linked to the exploitation of this vulnerability, emphasising its growing prevalence and risk; however, this has not been publicly confirmed.

Remediation Steps

To mitigate the risks associated with CVE-2025-31324, SAP and Onapsis recommend the following actions:

1. Apply Security Patches: Ensure that SAP Security Note 3604119, released on 13 May 2025, is applied to all instances of SAP NetWeaver Visual Composer. This patch addresses the core issue by enhancing the authorisation controls within the metadata uploader.

2. Review and Update IR Playbooks: Given the potential for webshell-less persistence, incident response (IR) playbooks should be updated to account for this attack vector.

3. Conduct Security Audits: Regularly audit your SAP systems for unusual activities and ensure that all security configurations are up to date.

4. Educate and Train Staff: Ensure that your IT and security teams are aware of the vulnerability and its implications, and provide training on how to recognise and respond to potential exploitation attempts.

For further details, refer to the official SAP Security Note and consult with SAP security teams as needed.
