SAP CVE-2025-31324 Targeted by Attackers
A recently disclosed vulnerability in SAP’s NetWeaver product is being actively exploited by attackers

A recently disclosed vulnerability in SAP’s NetWeaver product is being actively exploited by attackers, and researchers say the exploit activity goes back as far as a month, well before the bug was disclosed.
CVE: CVE-2025-31324
Why it Matters: The vulnerability is in the Visual Composer Metadata Uploader component, and it results from a missing authorization check. The component isn’t installed by default, but it is widely used, and an attacker who is able to exploit it would be able to use a malicious POST request to upload an arbitrary file. That’s typically not the behavior you’re looking for. SAP released an advisory about the vulnerability on April 24, two days after researchers at ReliaQuest published details of their investigation into exploitation activity targeting SAP NetWeaver instances.
Key Details
- CVE-2025-31324 is an arbitrary file upload vulnerability in the NetWeaver Visual Composer Metadata Uploader component. It affects all 7.xx versions of the product.
- The flaw has a CVSS score of 10.0, which is as high as the scale goes.
- Researchers have observed exploit activity targeting this vulnerability since at least March 27.
- “The flaw is the result of missing authorization checks to the ‘/developmentserver/metadatauploader’ endpoint. According to ReliaQuest, this vulnerability has been exploited in the wild as a zero-day by threat actors who have abused the flaw to upload malicious web shells to affected hosts. These web shells were used to deploy malware and establish communications with command and control (C2) servers,” ReliaQuest said.
- Rapid7 researchers have also observed threat actors exploiting this bug, almost exclusively against companies in the manufacturing industry.
SAP has released an advisory with guidance and an update to address the bug, although all of it is behind a login portal, so the guidance is not public.
“Customers should update to the latest version of NetWeaver AS on an emergency basis, without waiting for a regular patch cycle to occur. Note that updating to a fixed version of NetWeaver will not address pre-existing compromises. Customers should also restrict access to the affected endpoint (/developmentserver/metadatauploader) and investigate their environments for signs of compromise,” Rapid7’s Caitlin Condon said.
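The two defensive steps in the guidance above, restricting the endpoint and investigating for signs of compromise, both start with the web server's own access logs. The script below is an added example, not code from Vulnerable U, SAP, ReliaQuest or Rapid7. It assumes the front-end logs requests in the common Apache/nginx "combined" format; the log lines embedded in it are constructed for the example and are not real data. It flags every request to the /developmentserver/metadatauploader path, matched case-insensitively and without its query string, and separates POSTs the server accepted (2xx, which warrant a forensic look at the host) from requests that were refused (which show an access restriction doing its job).

```python
"""Triage web-server access logs for traffic to the NetWeaver Visual Composer
metadata uploader endpoint named in the SAP / ReliaQuest reporting."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Endpoint from the advisory text; compared lower-cased and without the query
# string so that casing or query variations do not slip past the check.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Apache/nginx "combined" log format (assumption: your front end logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Hit:
    ip: str
    when: datetime
    method: str
    status: int


def parse_line(line: str):
    """Return a Hit if the line is a request to the uploader endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or differently formatted line: skip, don't crash
    path = m["target"].split("?", 1)[0].lower()
    if not path.startswith(UPLOADER_PATH):
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Hit(m["ip"], when, m["method"], int(m["status"]))


def triage(lines):
    """Summarise uploader-endpoint traffic for an incident responder."""
    hits = [h for h in (parse_line(l) for l in lines) if h]
    # An accepted POST (2xx) is the case that needs a host-level investigation;
    # a 401/403 means the endpoint restriction recommended by Rapid7 held.
    accepted_posts = [h for h in hits if h.method == "POST" and 200 <= h.status < 300]
    return {
        "total": len(hits),
        "accepted_posts": len(accepted_posts),
        "sources": Counter(h.ip for h in hits),
        "first_seen": min((h.when for h in hits), default=None),
    }


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2025:10:15:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.23 - - [28/Mar/2025:08:02:44 +0000] "GET /irj/portal HTTP/1.1" 200 8841',
    '203.0.113.7 - - [29/Mar/2025:11:40:19 +0000] "POST /DevelopmentServer/MetadataUploader?x=1 HTTP/1.1" 200 498',
    '192.0.2.55 - - [02/May/2025:09:12:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 153',
    '192.0.2.55 - - [02/May/2025:09:12:05 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 153',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"uploader requests: {summary['total']}, accepted POSTs: {summary['accepted_posts']}")
    print(f"first seen: {summary['first_seen']}, sources: {dict(summary['sources'])}")
```

Any accepted POST this reports should be treated as a lead, not a verdict: the text above notes that patching does not undo an existing compromise, so the host behind such a hit needs a forensic review regardless of whether the update has since been applied.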