CVE-2025-31324 is a critical vulnerability in SAP NetWeaver AS Java, specifically in the Visual Composer Metadata Uploader (the /developmentserver/metadatauploader endpoint). Because the uploader performs no authorization check, an unauthenticated attacker can upload arbitrary files, including executable content such as JSP web shells, to the server. SAP rates it CVSS 10.0, reflecting a full loss of confidentiality, integrity and availability of the affected system.
The risk to organizations includes complete compromise of the SAP system, leading to operational disruption, data theft and lateral movement into the wider estate. The vulnerability is confirmed to be exploited in the wild, public proof-of-concept code exists, and ransomware operators have used it, so remediation cannot wait. Organizations running SAP NetWeaver should determine whether Visual Composer is deployed, apply the SAP patch immediately, and check exposed systems for signs of prior compromise, because applying the patch does not remove a web shell that has already been planted.
Vulnerability Details
The SAP NetWeaver Visual Composer Metadata Uploader is not protected by a proper authorization check. An unauthenticated agent can therefore upload files, including executable binaries, that the application server then makes reachable over HTTP, which leads to arbitrary code execution. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability has a CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity and availability. SAP published the fix out of band in Security Note 3594142 on April 24, 2025.
Technical Analysis
The root cause is a missing authorization check on the Visual Composer Metadata Uploader endpoint: the upload handler never verifies that the caller is authenticated or entitled to upload, so the attack is a single unauthenticated HTTP request over the network, with low complexity and no user interaction. Uploaded code runs with the privileges of the AS Java server process (the <sid>adm operating-system user), which gives the attacker control of the SAP instance, its database connections and its data, and a foothold for data theft, ransomware deployment or outages.
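The following block is an added illustration, written in generic Python for this page and not SAP's Visual Composer code, of the class of flaw just described: an upload handler with no authentication, no authorization and no file-type control, next to a hardened version with the checks a practitioner would expect. The handler signatures, the role name ContentAdmin and the accepted extensions are assumptions.

```python
"""Generic illustration (added for this page, not SAP's Visual Composer code)
of CWE-434 combined with a missing authorization check, next to a hardened
handler. Names, roles and the accepted extensions are assumptions."""
import os
import re
import secrets
import tempfile

# Assumption: metadata accepted by this hypothetical uploader is XML or JSON.
ALLOWED_EXT = {".xml", ".json"}
# Two separate directories: the vulnerable handler writes into a tree the
# application server also serves; the hardened one writes into a quarantine
# directory that nothing serves.
SERVED_DIR = tempfile.mkdtemp(prefix="served-")
QUARANTINE_DIR = tempfile.mkdtemp(prefix="quarantine-")


def vulnerable_upload(principal, filename, data):
    """No authentication, no authorization, caller-chosen name, any content.
    A .jsp dropped here becomes executable as soon as it is requested."""
    path = os.path.join(SERVED_DIR, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_upload(principal, filename, data, required_role="ContentAdmin"):
    """Returns (accepted, detail). Each check is independent of the others so
    that removing one (e.g. the role check) does not silently disable the rest."""
    # 1. Authentication: an anonymous caller never reaches the file write.
    if principal is None:
        return False, "unauthenticated"
    # 2. Authorization: the caller must hold a role that may upload.
    if required_role not in principal.get("roles", ()):
        return False, "missing role " + required_role
    # 3. Filename hygiene: no path components, conservative character set.
    base = os.path.basename(filename)
    if base != filename or not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", base):
        return False, "bad filename"
    # 4. Extension allowlist: server-executable types are never accepted.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension %s not allowed" % (ext or "<none>")
    # 5. Cheap content sniff: the body must look like what the extension claims.
    head = data.lstrip()[:1]
    if (ext == ".xml" and head != b"<") or (ext == ".json" and head not in (b"{", b"[")):
        return False, "content does not match extension"
    # 6. Server-chosen name, outside any served tree, created with O_EXCL so an
    #    existing file is never overwritten.
    dest = os.path.join(QUARANTINE_DIR, secrets.token_hex(8) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True, dest


if __name__ == "__main__":
    shell = b'<% out.println("hi"); %>'  # constructed stand-in for a JSP body
    admin = {"roles": ["ContentAdmin"]}
    print("vulnerable, anonymous .jsp:", vulnerable_upload(None, "helper.jsp", shell))
    print("hardened, anonymous:", hardened_upload(None, "helper.jsp", shell))
    print("hardened, admin, .jsp:", hardened_upload(admin, "helper.jsp", shell))
    print("hardened, admin, .xml:", hardened_upload(admin, "model.xml", b"<model/>"))
```

The order of the checks matters: authentication and authorization come first so that an anonymous caller never exercises the parsing or filesystem code at all, and the server chooses the stored name and location so that even an accepted upload can never be addressed as a URL.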
Risk & Impact Analysis
Organizations deploying SAP NetWeaver with Visual Composer are at significant risk, and the risk is highest for portals exposed to the internet, where exploitation is fully automatable. The impact extends to critical business processes and customer data held in the SAP system, and because the attacker obtains code execution on the application server, a compromised instance also becomes a pivot into the rest of the network. Given the active exploitation and the CVSS score of 10.0, organizations must treat this vulnerability as a top priority, applying the patch and interim controls without delay.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | Yes |
| Ransomware Use | Yes |
Affected Versions
The vulnerable component is the SAP NetWeaver Visual Composer Framework, software component VCFRAMEWORK 7.50 (the Visual Composer component of SAP NetWeaver 7.50). Visual Composer is an optional component and is not present on every AS Java system, so check the deployed software components of each instance: systems without VCFRAMEWORK are not affected, and systems with it remain affected until the patch from SAP Security Note 3594142 is applied.
Mitigation & Remediation
Apply SAP Security Note 3594142, which adds the missing authorization check to the Metadata Uploader. Where the patch cannot be applied immediately, SAP's workaround (Security Note 3596125) is to block access to the /developmentserver/metadatauploader URL, for example at the SAP Web Dispatcher or reverse proxy, or to disable or undeploy Visual Composer if it is not in use; an unpatched system should not be reachable from the internet at all. Because the patch does not clean up anything an attacker has already uploaded, inspect every exposed instance for web shells and other indicators before trusting it again, and treat any instance with indicators as compromised. For a thorough assessment of SAP exposure, organizations can refer to the penetration testing service.
Detection Guidance
The most reliable indicators are on the server itself. Look for POST requests to /developmentserver/metadatauploader in the HTTP access logs, particularly from unexpected or external sources, and for .jsp files (or other server-executable file types) created under the portal's servlet_jsp directories, typically j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, .../irj/work/ and .../irj/work/sync/, where attackers have been dropping web shells. Follow-on activity shows up as GET requests to those JSP files, often carrying command parameters, and as unusual child processes (shells, network utilities, script interpreters) spawned by the Java server process. As an exposure check, an unauthenticated request to the uploader URL on an unpatched system is answered normally rather than rejected with an authorization error; after patching or applying the workaround it should be rejected. Network monitoring for uploads to that URL and for requests to JSP files under /irj complements host-based review but should not replace it.
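Added example (not SAP code): a small Python script that applies the detection guidance above to access-log lines and to the portal directory tree. The log lines are a constructed sample in generic combined-log layout, so LOG_RE must be adapted to the access-log format the AS Java or ICM instance actually writes, and the directory layout assumed for find_jsp_files is the servlet_jsp/irj tree named above.

```python
"""Added detection example (not SAP code): flag the two exploitation signals,
upload requests to the uploader endpoint and JSP files appearing under the
/irj tree, from access-log lines and from the filesystem. SAMPLE_LOG is a
constructed sample in generic combined-log layout; adapt LOG_RE to the
access-log format your AS Java / ICM instance actually writes."""
import os
import re
import tempfile

UPLOADER_PATH = "/developmentserver/metadatauploader"
# URL prefixes under which uploaded JSP web shells have been reported.
WEBSHELL_PREFIXES = ("/irj/root/", "/irj/work/")
JSP_RE = re.compile(r"\.jsp$", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample, not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [25/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 210
203.0.113.7 - - [25/Apr/2025:10:02:19 +0000] "GET /irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 88
10.0.0.8 - - [25/Apr/2025:10:03:00 +0000] "GET /irj/work/sync/cache.jsp HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines):
    """Return (severity, reason, source_ip, target) tuples, strongest first."""
    hits, uploaders, jsp_callers = [], set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        url = ev["target"].split("?", 1)[0]  # drop the query string for matching
        if ev["method"] == "POST" and url.lower().startswith(UPLOADER_PATH):
            hits.append(("high", "POST to metadata uploader", ev["ip"], ev["target"]))
            uploaders.add(ev["ip"])
        elif url.startswith(WEBSHELL_PREFIXES) and JSP_RE.search(url):
            if ev["status"] == "200":
                hits.append(("critical", "JSP under /irj served", ev["ip"], ev["target"]))
            else:
                hits.append(("medium", "probe for JSP under /irj", ev["ip"], ev["target"]))
            jsp_callers.add(ev["ip"])
    # One source both posting to the uploader and calling a JSP is the full chain.
    for ip in sorted(uploaders & jsp_callers):
        hits.append(("critical", "same source uploaded then invoked JSP", ip, ""))
    hits.sort(key=lambda h: SEVERITY_ORDER[h[0]])  # stable sort keeps log order within a severity
    return hits


def find_jsp_files(irj_dir):
    """List .jsp files below <irj_dir>/root and <irj_dir>/work (which includes
    work/sync). Assumption: irj_dir is the portal's servlet_jsp/irj directory."""
    found = []
    for sub in ("root", "work"):
        for dirpath, _, files in os.walk(os.path.join(irj_dir, sub)):
            found.extend(os.path.join(dirpath, f) for f in files if JSP_RE.search(f))
    return sorted(found)


def demo_filesystem():
    """Build a constructed irj tree with one planted .jsp and return the
    basenames that find_jsp_files reports."""
    irj = tempfile.mkdtemp(prefix="irj-")
    for sub in ("root", os.path.join("work", "sync")):
        os.makedirs(os.path.join(irj, sub))
    open(os.path.join(irj, "root", "helper.jsp"), "w").close()
    open(os.path.join(irj, "work", "sync", "model.xml"), "w").close()
    return [os.path.basename(p) for p in find_jsp_files(irj)]


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG.splitlines()):
        print(hit)
    print("planted JSP files:", demo_filesystem())
```

A 404 for a JSP under /irj is kept at medium severity on purpose: it is what a scanner probing for someone else's web shell looks like, and it is also what a cleaned-up system looks like after a shell was removed, so it deserves a look but not the same response as a served JSP. On a real system, run find_jsp_files against the actual servlet_jsp/irj directory and compare the result against a known-good baseline, since a legitimate Visual Composer deployment may contain JSP files of its own.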
AppSecure Threat Intelligence Insight
The broader lesson of CVE-2025-31324 is that a single missing authorization check on a file-upload endpoint is enough to hand an unauthenticated attacker full control of an enterprise system. Unrestricted file uploads remain a recurring class of critical flaws that security teams must proactively address: authenticate and authorize every upload endpoint, allowlist file types, and never store uploads where the application server will execute them. Organizations are encouraged to review their security policies and incorporate comprehensive testing strategies.
For further insights, organizations can explore our penetration testing methodology and the vulnerability management program for effective risk management.
Finally, organizations should consider implementing red teaming exercises to better simulate and prepare for potential attack scenarios.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.