Full Report
A maximum severity flaw affecting SAP NetWeaver has been exploited by threat actors
Analysis Summary
# Vulnerability: SAP NetWeaver Visual Composer Unauthenticated File Upload
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- Products: SAP NetWeaver Visual Composer Framework
- Versions: 7.50
- Configurations: Any deployment in which the Metadata Uploader component of Visual Composer is reachable over the network; the component does not need to be in active use to be exposed.
## Vulnerability Description
The vulnerability is an unauthenticated file upload flaw in the Metadata Uploader component of the SAP NetWeaver Visual Composer Framework version 7.50. The uploader does not require authentication and does not restrict the type of file it accepts, so any client that can reach the endpoint over the network can write attacker-controlled executable content (binaries or server-side code) onto the host. Because the file lands within the SAP Java application server's reach, the attacker can go on to execute it with the privileges of the application server process, which is why the flaw carries a maximum severity rating.
## Exploitation
- Status: Exploited in the wild (evidence of exploitation observed in customer incidents in April 2025).
- Complexity: Low. A CVSS v3 base score of 10.0 is only possible with Attack Complexity: Low and Privileges Required: None, which matches an unauthenticated upload reachable over the network.
- Attack Vector: Network. The Metadata Uploader is an HTTP endpoint of the Java application server, and the 10.0 score requires Attack Vector: Network.
## Impact
- Confidentiality: High. Code running as the application server process can read any data the SAP system holds or can reach, including credentials and business data.
- Integrity: High. The attacker can modify or replace application files, configuration and data, and can plant persistent backdoors on the host.
- Availability: High. Malicious code can stop or crash the application server or be used as a foothold for ransomware.
## Remediation
### Patches
- Patches are available through an emergency (out-of-band) security update released by SAP. The corresponding SAP Security Note and the patch download require valid SAP customer credentials. Patching is the only complete fix; apply it on every system that has the Visual Composer component deployed, not only those where it is actively used.
### Workarounds
- **Immediate Action:** Until the patch is applied, restrict network access to the Visual Composer development server endpoints (for example, with an allow-list at the reverse proxy, web dispatcher or firewall in front of the Java application server, so that only trusted administrator addresses can reach them), and consider disabling the Visual Composer component where it is not in use. (Note: the source details no technical workaround beyond patching; the access restriction above is a general mitigation, not a vendor-documented one.) Because exploitation is already occurring, also assume compromise on any Internet-exposed system and check it using the detection guidance below before and after patching.
## Detection
- **Indicators of Compromise (IOCs):** HTTP POST requests to the Visual Composer Metadata Uploader endpoint from unexpected or Internet sources, particularly without an authenticated user; newly created files with executable or server-side script extensions (for example `.jsp`, `.class`, `.jar`, binaries) in Visual Composer or J2EE web root directories that are not part of a known-good inventory; subsequent requests from the same client for those new files (the drop-then-call pattern of a web shell); and unexpected child processes of the SAP Java application server.
- **Detection Methods and Tools:** Review the application server's HTTP access logs and web application firewall or reverse proxy logs for the request patterns above; run file integrity monitoring or periodic directory inventories over the Visual Composer and J2EE web root directories to catch new executable files; and alert on process creation from the application server's OS user that launches shells or system utilities.
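The following is an added example, not code from the original advisory or from SAP, that applies the detection logic above to HTTP access logs and a file inventory. It assumes the Metadata Uploader is served at `/developmentserver/metadatauploader` (the page does not state the path) and that the access log is written in Common Log Format; the log lines and file paths are constructed samples, not real traffic or real hosts. The key idea is to separate a mere scan of the endpoint (a GET probe) from an actual exploit, which shows up as a POST to the uploader followed by a request from the same client for a freshly planted executable file.

```python
"""Hunt for exploitation of an unauthenticated uploader in HTTP access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the Metadata Uploader is served at this path (not stated in the advisory).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# File types an unrestricted upload would be used to plant on a Java application server.
DANGEROUS_EXT = (".jsp", ".jspx", ".class", ".jar", ".war", ".exe", ".dll", ".so", ".sh")

# Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log, in chronological order. Not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [24/Apr/2025:10:14:58 +0000] "GET /irj/portal HTTP/1.1" 200 8831',
    '203.0.113.7 - - [24/Apr/2025:10:15:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:15:09 +0000] "GET /irj/x.jsp?cmd=id HTTP/1.1" 200 128',
    '198.51.100.2 - - [24/Apr/2025:10:16:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 -',
    '10.0.0.5 - jdoe [24/Apr/2025:10:17:00 +0000] "GET /irj/portal/logo.jpg HTTP/1.1" 200 2048',
]

# Constructed file inventory of a web root plus a known-good baseline. Paths are hypothetical.
SAMPLE_FILES = [
    "/usr/sap/J2E/webroot/index.jsp",
    "/usr/sap/J2E/webroot/style.css",
    "/usr/sap/J2E/webroot/x.jsp",
    "/usr/sap/J2E/webroot/cache.tmp",
]
BASELINE = ["/usr/sap/J2E/webroot/index.jsp"]


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if the line does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["uri"]).path.lower()  # strip query string for matching
    return rec


def is_uploader_post(rec):
    """A POST to the uploader is the primary indicator; a GET is usually only a scanner probe."""
    return rec["method"] == "POST" and rec["path"] == UPLOADER_PATH


def find_uploader_posts(lines):
    """All POSTs to the uploader, with the client IP and whether a user was authenticated."""
    return [r for r in map(parse_line, lines) if r and is_uploader_post(r)]


def find_webshell_followups(lines):
    """Pair each uploader POST with later requests from the same client for a dangerous file type.

    The drop-then-call sequence distinguishes a successful exploit from a scan of the endpoint.
    Returns (ip, uri, status) tuples for the follow-up requests.
    """
    posted = defaultdict(list)
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if is_uploader_post(rec):
            posted[rec["ip"]].append(rec["uri"])
        elif rec["ip"] in posted and rec["path"].endswith(DANGEROUS_EXT):
            hits.append((rec["ip"], rec["uri"], rec["status"]))
    return hits


def suspicious_files(paths, baseline):
    """Files with dangerous extensions that are absent from the known-good inventory."""
    base = set(baseline)
    return sorted(p for p in paths if p.lower().endswith(DANGEROUS_EXT) and p not in base)


if __name__ == "__main__":
    for r in find_uploader_posts(SAMPLE_LOG):
        print("uploader POST:", r["ip"], "authenticated user:", r["user"])
    for ip, uri, status in find_webshell_followups(SAMPLE_LOG):
        print("possible web shell call:", ip, uri, status)
    for p in suspicious_files(SAMPLE_FILES, BASELINE):
        print("new executable file outside baseline:", p)
```

In practice, feed the functions the real access log lines and a directory listing taken from the application server; the probe from the third client is deliberately not reported as an exploit, which keeps the output focused on the sessions that actually dropped and called a file.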
## References
- Vendor Advisory: SAP Security Note for CVE-2025-31324, available only behind the SAP customer login (the defanged link `accounts[.]sap[.]com/saml2/idp/sso` is the SSO redirect, not the note itself).
- General Information: `infosecurity-magazine[.]com/news/sap-fixes-critical-vulnerability/`