The critical vulnerability is being exploited by BianLian, RansomEXX and a Chinese nation-state actor known as Chaya_004
Analysis Summary
# Vulnerability: Critical Unauthenticated File Upload in SAP NetWeaver Visual Composer Framework
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: Not specified in the source; the weakness class is an unauthenticated file upload.
## Affected Systems
- Products: SAP NetWeaver Visual Composer Framework
- Versions: 7.50
- Configurations: Instances exposed to the internet.
## Vulnerability Description
This is an unauthenticated file upload vulnerability residing within the Metadata Uploader component of SAP NetWeaver Visual Composer Framework version 7.50. Successful exploitation allows an unauthenticated remote attacker to upload and execute potentially malicious binary files on the host system, leading to severe compromise.
## Exploitation
- Status: Exploited in the wild (reported as actively used by the ransomware groups BianLian and RansomEXX, and by a Chinese nation-state actor known as Chaya_004).
- Complexity: Low (Implied by unauthenticated access and severity).
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for unauthorized access to sensitive data)
- Integrity: High (Potential for system modification, data tampering, or new malware deployment)
- Availability: High (Potential for denial of service or ransomware deployment)
## Remediation
### Patches
- SAP released a patch in their security advisory on April 24th (Note: Advisory access is restricted to SAP customers).
### Workarounds
- Specific workarounds are not detailed in the source excerpt. Until the patch is applied, the general mitigation is to restrict network access to the vulnerable component so that it is not reachable from the internet.
## Detection
- Indicators of compromise: Discovery of unexpected executable binaries uploaded to the SAP system.
- Detection methods and tools: Monitor network traffic targeting SAP NetWeaver systems and review logs for unusual file uploads through the Visual Composer component. The Shadowserver Foundation reported over 400 exposed servers, indicating a broad exposure risk.
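The two detection bullets above translate into a simple log-review routine. The following is an added example, not code from the report or from SAP: it parses a few constructed Common Log Format lines, flags successful POSTs to the uploader endpoint that carry no authenticated user, and separately flags files with executable suffixes under the application directory. The endpoint path (`UPLOADER_PATH`), the directory paths and the log lines are placeholders constructed for this example; substitute the path named in SAP's advisory for your release.

```python
"""Defender-side log review for unauthenticated uploads (added example, not SAP's code)."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# ASSUMPTION: placeholder for the Visual Composer Metadata Uploader endpoint.
# Replace with the path given in the SAP advisory for your installation.
UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"

# File types that a metadata upload should never legitimately produce on the server.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".war", ".jar", ".exe", ".dll", ".sh", ".so"}

# Common Log Format: client, ident, auth user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass(frozen=True)
class Finding:
    source: str
    timestamp: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_uploads(lines):
    """Flag successful POSTs to the uploader path that have no authenticated user."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or not path_only.lower().startswith(UPLOADER_PATH.lower()):
            continue
        # "-" in the auth-user field means the server accepted the request without a login.
        if rec["user"] == "-" and rec["status"].startswith("2"):
            findings.append(Finding(rec["src"], rec["ts"], "unauthenticated upload accepted"))
    return findings


def flag_executables(file_paths):
    """Return the paths whose suffix marks executable content (unexpected for metadata)."""
    return [p for p in file_paths if PurePosixPath(p).suffix.lower() in EXECUTABLE_SUFFIXES]


# Constructed sample data: RFC 5737 documentation addresses and placeholder paths.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:12:03 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 200 512
198.51.100.4 - jdoe [28/Apr/2025:10:13:44 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 200 1024
203.0.113.7 - - [28/Apr/2025:10:14:10 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.9 - - [28/Apr/2025:10:15:00 +0000] "POST /PLACEHOLDER/metadatauploader?v=1 HTTP/1.1" 401 0
""".splitlines()

SAMPLE_FILES = [
    "/usr/sap/PLACEHOLDER/j2ee/cluster/apps/metadata/model.xml",
    "/usr/sap/PLACEHOLDER/j2ee/cluster/apps/metadata/helper.jsp",
    "/usr/sap/PLACEHOLDER/j2ee/cluster/apps/metadata/svc.exe",
]


if __name__ == "__main__":
    for f in flag_uploads(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source}: {f.reason}")
    for p in flag_executables(SAMPLE_FILES):
        print(f"unexpected executable: {p}")
```

In the sample data only the first log line is reported: the second carries an authenticated user, the third is not a POST to the uploader, and the fourth was rejected with 401. Feed real access logs line by line and a file listing of the deploy tree, and treat any hit as a prompt to compare the server against the patched state from the SAP advisory.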
## References
- Vendor Advisory (SAP - Requires customer access)
- Infosecurity Magazine Article (Defanged): hxxps://www.infosecurity-magazine.com/news/sap-netweaver-vulnerability/