Full Report
Executive Summary

CVE-2025-31324 is a critical remote code execution (RCE) vulnerability affecting the SAP NetWeaver Development Server, one of the core components used in enterprise environments for application development and integration. The vulnerability stems from improper validation of uploaded model files via the exposed metadatauploader endpoint. By exploiting this weakness, attackers can upload malicious files—typically […]

The post SAP NetWeaver Metadata Uploader Vulnerability (CVE-2025-31324) appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Vulnerability: SAP NetWeaver Metadata Uploader Unauthenticated RCE
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 8.0 (Critical)
- CWE: Improper Control of User-Controlled Format String (implicit; related to improper handling of uploaded files leading to RCE)
## Affected Systems
- Products: SAP NetWeaver Application Server (Development Server module)
- Versions: Prior to the September 2025 patch set release.
- Configurations: Systems utilizing the exposed `/metadatauploader` endpoint.
## Vulnerability Description
This is a critical vulnerability stemming from improper validation of uploaded model files via the `metadatauploader` endpoint on the SAP NetWeaver Development Server. Attackers can send specially crafted HTTP POST requests with `Content-Type: application/octet-stream` whose body is a malicious ZIP/JAR payload (beginning with the ZIP signature 'PK'). If such a payload contains crafted model definitions or bytecode, the server processes it as trusted content, leading directly to unauthenticated Remote Code Execution (RCE) in the security context of the SAP NetWeaver server process.
## Exploitation
- Status: Exploited in the wild (active since March 2025; widely weaponized after a public exploit was released in August 2025).
- Complexity: Low (Unauthenticated access allows execution).
- Attack Vector: Network
## Impact
- Confidentiality: High (Theft of sensitive business data and IP)
- Integrity: High (Successful code execution allows full system compromise)
- Availability: High (Disruption of critical ERP processes)
## Remediation
### Patches
- Apply SAP September 2025 security updates immediately.
### Workarounds
- Restrict access to the SAP NetWeaver Development Server to trusted networks only, preventing external exposure.
## Detection
- **Indicators of Compromise (IoCs):**
  - Webshells observed include `helper.jsp`, `cache.jsp`, and randomly named `.jsp` files.
  - Linux backdoors such as `Auto-Color` have been deployed.
- **Detection Methods and Tools:**
  - **Network/IPS/IDS:** Monitor for POST requests to `/developmentserver/metadatauploader` with `Content-Type: application/octet-stream` whose binary body starts with the 'PK' (ZIP) signature.
  - **EDR/XDR:** Monitor for the SAP NetWeaver process spawning unexpected child processes (e.g., `cmd.exe`, `powershell`).
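The network indicator above, turned into a small matcher as an added example (this is not code from the advisory, SAP, or Seqrite): it parses raw HTTP/1.1 requests and flags a POST to the metadata uploader path that carries `application/octet-stream` and a body starting with the ZIP signature. The hostname and the three sample requests are constructed for illustration.

```python
"""Matcher for the CVE-2025-31324 network indicator (added example)."""
from dataclasses import dataclass

UPLOADER_PATH = "/developmentserver/metadatauploader"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict   # header names lower-cased
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Minimal parser for one raw HTTP/1.1 request as captured on the wire."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]  # match on the path only, ignore any query string
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def is_suspicious_upload(req: HttpRequest) -> bool:
    """True when all three parts of the indicator match: POST, uploader path,
    octet-stream content type, and a body that begins with the ZIP magic 'PK'."""
    if req.method.upper() != "POST" or req.path.lower() != UPLOADER_PATH:
        return False
    # Strip any parameters such as "; charset=..." before comparing the media type.
    ctype = req.headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/octet-stream":
        return False
    return req.body.startswith(b"PK")


def scan(raw_requests: list) -> list:
    """Return the indexes of requests that match, for alerting or triage."""
    return [i for i, raw in enumerate(raw_requests)
            if is_suspicious_upload(parse_raw_request(raw))]


# Constructed samples: a matching ZIP upload, a benign XML upload, and a GET probe.
SAMPLES = [
    b"POST /developmentserver/metadatauploader HTTP/1.1\r\nHost: sap.example.internal\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 8\r\n\r\nPK\x03\x04\x00\x00\x00\x00",
    b"POST /developmentserver/metadatauploader HTTP/1.1\r\nHost: sap.example.internal\r\n"
    b"Content-Type: text/xml\r\n\r\n<model/>",
    b"GET /developmentserver/metadatauploader HTTP/1.1\r\nHost: sap.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    print("suspicious request indexes:", scan(SAMPLES))  # [0]
```

In production the same three checks map directly onto an IDS rule or a reverse-proxy access-log query; the parser here only exists so the logic can be run offline against captured requests.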
## References
- SAP Security Advisory (September 2025)
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31324
- MITRE ATT&CK Framework: https://attack.mitre.org/techniques/T1190/