Full Report
CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component (CVSS 10.0) that enables unauthenticated remote code execution (RCE). The flaw, caused by missing authorization checks in the Metadata Uploader interface, allows attackers to upl...
Analysis Summary
# Vulnerability: SAP NetWeaver Visual Composer Unauthenticated RCE via Missing Authorization
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: Missing Authorization
## Affected Systems
- Products: SAP NetWeaver Visual Composer component
- Versions: Not explicitly detailed. The vulnerability exists within the Metadata Uploader interface, so deployments of the component that expose that interface should be treated as affected.
- Configurations: Any deployment utilizing the vulnerable Metadata Uploader interface.
## Vulnerability Description
CVE-2025-31324 is a critical vulnerability stemming from **missing authorization checks** within the **Metadata Uploader interface** of SAP NetWeaver Visual Composer. This flaw allows an unauthenticated remote attacker to leverage specially crafted HTTP requests to **upload arbitrary executable files**, leading directly to Remote Code Execution (RCE).
## Exploitation
- Status: Exploited in the wild (Observed in active exploitation campaigns since early 2025)
- Complexity: Low (Unauthenticated RCE)
- Attack Vector: Network
## Impact
- Confidentiality: High (System-level access achieved)
- Integrity: High (Webshell deployment implies full control over system operations)
- Availability: High (Potential for service disruption, though initial observed impact focused on persistence and data access)
## Remediation
### Patches
- Patch information is not detailed in the provided context; organizations must consult official SAP security advisories for the definitive patch details (e.g., specific Support Package Stacks or Security Notes).
### Workarounds
- No specific temporary mitigations were detailed, but blocking upload functionality or restricting access to the Metadata Uploader interface at the network or WAF level would serve as temporary controls until patching.
## Detection
- Observed techniques include deployment of webshells (e.g., `helper.jsp`, `cache.jsp`).
- Detection methods should focus on monitoring for unusual file uploads to system directories associated with SAP NetWeaver Visual Composer, particularly uploads containing executable code or JSP/ASP page content, and monitoring for the execution of post-exploitation tools like Brute Ratel.
- Look for successful authentication/activity using service accounts like `adm` after network ingress.
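
The file-upload guidance above can be turned into a periodic sweep. The following is an added example, not code from SAP or from the referenced reports: it flags the two webshell names listed above, server-side pages created after a known-good baseline, and recently written files that carry JSP scriptlet markers under another extension. The directory to scan, the baseline time, the allowlist and the marker heuristic are assumptions to adapt per site.

```python
import sys
import time
from pathlib import Path

KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}   # names reported on this page
SERVER_PAGE_EXTS = {".jsp", ".jspx", ".asp", ".aspx"}
SCRIPT_MARKERS = (b"<%", b"<jsp:")                    # heuristic markers (assumption)


def sweep(root, baseline_epoch, allowlist=frozenset()):
    """Flag files under `root` that match the detection guidance.

    root            directory the web application serves or writes to (site-specific)
    baseline_epoch  last known-good time; files modified later count as new
    allowlist       relative paths of server pages that are expected to exist
    Returns a list of (relative_path, [reasons]) in path order.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in allowlist:
            continue
        reasons = []
        if path.name.lower() in KNOWN_WEBSHELL_NAMES:
            reasons.append("known-webshell-name")
        is_new = path.stat().st_mtime > baseline_epoch
        if is_new and path.suffix.lower() in SERVER_PAGE_EXTS:
            reasons.append("new-server-page")
        elif is_new:
            # Uploaded page content may sit under a harmless-looking extension.
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if any(marker in head for marker in SCRIPT_MARKERS):
                reasons.append("script-content-in-non-page-file")
        if reasons:
            findings.append((rel, reasons))
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sweep.py <directory> [hours-back]")
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 24.0
    for rel, reasons in sweep(sys.argv[1], time.time() - hours * 3600):
        print(f"{rel}\t{','.join(reasons)}")
```

A hit on a file name alone is weak evidence, since the names are easy to change; treat any new server-side page outside a change window as the stronger signal.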
## References
- Vendor Advisories: Refer to SAP Security Notes published around April 2025.
- Relevant Links:
  - hxxps://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
  - hxxps://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/