Critical Zero-Day Vulnerability in SAP NetWeaver
CVE-2025-31324 could allow unauthenticated file uploads, potentially leading to RCE
Summary
CVE-2025-31324 could allow unauthenticated file uploads, potentially leading to RCE
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2025-31324
Multiple sources are reporting active exploitation of CVE-2025-31324 in the wild. The NHS England National Cyber Security Operations Centre (CSOC) assesses further exploitation as highly likely.
Introduction
SAP has released an out-of-band security update to address a critical zero-day vulnerability in NetWeaver Visual Composer. SAP NetWeaver Visual Composer is a web-based software modelling tool.
CVE-2025-31324 has a CVSSv3 score of 10.0. If exploited, it could allow an unauthenticated attacker to upload files to the server; an attacker who uploads a malicious executable file could then achieve remote code execution (RCE).
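Because the vulnerability class described above is an unauthenticated upload of executable content, one practical post-advisory check is to sweep the application's served directories for server-executable files written recently. The script below is an added example for this page, not SAP's or NHS England's code: the web root path is a placeholder, and the assumption is that a Java application server executes any .jsp/.jspx/.war/.class file it is asked to serve, so a freshly written one in a web root warrants triage.

```python
"""Sweep a web-application root for recently written server-executable files.

Added example for this advisory (not SAP's or NHS England's code). Assumes a
Java application-server web root; the path is a placeholder to be replaced with
the real deployed root on the host being checked.
"""
import os
import sys
import time
from pathlib import Path
from typing import Iterable, List, Tuple

# File types a Java application server will execute if they sit in a served path.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".war", ".class"}


def find_recent_executables(root: Path, since_epoch: float,
                            suffixes: Iterable[str] = EXECUTABLE_SUFFIXES
                            ) -> List[Tuple[str, float]]:
    """Return (path, mtime) for files under `root` whose suffix is in
    `suffixes` and whose modification time is at or after `since_epoch`,
    oldest first. Unreadable or vanished files are skipped, not fatal."""
    suffixes = {s.lower() for s in suffixes}
    hits: List[Tuple[str, float]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in suffixes:
                continue
            try:
                mtime = p.stat().st_mtime
            except OSError:
                continue  # file removed or unreadable mid-walk; keep going
            if mtime >= since_epoch:
                hits.append((str(p), mtime))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Placeholder root and a default 7-day window; both are assumptions.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/PLACEHOLDER/webroot")
    window_days = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    since = time.time() - window_days * 86400
    for path, mtime in find_recent_executables(root, since):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {path}")
```

Run it as `python sweep.py /path/to/webroot 7` on the host. Modification times can be altered after a write, so a hit list is a triage starting point to compare against deployment records rather than proof on its own, and an empty list does not show the patch from the security note has been applied.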
Remediation advice
Affected organisations are encouraged to review the SAP Security Note 3594142 and apply the relevant updates as soon as practicable.
Definitive source of threat updates
Last edited: 28 April 2025 2:22 pm