SAP NetWeaver Zero-day Remote Code Execution Vulnerability (CVE-2025-31324)

Posted by Author Diksha Ojha on Posted on

SAP released an out-of-band emergency update to address a remote code execution zero-day vulnerability impacting NetWeaver. Tracked as CVE-2025-31324, the vulnerability has a critical severity rating with a CVSS score of 10. Threat actors are exploiting the vulnerability to hijack servers.

SAP NetWeaver is a technology platform from SAP that enables organizations to integrate various business processes, data, and applications into a unified system. It acts as a foundation for many SAP applications, including ERP and CRM, and facilitates the integration of data from different sources into a single SAP environment.

A quick search revealed more than 45,000 publicly available targets on Fofa at the time of writing.

Vulnerability Details

The unauthenticated file upload vulnerability exists in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. The vulnerability allows attackers to upload malicious executable files without logging in, leading to remote code execution and complete system compromise.

The vulnerability exists in the /developmentserver/metadatauploader endpoint that handles metadata files for application development and configuration in SAP applications within the NetWeaver environment. An attacker can use specially crafted POST requests to upload malicious JSP webshell files and write them to the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory. After that, these files could be executed remotely by a simple GET requests, giving attackers complete control and turning this endpoint into a launchpad for exploitation.

an attacker can send a crafted payload to the /developmentserver/metadatauploader endpoint as an HTTP POST request and execute arbitrary code.

Image Source: Qualys Threat Research Unit (TRU)


Image Source: Qualys Threat Research Unit (TRU)

Affected Versions

The vulnerability affects SAP NetWeaver Visual Composer Framework version 7.50.

Mitigation

The vendor recommends users apply the latest patch.

For more information, please refer to the SAP Security Note 3594142.

Workaround

The vendor recommends the following actions for the users unable to upgrade to the latest patch:

  1. Restrict access to the /developmentserver/metadatauploader endpoint.
  2. If Visual Composer is not in use, consider turning it off entirely.
  3. Forward logs to SIEM and scan for unauthorized files in the servlet path.

Qualys Detection

Qualys customers can scan their devices with QID 732461 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://me.sap.com/notes/3594142
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Leave a Reply

Your email address will not be published. Required fields are marked *