
Exploited! SAP NetWeaver Visual Composer Unauthenticated File-Upload Vulnerability (CVE-2025-31324) 

Amit Sheps, Director of Product Marketing
April 27, 2025

SAP has released an out-of-band patch for a critical unrestricted file-upload flaw, CVE-2025-31324, in the NetWeaver Visual Composer “Metadata Uploader.” A missing authorization check allows unauthenticated attackers to upload arbitrary files (e.g., JSP, WAR) and instantly execute code on the SAP Java stack. If left unpatched, the weakness can expose sensitive ERP data and disrupt core business workflows across finance, HR, and manufacturing systems. 

What is CVE-2025-31324 SAP NetWeaver Visual Composer Vulnerability? 

CVE-2025-31324 is a CVSS 3.1 10.0 (Critical) unrestricted file-upload flaw in the Metadata Uploader of SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50).
A missing authorization check on the endpoint /developmentserver/metadatauploader allows an unauthenticated remote attacker to upload arbitrary files (JSP, WAR, JAR, or executables) to the application server's filesystem. Because the uploaded files land in a web-served location, they can be invoked directly, granting immediate remote code execution (RCE) with the privileges of the SAP Java stack, often at adm level.

Although Visual Composer is shipped as an add-on, it is widely enabled because business users rely on it to create workflows without code. Systems that expose the Visual Composer development server to the internet (directly or via reverse proxy) are at the highest risk.  

Exploiting the Vulnerability 

1. Blind file upload

Attackers issue a simple POST request targeting the vulnerable servlet:

    POST /developmentserver/metadatauploader HTTP/1.1
    Host: sap-victim.example.com
    Content-Type: multipart/form-data; boundary=----ionix
    Content-Length: 14800

    ------ionix
    Content-Disposition: form-data; name="file"; filename="shell.jsp"
    Content-Type: application/octet-stream

    <%-- JSP reverse shell / Brute Ratel loader --%>
    ...
    ------ionix--

Because the servlet performs no authentication or MIME validation, the payload is written into /usr/sap/<SID>/JC<nr>/j2ee/cluster/server0/apps/sap.com/visual_comp/servlet_jsp/myapp/root/ (exact path varies).  

2. Code execution 

The attacker triggers the uploaded file: 

https://sap-victim.example.com/visual_comp/myapp/shell.jsp

Common post-exploitation actions:

  • Deploying a JSP web shell for persistent command execution
  • Dropping Brute Ratel or Cobalt Strike beacons to pivot inside the corporate network
  • Creating rogue Java EE applications to survive patching cycles

Because NetWeaver runs with high privileges and often sits close to ERP data, lateral movement to SAP ABAP stacks or connected databases is trivial.

Potential Risks 

  • Complete system takeover – arbitrary code runs as the SAP Java instance owner, enabling full read/write access to SAP and OS resources. 
  • Data theft – export of HR, financial, or intellectual-property data stored in connected SAP back-ends. 
  • Business process manipulation – attackers can tamper with purchasing, payroll, or production workflows executed through NetWeaver. 
  • Supply-chain compromise – compromised SAP servers are attractive to initial-access brokers selling entry into large enterprises or government agencies. 
  • Compliance violations & downtime – breaches of SOX, GDPR, and similar regulations; potential halt of critical operations.  

Mitigation Steps 

  1. Apply SAP Security Note #3594142 immediately
  • Out-of-band patches released 24 April 2025 supersede the regular April Patch Day bundle.
  2. Restrict access to the development server
  • Block external traffic to /developmentserver/* in your WAF / reverse proxy.
  • Remove the Visual Composer add-on if it is not in active use.
  3. Validate uploads
  • Implement strict MIME-type and file-extension controls on any remaining upload endpoints.
  4. Hard-enroll NetWeaver in CTEM
  • Use the IONIX Exposure Management Platform to discover exposed SAP endpoints, continuously validate exploitability, and prioritize remediation.
  5. Detect historic compromise
  • Search for unexpected files in visual_comp/ directories.
  • Review SAP logs for POST /metadatauploader requests without SSO tickets.
  • Hunt for outgoing TLS sessions from the Java process to known C2 infrastructure.
  6. Segment and monitor
  • Isolate SAP servers from desktop networks.
  • Enable EDR/XDR rules for Java process anomalies.
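The log-review step above can be scripted. The following is an added example (not IONIX or SAP code) that flags two indicators from this post in HTTP access-log lines: POST requests to /developmentserver/metadatauploader that carry neither an authenticated user nor an SAP logon ticket (MYSAPSSO2 cookie), and requests for .jsp files under /visual_comp/. The log layout (CLF plus user-agent and cookie fields) and the sample lines are constructed for illustration; adapt LINE_RE to the layout your ICM/HTTP access log actually uses.

```python
"""Hunt HTTP access logs for CVE-2025-31324 indicators (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample lines: CLF layout with referer, user-agent and cookie
# fields appended. This layout is an assumption, not SAP's native format.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:02:13:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
10.0.0.5 - - [25/Apr/2025:02:13:44 +0000] "GET /visual_comp/myapp/shell.jsp?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.31" "-"
192.168.1.20 - jdoe [25/Apr/2025:09:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 4012 "https://sap.example.com/VC" "Mozilla/5.0" "MYSAPSSO2=AjExMDAgAB"
192.168.1.21 - - [25/Apr/2025:09:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "JSESSIONID=abc"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

UPLOADER = "/developmentserver/metadatauploader"
SSO_COOKIE = "MYSAPSSO2="  # SAP logon ticket cookie name


def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    path = urlsplit(m["target"]).path.lower()  # drop any query string
    authenticated = m["user"] != "-" or SSO_COOKIE in m["cookie"]
    if m["method"] == "POST" and path == UPLOADER and not authenticated:
        reason = "unauthenticated POST to Metadata Uploader"
    elif m["method"] == "GET" and path.startswith("/visual_comp/") and path.endswith(".jsp"):
        reason = "JSP invoked under visual_comp (possible uploaded web shell)"
    else:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": int(m["status"]), "reason": reason}


def find_suspicious(log_text):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}: {hit['reason']}")
```

A successful (HTTP 200) unauthenticated POST followed shortly by a GET to a .jsp from the same source is the sequence worth triaging first.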

Does CVE-2025-31324 impact me? 

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal. 
