
Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited, maximum-severity unauthenticated file upload vulnerability tracked as CVE-2025-31324 (CVSS 10.0). Attackers are leveraging this flaw to hijack servers, deploy webshells, and achieve remote code execution (RCE). The vulnerability affects the Visual Composer Metadata Uploader component, which fails to validate file uploads, enabling malicious JSP binaries to be uploaded. SAP released an emergency patch (SAP Note 3594142) on April 25, 2025, but 474 servers have already been compromised, according to Onyphe [1].
Technical Analysis
The vulnerability stems from improper input validation in the Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader). Attackers send a crafted HTTP POST request with a malicious JSP payload, bypassing authentication. ReliaQuest confirmed that this flaw is distinct from CVE-2017-9844, a previously patched SAP NetWeaver vulnerability [2]. The exploit chain involves:
POST /developmentserver/metadatauploader HTTP/1.1
Host: [target]
Content-Type: multipart/form-data
[malicious JSP payload]
Attackers commonly deploy webshells like cache.jsp and use tools such as Brute Ratel for post-exploitation. Shadowserver data shows 1,284 exposed servers globally, with 62 confirmed compromises in the U.S. alone [3].
Mitigation and Patch Status
SAP’s official patch (Note 3594142) must be applied immediately. For systems where patching is delayed, workarounds include disabling Visual Composer if unused and monitoring the vulnerable endpoint for unauthorized uploads. Onapsis and RedRays have released detection scripts and scanners to identify exposed instances [4].
Country | Vulnerable Servers | Compromised |
---|---|---|
U.S. | 149 | 62 |
India | 50 | 18 |
Relevance to Security Teams
Red Teams should prioritize testing for this vulnerability in SAP NetWeaver environments, while Blue Teams must verify patch deployment and monitor for anomalous uploads. SOC analysts should hunt for artifacts like cache.jsp or unexpected processes spawned by javaw.exe. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities catalog, underscoring its criticality [5].
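The monitoring and hunting guidance above (POSTs to the uploader endpoint, artifacts like cache.jsp) can be run as a sweep over HTTP access logs. This is an added example, not code from SAP, Onapsis or RedRays; the Common Log Format pattern, the constructed sample lines, and the names hunt, WATCHLIST and SAMPLE_LOG are assumptions.

```python
import re
from urllib.parse import urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"  # endpoint named on this page
WATCHLIST = {"cache.jsp"}                              # webshell name named on this page

# Assumption: Common Log Format. Adjust the pattern to your server's configured log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def hunt(lines):
    """Return (line_no, client_ip, rule, severity) tuples for suspicious requests."""
    uploaders = set()   # clients whose POST to the uploader was accepted (2xx)
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue    # unparseable line: skipped here; count these in production
        # Drop the query string and normalise case before comparing paths.
        path = urlsplit(m["target"]).path.lower().rstrip("/")
        ip, ok = m["ip"], m["status"].startswith("2")
        if m["method"] == "POST" and path == UPLOADER_PATH:
            # Any POST is worth a look; an accepted one is the urgent case.
            findings.append((n, ip, "uploader_post", "high" if ok else "info"))
            if ok:
                uploaders.add(ip)
        elif path.endswith(".jsp") and ok:
            if ip in uploaders:
                findings.append((n, ip, "jsp_after_upload", "high"))
            elif path.rsplit("/", 1)[-1] in WATCHLIST:
                findings.append((n, ip, "watchlisted_jsp", "medium"))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Apr/2025:10:01:02 +0000] "GET /app/home HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader?a=b HTTP/1.1" 200 87',
    '203.0.113.9 - - [25/Apr/2025:10:02:15 +0000] "GET /example/helper.jsp HTTP/1.1" 200 12',
    '198.51.100.7 - - [25/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0',
    '192.0.2.44 - - [25/Apr/2025:10:04:00 +0000] "GET /example/cache.jsp HTTP/1.1" 200 40',
    '192.0.2.44 - - [25/Apr/2025:10:05:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The per-client correlation misses a webshell that is uploaded from one address and accessed from another, so treat every accepted uploader POST as a lead in its own right and compare JSP files on disk against a known-good baseline.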
Conclusion
CVE-2025-31324 poses a severe risk to organizations using SAP NetWeaver, particularly in manufacturing and government sectors. Immediate patching is non-negotiable, and unpatched systems should be isolated. Historical delays in SAP vulnerability remediation (e.g., CVE-2017-9844) suggest attackers will continue exploiting this flaw aggressively.
References
1. SAP Security Note 3594142. SAP, April 2025.
2. ReliaQuest Threat Spotlight. ReliaQuest, April 2025.
3. “Critical Vulnerability in SAP NetWeaver”. Cybersecurity Dive, April 2025.
4. CVE-2025-31324 Scanner. RedRays, April 2025.
5. “Over 1,200 SAP NetWeaver Servers Vulnerable”. BleepingComputer, April 2025.