
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with CVE-2025-31324, an unrestricted file upload vulnerability in SAP NetWeaver. This addition follows confirmed evidence of active exploitation in the wild, marking it as a priority for federal agencies and private sector organizations alike [1].
Executive Summary for Security Leadership
The newly listed CVE-2025-31324 affects SAP NetWeaver systems, allowing attackers to upload arbitrary files that could lead to remote code execution. Federal agencies must remediate this vulnerability by May 20, 2025, per Binding Operational Directive (BOD) 22-01 requirements [2]. While mandatory for federal entities, CISA strongly recommends all organizations prioritize this vulnerability due to its active exploitation status.
- CVE Identifier: CVE-2025-31324
- Affected Product: SAP NetWeaver
- Vulnerability Type: Unrestricted File Upload (Remote Code Execution)
- Federal Remediation Deadline: May 20, 2025
- Exploitation Status: Confirmed active attacks
Technical Analysis of CVE-2025-31324
The SAP NetWeaver vulnerability allows unauthenticated attackers to upload malicious files to vulnerable systems. This weakness stems from insufficient validation of file types and content in the application’s upload functionality. Successful exploitation could grant attackers persistent access to affected systems, with potential lateral movement across enterprise networks [3].
Recent KEV Catalog additions show a pattern of high-risk vulnerabilities, with 60% of 2025 entries involving remote code execution or privilege escalation. The SAP vulnerability fits this trend, particularly targeting enterprise middleware systems that often process sensitive data [4].
Remediation and Mitigation Strategies
For federal agencies bound by BOD 22-01, remediation must be completed by the specified deadline. SAP has released security notes addressing this vulnerability, which administrators should apply immediately [5]. Organizations should:

| Action | Details |
|---|---|
| Patch Management | Apply SAP Security Note 0003321754 or later updates |
| Network Controls | Restrict access to SAP NetWeaver administration interfaces |
| Monitoring | Search for unexpected file uploads in application logs |

For organizations using automated vulnerability management systems, CISA provides the KEV Catalog in machine-readable formats (CSV, JSON) that can integrate with SIEM and SOC workflows [6].
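As an added illustration of the machine-readable integration described above (example code written for this page, not a CISA or SAP tool), the script below matches a KEV JSON excerpt against a constructed asset inventory and reports days remaining until each BOD 22-01 due date. The KEV field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate`) are those of CISA's feed; the inventory hostnames and the second catalog entry are constructed placeholders.

```python
"""Match the CISA KEV JSON feed against an asset inventory and track BOD 22-01 due dates."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (real URL:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# First entry's cveID/vendor/product/dueDate are from the article; second is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "product": "NetWeaver",
     "vulnerabilityName": "SAP NetWeaver Unrestricted File Upload Vulnerability",
     "dueDate": "2025-05-20"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry, not a real CVE", "dueDate": "2025-01-01"},
]})

# Constructed asset inventory: (hostname, vendor, product) as a CMDB export might provide.
INVENTORY = [
    ("erp-app-01", "SAP", "NetWeaver"),
    ("erp-app-02", "sap", "NetWeaver AS Java"),
    ("web-proxy-02", "nginx", "nginx"),
]


def kev_exposure(kev_json, inventory, today_iso):
    """Return one finding per (asset, KEV entry) whose vendor and product match,
    sorted so the nearest or most overdue BOD 22-01 due date comes first."""
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host, vendor, product in inventory:
        for entry in catalog:
            # Vendor must match exactly (case-insensitive); the product test is a
            # substring match so "NetWeaver AS Java" still matches "NetWeaver".
            if entry["vendorProject"].lower() != vendor.lower():
                continue
            if entry["product"].lower() not in product.lower():
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": host, "cveID": entry["cveID"],
                             "name": entry["vulnerabilityName"],
                             "dueDate": entry["dueDate"],
                             "days_remaining": days_left,
                             "overdue": days_left < 0})
    findings.sort(key=lambda f: f["days_remaining"])
    return findings


if __name__ == "__main__":
    for f in kev_exposure(KEV_SAMPLE, INVENTORY, date.today().isoformat()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_remaining']} days left"
        print(f"{f['host']}: {f['cveID']} due {f['dueDate']} ({status})")
```

In production the `KEV_SAMPLE` string would be replaced by the downloaded feed and the inventory by a CMDB or scanner export; the matching logic is the part worth keeping.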
Operational Relevance and Detection
The unrestricted file upload vulnerability presents multiple risks for enterprise environments. Attackers may use this weakness to deploy web shells, establish persistence, or exfiltrate data. Security teams should examine their SAP NetWeaver instances for signs of compromise, particularly looking for:
“Unexpected files in upload directories, particularly with executable extensions or in locations not typically accessed by normal application operation.”
Western Australia’s SOC has demonstrated effective response to similar vulnerabilities, implementing mandatory patching within two weeks of CISA’s KEV listing for comparable threats [7]. This approach serves as a model for timely response to critical vulnerabilities.
Conclusion
CVE-2025-31324 represents a clear and present danger to organizations using SAP NetWeaver, with confirmed exploitation already occurring. The vulnerability’s inclusion in the KEV Catalog underscores its severity and the need for immediate action. While federal agencies face mandatory remediation deadlines, all organizations should treat this vulnerability as high priority given its exploitation status and potential impact.
Security teams should coordinate with SAP support for specific patching guidance and monitor CISA’s KEV Catalog for updates. The agency continues to add vulnerabilities meeting its criteria, making regular review of the catalog an essential part of organizational vulnerability management programs [8].
References
- “Known Exploited Vulnerabilities Catalog.” CISA, 2025.
- “Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.” CISA, 2021.
- “CVE-2025-31324.” CVE, 2025.
- “WA SOC Advisory on CISA KEV Additions.” Western Australia SOC, 2025.
- “SAP Security Note 0003321754.” SAP, 2025.
- “Holm Security’s KEV Guide.” Holm Security, 2025.
- “Understanding CISA’s Added Exploited Vulnerabilities.” WindowsForum, 2025.
- “ENISA Threat Landscape Reports.” ENISA, 2025.