Cybersecurity Threat Advisory

SAP published a critical vulnerability, CVE-2025-31324, with a CVSSv3 score of 10.0. The flaw is actively exploited in the wild. Successful exploitation can lead to arbitrary file uploads, leading to remote code execution (RCE) and full system compromise. Review this Cybersecurity Threat Advisory to learn how you can protect your environment from exploitation.

What is the threat?

CVE-2025-31324 is a critical zero-day vulnerability affecting the Visual Composer component of SAP NetWeaver. This vulnerability is caused by a missing authorization check in the Metadata Uploader component, specifically at the endpoint /developmentserver/metadatauploader. The flaw allows unauthenticated remote attackers to send crafted HTTP POST requests to upload arbitrary files to the SAP server without credential validation.

This vulnerability is highly dangerous because the uploaded files are not subject to security filtering or verification. As a result, an attacker can upload malicious scripts, executable web shells, or other payloads that execute within the SAP NetWeaver server context. These payloads can grant the attacker RCE on the underlying host, providing full system-level control over the SAP application environment. With this access, the attacker can manipulate SAP configurations, exfiltrate sensitive data, install backdoors, or use the compromised system as a pivot point to move laterally within the organization’s internal network.

Additionally, because the exploit requires no prior access, user interaction, or complex chaining of vulnerabilities, it is easily automatable. Threat actors can perform mass scanning across IP ranges to discover vulnerable systems, then deploy payloads at scale with minimal effort. In confirmed incidents, attackers have used this vulnerability to deploy persistent web shells, allowing them to return to compromised environments even after reboots or patching—especially if the shell was placed in overlooked directories or paired with privilege escalation techniques. This makes early detection and containment extremely challenging, further raising the threat level of CVE-2025-31324.

Why is it noteworthy?

This vulnerability is particularly noteworthy because it affects SAP NetWeaver, a core component in many business environments. The vulnerability is easily exploitable, unauthenticated, and leads directly to full system compromise, and threat actors are actively targeting exposed SAP systems to deploy web shells and establish persistent access. SAP’s delayed release of a public advisory behind a login wall has further raised concerns in the security community regarding transparency and timely risk mitigation.

What is the exposure or risk?

Organizations running vulnerable versions of SAP NetWeaver with Visual Composer exposed to internal or external networks are at high risk of exploitation. The ability for unauthenticated actors to upload and execute malicious files grants attackers full control over the underlying application server. This could lead to data theft, business disruption, financial fraud, and compliance violations, especially in industries handling regulated data. If exploited, the attacker could alter core business workflows, extract confidential records (such as HR, payroll, or financial data), and move laterally within the corporate environment, posing a significant risk to enterprise integrity and continuity.

What are the recommendations?

Barracuda strongly recommends that organizations take these additional steps to protect their SAP NetWeaver environments:

  • Install the latest SAP security updates that address CVE-2025-31324. Refer to SAP’s official patch documentation via the SAP ONE Support Portal.
  • Restrict access to the /developmentserver/metadatauploader endpoint via firewalls or reverse proxies if immediate update is not possible.
  • Review logs for suspicious POST requests to the vulnerable endpoint and check for unauthorized file uploads or web shells.
  • Deploy or update WAF rules to block attempts to interact with known vulnerable SAP endpoints.
  • Ensure SAP systems are not publicly exposed and are isolated from general user access.
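The log-review recommendation above can be turned into a simple first-pass triage script. The following is an added example written for this advisory, not code from Barracuda or SAP. It assumes the web server access log is in a generic combined-log layout (SAP's own ICM/HTTP log format may differ, so the regex would need adjusting) and uses constructed sample lines. It flags every request to the /developmentserver/metadatauploader endpoint, rates an accepted POST (2xx response) as high severity, and then watches for the same client fetching a .jsp/.jspx resource afterwards, which is the pattern a dropped web shell would produce.

```python
import re
from dataclasses import dataclass

# Endpoint named in the advisory as the vulnerable Metadata Uploader path.
VULN_ENDPOINT = "/developmentserver/metadatauploader"
# Server-side script types that a web shell on NetWeaver would typically use.
SCRIPT_SUFFIXES = (".jsp", ".jspx")

# Generic combined-log layout; assumption for this example, not SAP's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (addresses are documentation ranges, paths are invented).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [25/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.7 - - [25/Apr/2025:10:01:11 +0000] "GET /irj/root/constructed_example.jsp HTTP/1.1" 200 88
10.0.0.12 - - [25/Apr/2025:10:02:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    rule: str
    severity: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Compare on the path only, ignoring query string and case.
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    return rec


def analyze(log_text):
    """Scan access-log text and return a list of Finding objects worth a closer look."""
    findings = []
    suspect_ips = set()  # clients whose POST to the uploader got a 2xx response
    for n, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"] == VULN_ENDPOINT:
            accepted = rec["method"] == "POST" and 200 <= rec["status"] < 300
            severity = "high" if accepted else "medium"
            findings.append(Finding(n, rec["ip"], "uploader-endpoint-access", severity,
                                    f'{rec["method"]} {rec["target"]} -> {rec["status"]}'))
            if accepted:
                suspect_ips.add(rec["ip"])
        elif rec["ip"] in suspect_ips and rec["path"].endswith(SCRIPT_SUFFIXES):
            # A script fetched by a client that just uploaded something is the
            # follow-up pattern to check for a dropped web shell.
            findings.append(Finding(n, rec["ip"], "possible-webshell-followup", "high",
                                    f'{rec["method"]} {rec["target"]} -> {rec["status"]}'))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.rule} from {f.ip}: {f.detail}")
```

Any "uploader-endpoint-access" hit on an unpatched system warrants checking the server's web directories for files created around that timestamp, and a "possible-webshell-followup" hit should be treated as a likely compromise rather than a scan.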

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Vincent Yu

Vincent is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Vincent supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
