
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the urgency of remediation due to active exploitation in the wild.
1. Vulnerability Overview
CVE-2025-31324: Unrestricted File Upload Flaw
- Description:
  - This vulnerability exists in the Metadata Uploader component of SAP NetWeaver Visual Composer.
  - It allows unauthenticated attackers to upload malicious executable files to vulnerable systems, leading to remote code execution (RCE).
  - The flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
- Severity:
  - CVSS Score: 10.0 (Critical).
  - Impact: Immediate full compromise of affected systems.
2. Affected Products
SAP NetWeaver Application Server Java
- The flaw is specific to the Visual Composer component (VCFRAMEWORK 7.50).
- Vulnerable endpoint: /developmentserver/metadatauploader.
3. Exploitation Details
How It Works
- Attackers leverage the vulnerable endpoint to upload JSP webshells, providing backdoor access to compromised systems.
- Exploitation requires no authentication or special privileges, making it highly accessible to attackers.
Observed Techniques
- Threat actors have been observed using advanced post-exploitation tools, including:
  - Brute Ratel for red team operations.
  - Heaven's Gate technique for bypassing security mechanisms.
  - Injection of MSBuild-compiled code into system processes for stealth.
4. Impact
Potential Risks
- Remote Code Execution: Attackers gain full control over the targeted SAP system.
- Data Breach: Sensitive business data, financial records, and personally identifiable information are at risk.
- Pivoting: Exploited systems can serve as footholds for lateral movement into connected networks.
5. Mitigation Strategies
A. Apply Security Updates
SAP has released emergency patches to address CVE-2025-31324. Organizations must update their systems immediately to prevent exploitation.
B. Restrict Access
- Limit exposure of the vulnerable endpoint (/developmentserver/metadatauploader) to trusted IP addresses.
- Disable the Visual Composer component if it is not actively used.
C. Monitor for Exploitation
- Forward logs to a Security Information and Event Management (SIEM) system for analysis.
- Scan the servlet path for unauthorized files, such as unexpected JSP files, using available tools.
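The two monitoring steps above can be turned into concrete checks. The script below is an added example written for this page, not tooling from CISA or SAP. It assumes the HTTP access log is in NCSA combined format (SAP's own log format is configurable, so the regex may need adapting), takes the trusted source ranges as a list of CIDRs, and compares JSP files found under the servlet path against a known-good baseline inventory; the log lines and file paths it runs on are constructed sample data.

```python
"""Detection helpers for CVE-2025-31324 monitoring (added example, not from the advisory)."""
import os
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory.
VULNERABLE_ENDPOINT = "/developmentserver/metadatauploader"

# Assumed log format: NCSA combined style, as most reverse proxies write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_attempts(lines, trusted_cidrs):
    """Return every request that touched the uploader endpoint.

    Each hit is flagged 'untrusted_source' when the client IP is outside the
    allowlist, 'write' when the method could carry an upload, and 'success'
    when the server answered 2xx (an upload that most likely landed).
    """
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string before comparing the path.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.startswith(VULNERABLE_ENDPOINT):
            continue
        try:
            is_trusted = any(ip_address(rec["ip"]) in net for net in trusted)
        except ValueError:  # unparsable client address: treat as untrusted
            is_trusted = False
        status = int(rec["status"])
        hits.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "status": status,
            "untrusted_source": not is_trusted,
            "write": rec["method"] in ("POST", "PUT"),
            "success": 200 <= status < 300,
        })
    return hits


def unexpected_jsp_files(relative_paths, baseline):
    """Return JSP files (sorted) that are not in the known-good baseline.

    The baseline is assumed to be an inventory taken from a freshly deployed
    or freshly patched system; anything outside it deserves a look.
    """
    known = {p.replace("\\", "/").lower() for p in baseline}
    found = [p for p in relative_paths
             if p.replace("\\", "/").lower().endswith(".jsp")
             and p.replace("\\", "/").lower() not in known]
    return sorted(found)


def walk_relative(root):
    """Yield file paths under root, relative to root, to feed the JSP check."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.relpath(os.path.join(dirpath, name), root)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [25/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.5.20 - - [25/Apr/2025:10:15:11 +0000] "GET /irj/portal HTTP/1.1" 200 8830 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Apr/2025:10:16:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '10.0.5.21 - - [25/Apr/2025:10:17:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(hit)
    # Constructed directory listing standing in for walk_relative(<servlet path>).
    print(unexpected_jsp_files(["WEB-INF/web.xml", "index.jsp", "tmp/helper.jsp"],
                               baseline=["index.jsp"]))
```

The first check is what a SIEM rule should express: any request to the uploader endpoint from outside the trusted ranges is worth an alert, and a successful write from such a source should be treated as a probable compromise rather than a probe. The second check is only as good as its baseline, so capture the inventory from a clean system before relying on it.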
6. Compliance Requirements
Federal Agencies
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by May 20, 2025.
Conclusion
The addition of CVE-2025-31324 to the KEV Catalog underscores the critical nature of this vulnerability and the importance of immediate action. Organizations using SAP NetWeaver must prioritize patching and implement robust access controls to mitigate risks.