🔴 CVE-2025-31324

Critical file upload vulnerability in SAP NetWeaver Visual Composer development server allows unauthenticated attackers to upload malicious executables for remote code execution. The vulnerability is actively exploited in the wild and listed in CISA KEV catalog.

← Back to Overview
HIGH_RISK
Risk Level
10.0
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
MEDIUM
Deployment Risk
Yes (+401d)
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-24

Added to CISA KEV: 2025-04-29 5 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-31324 is a critical security vulnerability affecting the SAP NetWeaver Application Server (AS) Java, specifically within the Visual Composer component (VCFRAMEWORK) [3] [4].

Vulnerability Overview
  • Nature of Flaw: The vulnerability is an unrestricted file upload issue caused by a lack of proper authorization checks in the Visual Composer Metadata Uploader [1] [6].
  • Severity: It is rated with a CVSS score of 10.0 (the highest possible severity) [4].
  • Impact: Successful exploitation allows an unauthenticated attacker to upload malicious executable binaries to the host system, potentially leading to complete system compromise, including loss of confidentiality, integrity, and availability [1] [4].
Exploitation and Threat Activity
  • Active Exploitation: The vulnerability has been confirmed as actively exploited in the wild, particularly in the United States and the European Union [4]. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog shortly after its disclosure in April 2025 [1].
  • Threat Actors: Security researchers have linked the exploitation of this vulnerability to a China-affiliated threat actor group identified as Chaya_004 [5].
  • Attack Requirements: Exploitation is network-based and does not require user interaction or authentication, making it highly dangerous [1] [4].
  • PoC Availability: Proof-of-concept (PoC) exploit code has been publicly associated with the vulnerability, including references to activity by groups like ShinyHunters [3].
Mitigation and Status
  • Status: As of June 2026, the vulnerability is well-documented, and SAP has provided patches to address the flaw [2].
  • Recommendation: Organizations running SAP NetWeaver AS Java should ensure they are on the latest security patch levels. Given the severity and the history of active exploitation, immediate patching and monitoring for unauthorized file uploads in the Visual Composer component are critical for ERP security [2].

Sources

  1. CVE-2025-31324 Detail - NVD

    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious ... An official website of the United States government Here's how you know ... CVE-2025-31324 Detail. Description. SAP NetWeaver Visual Compos…

  2. CVE-2025-31324: A Year in Cybersecurity Insights

    One year after the disclosure of SAP NetWeaver vulnerability CVE-2025-31324, security experts say the issue remains relevant not because of a single flaw, but because of what it ... Onapsis has also published a detailed technical analysis of CVE-2025-31324, outlining the vulnerability and related th…

  3. GitHub - aristois913/CVE-2025-31324: Proof-of-Concept 0day for SAP ...

    CVE-2025-31324 Proof-of-Concept 0day for SAP NetWeaver created by ShinyHunters CVE-2025-31324 is a critical "Unrestricted File Upload" vulnerability affecting the SAP NetWeaver Application Server (AS) Java. Specifically, it resides within the Visual Composer component (VCFRAMEWORK).

  4. CVE-2025-31324: Active Exploitation of SAP Vulnerability

    CVE‑2025‑31324 is a critical SAP NetWeaver Java vulnerability in the Visual Composer component. It allows unauthenticated attackers to upload malicious files and potentially take complete control of affected SAP systems. Why is CVE‑2025‑31324 critical? Rated CVSS 10.0 (highest severity), this SAP vu…

  5. CVE-2025-31324 Vulnerability Removal Report

    Threat Database Vulnerability CVE-2025-31324 Vulnerability ... Security researchers have linked a China-affiliated threat actor, dubbed Chaya_004, to the exploitation of a critical SAP NetWeaver vulnerability identified as CVE-2025-31324. ... GOSINT : A tool used for open-source intelligence (OSINT)…

  6. CVE-2025-31324 in SAP NetWeaver enables malicious file ...

    This vulnerability allows for unrestricted file uploads into a SAP NetWeaver server. By exploiting this vulnerability, an adversary may upload ...

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed