In today’s instalment of “Safe Tuesday”, we focus on an extremely serious security vulnerability discovered in SAP NetWeaver systems, designated CVE-2025-31324. This vulnerability, rated at the maximum CVSS score of 10.0, is currently being actively exploited by cybercriminals worldwide. SAP has already released an appropriate patch, but many systems remain unprotected.
What is the CVE-2025-31324 vulnerability?
CVE-2025-31324 concerns the Metadata Uploader component in SAP NetWeaver Visual Composer. It is a critical “Missing Authorization” vulnerability that allows unauthenticated attackers to upload arbitrary files to an SAP system.
The problem arises from the lack of proper authentication and authorisation mechanisms when accessing the /developmentserver/metadatauploader endpoint. This component, which is normally used by developers to upload metadata when building applications in Visual Composer, can be abused by attackers to upload malicious JSP files (webshells).
Consequences for organisations
The consequences of exploiting this vulnerability are extremely serious. Successful exploitation can lead to:
- Full system compromise – the attacker gains access to the system with the privileges of the <sid>adm user, meaning practically full control over the SAP system
- Webshell upload – enabling remote command execution in the context of the system
- Database access – the ability to read and modify business data
- Lateral movement – using the compromised system as a launch point for attacks against other systems in the organisation
- Ransomware – the possibility of deploying ransomware within the corporate network
How can I check whether my system is vulnerable?
It should be stressed that not all SAP NetWeaver systems have the affected component. Visual Composer is not installed by default; however, according to SecurityBridge experts, as many as 50–70% of SAP Java systems may have this component.
Checking for the presence of the component
- Log in to the SAP NetWeaver Application Server Java
- Go to System Information → Components Info
- Check whether “VISUAL COMPOSER FRAMEWORK” or “VCFRAMEWORK” appears in the list
Recognising signs of compromise
If you notice any of the following files in the locations listed below, your system may already be compromised:
- .jsp, .java or .class files in the /usr/sap/<SID>/<Instance>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root directory
- Similar files in the /irj/work and /irj/work/sync directories
- Files with random 8-character names and a .jsp extension
- Files named helper.jsp or cache.jsp in any location
Known webshell signatures:
- helper.jsp: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
- cache.jsp: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
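The checks listed above can be combined into one scan of the irj directory. The following is an added example, not code from SAP or SecurityBridge; it assumes the scan base is the .../servlet_jsp/irj directory (so that root, work and work/sync are its subdirectories), that the listed signatures are SHA-256 values, and that "random 8-character name" can be approximated by name length alone, so hits are triage leads rather than proof.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Signature values listed on this page, treated here as SHA-256 digests.
KNOWN_HASHES = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
}
SUSPECT_EXT = {".jsp", ".java", ".class"}
RANDOM_JSP = re.compile(r"^[A-Za-z0-9]{8}\.jsp$")  # name-length heuristic only
# Assumption: the scan base is .../servlet_jsp/irj, so these are its subdirectories.
WATCHED_DIRS = {"root", "work", "work/sync"}

def scan(irj_base):
    """Return sorted (relative_path, reason) findings below irj_base."""
    base, findings = Path(irj_base), set()
    for path in (p for p in base.rglob("*") if p.is_file()):
        rel = path.relative_to(base).as_posix()
        parent = path.parent.relative_to(base).as_posix()
        if path.name.lower() in KNOWN_HASHES.values():
            findings.add((rel, "known webshell file name"))
        if RANDOM_JSP.match(path.name):
            findings.add((rel, "8-character .jsp name"))
        if parent in WATCHED_DIRS and path.suffix.lower() in SUSPECT_EXT:
            findings.add((rel, "code file in watched directory"))
        # Hash every file so a renamed copy of a known webshell is still caught.
        if hashlib.sha256(path.read_bytes()).hexdigest() in KNOWN_HASHES:
            findings.add((rel, "SHA-256 matches known webshell"))
    return sorted(findings)

def demo():
    """Scan a constructed directory tree of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "root/index.html": b"<html></html>",
            "root/Ab3dE9xZ.jsp": b"placeholder",
            "work/sync/cache.jsp": b"placeholder",
            "root/portal/legit.jsp": b"placeholder",
        }
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a live system, pass the real irj path to scan() and preserve any flagged file, with its timestamps, before removing it.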
How does an attack on this vulnerability work?
The attack mechanism is disturbingly simple. The vulnerability allows individuals without any authentication or authorisation to introduce malicious code into an SAP system. Think of it as an unsecured side entrance to a company’s building, through which any passer-by can walk straight into the management centre.
In practice, the attacker connects to the SAP system over standard internet protocols and uses the unsecured Visual Composer component to upload malicious software. The system wrongly assumes that whoever is uploading files has the appropriate authorisation, and therefore accepts them without verification.
Once such a “Trojan horse” has been installed in the system, the attacker can remotely carry out arbitrary operations, gaining access to business data, IT infrastructure and other critical company assets. All of this happens without leaving the usual traces in access-control systems, which makes the breach even harder to detect.
Particularly worrying is the fact that the attack can be carried out by anyone with access to the SAP system’s network interface – no login credentials, specialist knowledge or advanced tools are required.
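Because the upload needs no login, the HTTP access log is the first place to look for requests to the endpoint named above. The following is an added example, not part of the original article or any vendor tooling; it assumes the log is in Common Log Format, uses constructed sample lines, and the outcome labels (accepted, blocked, other) are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named on this page
# Assumption: Common Log Format; adapt the pattern to your server's log layout.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader?sample=1 HTTP/1.1" 200 112',
    '203.0.113.7 - - [01/Jan/2025:10:05:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '198.51.100.23 - - [01/Jan/2025:10:06:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jan/2025:10:06:09 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 404 0',
    'truncated or malformed line',
]

def classify(status):
    if 200 <= status < 300:
        return "accepted"   # the server processed the request: investigate first
    if status in (401, 403):
        return "blocked"    # the request was refused
    return "other"

def triage(lines):
    """Count requests to the uploader endpoint per client IP and outcome."""
    report = defaultdict(lambda: {"accepted": 0, "blocked": 0, "other": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        # Normalise before comparing: drop the query string, decode
        # percent-encoding, ignore case and a trailing slash.
        path = unquote(urlsplit(m["target"]).path).lower().rstrip("/")
        if path == ENDPOINT:
            report[m["ip"]][classify(int(m["status"]))] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```

Any source with an "accepted" count warrants a file-system check of the affected host for the time window of that request.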
How can I protect myself?
Protecting the system against this vulnerability should be treated as a top-priority task. The recommended actions are as follows:
1. Install the security patch
SAP has released an official patch under SAP Security Note 3594142. It is recommended to apply the fix as soon as possible, in accordance with SAP’s guidance.
2. Temporary measures
If immediate installation of the patch is not possible, SAP recommends implementing one of the following temporary solutions, described in SAP Note 3593336:
Option 1: Disable Visual Composer
- Disable the Visual Composer component using filters in the system configuration
- A Java server restart is required
Option 2: Deactivate the “developmentserver” application alias
- Connect to the SAP NetWeaver Administrator (http(s)://<host>:<port>/nwa)
- Navigate to: Configuration → Connectivity/Infrastructure → Java HTTP Provider Configuration → Virtual Hosts → Application Aliases
- Remove the “Active” flag for the developmentserver alias
- Save the changes (no restart required)
Option 3: Block access at the ICM level
- Add the rule “RegIForbiddenUrl ^/developmentserver(.*) -” to the ICM rules file
- An ICM restart is required
Option 4: Block access at the firewall level
- Configure firewall rules to block access to the /developmentserver/ URL
- No system restart required
Option 5: Restrict access via the DMZ
- If the Enterprise Portal is exposed to the internet, restrict access to specific URLs only
- Block all other URLs, including “developmentserver”
The role of SecurityBridge in securing systems
SNOK, as a SecurityBridge partner, offers comprehensive support in identifying, monitoring and securing SAP systems against vulnerabilities such as CVE-2025-31324.
SecurityBridge has already introduced detection mechanisms for this vulnerability, which enable:
- Automatic identification of at-risk systems across the entire SAP landscape
- Detection of attempted exploitation of the vulnerability
- Monitoring of suspicious activity related to this vulnerability
Summary
CVE-2025-31324 represents an exceptionally serious threat to SAP NetWeaver systems equipped with the Visual Composer component. With a maximum CVSS score of 10.0 and reports of active exploitation in the wild, it requires an immediate response.
We recommend:
- Immediately checking all SAP systems for the presence of the VCFRAMEWORK component
- Deploying SAP Security Note 3594142 wherever possible
- Applying one of the temporary solutions where patching is not immediately possible
- Checking systems for signs of compromise (the presence of suspicious JSP files)
If you need support in securing your SAP systems or have questions about this vulnerability, SNOK’s experts are ready to help. Contact us for expert advice and support in protecting your critical business systems.