CVE-2025-31324 - Overview, Insights & Trends

CVE-2025-31324

Published Apr 24, 2025

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-31324 is a vulnerability affecting SAP NetWeaver Visual Composer Metadata Uploader. The core issue is a missing authorization check, which allows unauthenticated attackers to upload potentially malicious executable binaries to the system. This vulnerability can be exploited by crafting malicious POST requests to deliver webshells, enabling attackers to execute system commands, upload unauthorized files, seize control of compromised systems, execute remote code, and potentially steal sensitive data.

Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Source
cna@sap.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
SAP NetWeaver Unrestricted File Upload Vulnerability
Exploit added on
Apr 29, 2025
Exploit action due
May 20, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cna@sap.com
CWE-434

Social media

Hype score
Not currently trending
  1. 🔎 In May’s VulnTracking report, we take a deep dive into SAP NetWeaver (CVE-2025-31324). What we discovered: When public exploits were released, bad actors (such as botnets) and legitimate security scanners surged simultaneously, proving both sides depend on the same https:

    @Crowd_Security

    6 Jun 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Comment: Given the active exploitation, have there been analyses of the ransomware actors’ specific techniques, tactics, and procedures (TTPs) in exploiting CVE-2025-31324, and how might t... #SAPSecurity https://t.co/f62BX6pMrb

    @storagetechnews

    4 Jun 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    1 Jun 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    30 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. China-linked Earth Lamia exploits server vulnerabilities across Asia and Brazil, using SQL injection and custom backdoors like PULSEPA to target finance, government, and more. Stay alert. 🚨 #CVE-2025-31324 #EarthLamia #Brazil https://t.co/NKNJw25FJ5

    @TweetThreatNews

    30 May 2025

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ثغرة #RCE في SAP NetWeaver CVE-2025-31324! إذا كان إصدار SAP NetWeaver 7.5X الذي تم تنشيط Visual Composer فيه يستدعي استجابة 200 OK، فاتخذ إجراءات فورية. 🔍product: sap netweaverapplicationserver 👉اطلع على

    @CriminalIP_AR

    30 May 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. SAP NetWeaver의 #RCE 취약점 CVE-2025-31324! Visual Composer가 활성화된 SAP NetWeaver 7.5X 버전이 200 OK 응답을 호출한다면 바로 조치를 취하세요. 🔍product: sap netweaverapplication server 👉#CTI 와 #ASM 을 활용한 CVE-2025-31324 대응법 자

    @CriminalIP_KR

    30 May 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    30 May 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    29 May 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Vulnerabilidad de SAP VC (CVE-2025-31324) Una falla crítica en SAP NetWeaver Visual Composer (VC) que permite la ejecución remota de código sin autenticación más info: https://t.co/Pz6fhR9h2y #PorUnEcuadorCiberseguro @Arcotel_ec @CsirtCEDIA @CsirtEPN @CSIRT_Telconet https

    @EcuCERT_EC

    27 May 2025

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    27 May 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50.

    @Operator7771337

    26 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Chaya_004 hackers linked to China exploit SAP flaw CVE-2025-31324, Forescout says, deploying custom Golang-based SuperShell tool. #CyberSecurity #SAPVulnerability #ChineseHackers https://t.co/9zfV7SOUaY

    @CyberSecTV_eu

    25 May 2025

    74 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    25 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    24 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. ⚠️ New threat advisory: SAP zero-days CVE-2025-31324 & CVE-2025-42999 are under active exploitation. Dave DeWalt (@nightdragon) called them among the most serious SAP threats in years. Get intel, IOCs & IR guidance → https://t.co/uTbBHPIoAI #SAPSecurity #CVE2025

    @onapsis

    23 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. A considerable update to our Threat Brief on CVE-2025-31324 includes new indicators that defenders can use for threat hunting. Take a look now: https://t.co/RXUuFf12tl https://t.co/R8wT93cmEU

    @Unit42_Intel

    23 May 2025

    2766 Impressions

    9 Retweets

    29 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  18. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    22 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. We link specific malware samples to the exploitation of CVE-2025-31324 in SAP NetWeaver and also identify associated network infrastructure, including C2 servers. Read our findings: https://t.co/RXUuFf12tl https://t.co/x2XHOo0QaD

    @Unit42_Intel

    22 May 2025

    2581 Impressions

    5 Retweets

    37 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  20. 【重要セキュリティ情報:CVE-2025-31324 NetWeaver Visual Composerの脆弱性】 緊急警報じゃ!SAP NetWeaverにCVSSスコア10.0の激ヤバ脆弱性が見つかったぞい!即刻対応が必要じゃ! 2025年4月のSAPセキュリティパッチデーで

    @saplabo_hakase

    22 May 2025

    198 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  21. #threatreport #LowCompleteness CVE-2025-31324: Simple Exploit, Serious Impact | 21-05-2025 Source: https://t.co/r1EufLl0Rb Key details below ↓ 💀Threats: Qilin_ransomware, Tsunami_botnet, Cobalt_strike, 🎯Victims: Major global enterprise 🌐Geo: Indonesia, China 🔓CV

    @rst_cloud

    22 May 2025

    125 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. #CyberAlerte | Vulnérabilité touchant les serveurs de SAP NetWeaver Le Centre pour la cybersécurité est au courant de l’exploitation de la vulnérabilité CVE-2025-31324 depuis le mois de mars 2025. https://t.co/mM1URbrivL

    @centrecyber_ca

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  23. #CyberAlert | Vulnerabilities impacting SAP NetWeaver servers The Cyber Centre is aware of reports that CVE-2025-31324 has been actively exploited since March 2025.  https://t.co/J1dXYjh3pk

    @cybercentre_ca

    21 May 2025

    329 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  24. Vulnerabilities impacting SAP NetWeaver (CVE-2025-31324 and CVE-2025-42999) https://t.co/DNjFh87FE7 https://t.co/ft6XgGhEwV

    @djhsecurity

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    21 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. 🚨 CVE-2025-31324 Alert: SAP NetWeaver targeted! This critical vulnerability may allow remote attackers to bypass authentication. Patch it NOW to avoid data compromise. #SAPSecurity 💼

    @peoplepulseHR

    21 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. Qilin ransomware exploited SAP zero-day vulnerability CVE-2025-31324 weeks before public disclosure, highlighting the need for prompt patching and robust security measures. #CyberSecurity #SAP #QilinRansomware https://t.co/iK8wpKdhSC

    @dailytechonx

    20 May 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. SAP NetWeaver RCE: Zero-Day Allows File Uploads, Qilin Ransomware Connection https://t.co/MYQQ91KTKe In a recent revelation, OP Innovate has uncovered early evidence of real-world exploitation of CVE-2025-31324 (CVSS 10), a The post SAP NetWeaver RCE: Zero-Day Allows File Upl

    @f1tym1

    20 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. A critical zero-day vulnerability in SAP software, CVE-2025-31324, has been exploited by the Qilin ransomware group weeks before its public disclosure. With a CVSS score of 10.0, this vulnerability allows unauthenticated file uploads to servers, highlighting an alarming trend ...

    @CybrPulse

    20 May 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    20 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. 🚨"Qilin" Ransom group exploits SAP Zero-Day Vulnerability Weeks Ahead of Public Disclosure Researchers at OP Innovate uncovered that CVE-2025-31324, a critical SAP NetWeaver Visual Composer zero-day (CVSS 10.0), was exploited by the Qilin RaaS group three weeks before public

    @Ransom_DB

    20 May 2025

    168 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  32. Chinese-linked APT groups (UNC5221, UNC5174, CL-STA-0048) exploited CVE-2025-31324 in SAP NetWeaver Visual Composer to gain persistent remote access to critical infrastructure worldwide. Stealthy webshells & malware used. 🌍🔒 #China #SAPVulnerability https://t.co/DVDiaKK

    @TweetThreatNews

    20 May 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. La principal amenaza se centra en dos vulnerabilidades criticas en los sistemas SAP: CVE-2025-31324 y CVE-2025-42999. https://t.co/lNbXfTukiq #alertasdeciberseguridad #Ataquesciberneticos #BarracudaNetworks #Ciberseguridad #Firewall #SAP https://t.co/BBh316TicY

    @Cobra_Networks

    19 May 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. ''China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide'' #infosec #pentest #redteam #blueteam https://t.co/ms7APzDzqs

    @CyberWarship

    19 May 2025

    1612 Impressions

    7 Retweets

    13 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  35. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    19 May 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. SAP NetWeaver の脆弱性 CVE-2025-31324:第二波の攻撃を観測 https://t.co/2dXXXm7pum 先月末に報じられたばかりの SAP NetWeaver の脆弱性 CVE-2025-31324 ですが、早くも第二波の攻撃が観測されたとのことです。該当の SAP NetWeaver

    @iototsecnews

    19 May 2025

    106 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    19 May 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    18 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    17 May 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  40. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    17 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  41. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    16 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure https://t.co/vOB6W38mtS https://t.co/Qec9bWone5

    @secharvesterx

    15 May 2025

    59 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Ransomware su SAP NetWeaver: sfruttato il CVE-2025-31324 per l’esecuzione remota di codice 📌 Link all'articolo : https://t.co/8p79rP5cVD #redhotcyber #hacking #cti #ai #online #it #cybercrime #cybersecurity #technology #news #cyberthreatintelligence #innovation #privacy ht

    @redhotcyber

    15 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 中国のAPTグループがSAP NetWeaverのゼロデイ脆弱性(CVE-2025-31324)を悪用し、世界中の重要インフラを標的に攻撃を展開。少なくとも581のSAPインスタンスが侵害され、Webシェルやマルウェアが展開された。SAPは緊

    @01ra66it

    15 May 2025

    340 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  45. Actively exploited CVE : CVE-2025-31324

    @transilienceai

    15 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  46. A recently disclosed critical security flaw (CVE-2025-31324) impacting the #SAP #NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. #Cybersecurity #infosec #cybercrime https://t.co/0d0wEfi7V9 https://t.co/CDjoV8NLR

    @twelvesec

    14 May 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🚨 Chinese hackers are using a fresh bug in SAP’s NetWeaver software (CVE-2025-31324) to slip into factories, utilities and other critical sites around the world. If your company runs SAP, install the patch or take servers offline right now. #CyberSecurity

    @unitv_network

    14 May 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  48. Chinese APT groups exploit SAP NetWeaver 0-day (CVE-2025-31324) to target critical infrastructures worldwide. Organizations must patch systems and enhance security measures. #CyberSecurity #SAP #APT https://t.co/BT1HjBXk2Y

    @dailytechonx

    14 May 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Cybercriminals, including RansomEXX, BianLian, and Chinese APTs, are exploiting CVE-2025-31324 to remotely target unpatched SAP NetWeaver systems, risking global infrastructure & federal agencies. Patch now! ⚠️ #CyberThreat #SAPVuln #USA https://t.co/H7jvH1299H

    @TweetThreatNews

    14 May 2025

    89 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  50. 🔥 Two ransomware gangs—BianLian and RansomExx—are now exploiting a critical SAP flaw (CVE-2025-31324). They’re not alone. Nation-state hackers are in the mix too. One exploit. Full system access. 🔗 Read the full breakdown: https://t.co/bnqxoQLk8s

    @TheHackersNews

    14 May 2025

    11485 Impressions

    36 Retweets

    104 Likes

    12 Bookmarks

    0 Replies

    2 Quotes

Configurations