Cyber Resilience

CVE-2025-31324

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 24 April 2025
Modified: 31 October 2025
KEV Added: 29 April 2025
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4366 (97.6th percentile)
Risk Priority: 66 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31324 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in SAP NetWeaver. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

The SAP NetWeaver Visual Composer Metadata Uploader contains an authorization bypass vulnerability (CWE-434) that permits unauthenticated uploads of arbitrary executable binaries. The flaw affects the SAP NetWeaver component and carries a CVSS 3.1 base score of 10.0, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and complete loss of confidentiality, integrity, and availability, with a scope change to other system components.

Unauthenticated remote attackers can exploit the issue to upload and execute malicious binaries on the host, enabling full system compromise. Successful attacks can therefore result in arbitrary code execution with severe impact on the targeted SAP environment and any connected systems.

SAP has published remediation guidance in security note 3594142 and the April 2025 patch day release. Multiple independent reports confirm that the vulnerability was under active exploitation in the wild shortly after disclosure, including suspected zero-day usage prior to the availability of patches.

The associated EPSS score has risen sharply from a low baseline to a current value of 0.4366 with a recorded peak of 0.4871, indicating that exploitation interest increased materially after public disclosure.

Vulnerability details

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

CWE(s): CWE-434
KEV Date Added: 29 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sap netweaver 7.50

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces authorization checks on the Metadata Uploader endpoint so that only authenticated users may upload files.

prevent: Requires identification and authentication of non-organizational users before any upload action is accepted, eliminating the unauthenticated path exploited by CVE-2025-31324.

prevent: Validates file type, content, and extension of uploaded binaries to block dangerous executable formats even if an upload request reaches the component.