CVE-2025-31324
Published: 24 April 2025
Summary
CVE-2025-31324 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Sap Netweaver. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
SAP NetWeaver Visual Composer Metadata Uploader contains an authorization bypass vulnerability (CWE-434) that permits unauthenticated file uploads of arbitrary executable binaries. The flaw affects the SAP NetWeaver component and carries a CVSS 3.1 base score of 10.0, reflecting network-accessible attack vector, low complexity, no required privileges or user interaction, and complete loss of confidentiality, integrity, and availability with scope change to other system components.
Unauthenticated remote attackers can exploit the issue to upload and execute malicious binaries on the host, enabling full system compromise. Successful attacks can therefore result in arbitrary code execution with severe impact on the targeted SAP environment and any connected systems.
SAP has published remediation guidance in security note 3594142 and the April 2025 patch day release. Multiple independent reports confirm that the vulnerability was under active exploitation in the wild shortly after disclosure, including suspected zero-day usage prior to the availability of patches.
The associated EPSS score has risen sharply from a low baseline to a current value of 0.4366 with a recorded peak of 0.4871, indicating that exploitation interest increased materially after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11987
Vulnerability details
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the…
more
targeted system.
- CWE(s)
- KEV Date Added
- 29 April 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the Metadata Uploader endpoint so that only authenticated users may upload files.
Requires identification and authentication of non-organizational users before any upload action is accepted, eliminating the unauthenticated path exploited by CVE-2025-31324.
Validates file type, content, and extension of uploaded binaries to block dangerous executable formats even if an upload request reaches the component.