What is SAP NetWeaver?
SAP NetWeaver is the foundational application platform for SAP's enterprise software suite, underpinning SAP ERP, S/4HANA, and related enterprise applications used by organizations worldwide for financials, HR, supply chain, and procurement. SAP NetWeaver's Visual Composer is a development tool that enables business users to create data-intensive web applications. The Metadata Uploader endpoint within Visual Composer accepts file uploads for application metadata. Because SAP systems contain the most sensitive operational data in an enterprise, a pre-authentication RCE on SAP NetWeaver represents one of the highest-impact vulnerability classes possible.
Overview
CVE-2025-31324 is a maximum-severity unrestricted file upload vulnerability (CWE-434, CVSS 10.0) in the SAP NetWeaver Visual Composer Metadata Uploader. An unauthenticated remote attacker can upload arbitrary executable files, including JSP webshells, to the SAP NetWeaver application server. Uploaded files execute with the privileges of the SAP administrator OS user (<sid>adm), giving the attacker complete control of the SAP system. Earth Lamia (China-nexus APT) exploited this as a zero-day beginning in January 2025, compromising over 580 SAP systems globally before SAP issued the emergency patch in April 2025.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| SAP NetWeaver VCFRAMEWORK 7.50 | All builds before SAP Note 3594142 | Apply SAP Security Note 3594142 |
Visual Composer (and thus this vulnerability) is enabled by default in SAP NetWeaver 2004s and later. The developmentServer endpoint at /developmentserver/metadatauploader is the attack entry point — it must be disabled if Visual Composer is not used.
Technical Details
The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) is in the Visual Composer Metadata Uploader, accessible at the endpoint path /developmentserver/metadatauploader. This endpoint, intended for developers uploading application metadata, accepts multipart HTTP POST requests without requiring authentication. There is no restriction on file type, extension, or content of the uploaded file.
An attacker submits a crafted HTTP POST request containing a malicious JSP file as the upload payload. The file is written to a directory served by the SAP J2EE web application server. When the attacker subsequently requests the JSP file over HTTP, it executes as the SAP administrator OS user (<sid>adm), providing full control of the SAP system, including access to all SAP data, the ability to create SAP users, and OS-level command execution.
CVE-2025-31324 (unauthenticated upload) was used as the first stage of an exploit chain with CVE-2025-42999 (Visual Composer deserialization, which on its own requires a privileged role). The chain achieves full unauthenticated RCE; both CVEs must be patched.
Discovery
Onapsis identified active in-the-wild exploitation during incident response, tracing reconnaissance back to January 20, 2025. Mandiant also published analysis of the exploitation. SAP issued the emergency patch on April 24, 2025.
Exploitation Context
Earth Lamia (China-nexus APT, tracked by Trend Micro) exploited CVE-2025-31324 as a zero-day beginning approximately January 2025, roughly three months before SAP's patch. The campaign escalated to confirmed webshell deployments by March 14, 2025. EclecticIQ attributed widespread scanning to China-nexus threat actors, with over 580 critical SAP systems compromised across government agencies, utilities, manufacturers, and financial institutions. Ransomware operators subsequently incorporated the exploit chain after it became public. CISA added CVE-2025-31324 to the KEV catalog with the "known ransomware use" flag set and a 21-day federal remediation deadline.
Remediation
- Apply SAP Security Note 3594142 immediately — download via the SAP Support Portal (requires SAP S-User credentials).
- Also apply CVE-2025-42999 patch (SAP Note 3604119) — both are required to close the full exploit chain.
- Disable Visual Composer if not used: in SAP NetWeaver Configuration Manager, set `vc/enabled=false` to eliminate the attack surface entirely.
- Hunt for webshells: search the Visual Composer directory for unexpected `.jsp`, `.war`, or `.class` files. Check `<SID>/J<instance>/j2ee/cluster/apps/sap.com/vc70runtime/` and related directories.
- Review SAP system logs for unexpected `<SID>adm` OS commands executed from the J2EE application server process.
- Block external access to the `/developmentserver/` path at your SAP web dispatcher or perimeter firewall if Visual Composer must remain enabled.
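The pattern from the technical details above (a POST to the Metadata Uploader followed by the same client fetching a JSP) and the log-review step in this list can be turned into a simple hunting rule. The following is an added example written for this page, not code from SAP or from any of the cited researchers; the access-log layout, the client IPs and the JSP paths are constructed assumptions, so adapt the regex to the log source you actually have.

```python
import re
from datetime import datetime

UPLOADER = "/developmentserver/metadatauploader"

# Assumed log layout (constructed, not an actual SAP ICM/J2EE log format):
# <client-ip> [<ISO timestamp>] "<METHOD> <path> HTTP/1.x" <status>
LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')

# Constructed sample lines: IPs are documentation ranges, JSP paths are illustrative.
SAMPLE_LOG = """\
10.20.30.5 [2025-03-14T08:59:51] "GET /irj/portal HTTP/1.1" 200
203.0.113.7 [2025-03-14T09:02:14] "POST /developmentserver/metadatauploader HTTP/1.1" 200
203.0.113.7 [2025-03-14T09:02:20] "GET /irj/servlet_jsp/irj/root/helper.jsp?x=1 HTTP/1.1" 200
198.51.100.9 [2025-03-14T11:40:03] "POST /developmentserver/metadatauploader HTTP/1.1" 403
10.20.30.5 [2025-03-14T12:01:00] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200
"""

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status)}

def detect(log_text):
    """Return (kind, ip, path) alerts: every uploader POST, plus any JSP fetched
    by a client after the server accepted an upload from that same client."""
    alerts = []
    accepted_from = {}  # client ip -> timestamp of its first accepted (2xx) upload
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        bare_path = ev["path"].split("?")[0]
        if ev["method"] == "POST" and bare_path == UPLOADER:
            # Any POST to the pre-auth uploader is worth an alert; a blocked one
            # still records scanning against the endpoint.
            ok = 200 <= ev["status"] < 300
            alerts.append(("uploader_post_accepted" if ok else "uploader_post_blocked",
                           ev["ip"], ev["path"]))
            if ok:
                accepted_from.setdefault(ev["ip"], ev["ts"])
        elif ev["method"] == "GET" and bare_path.endswith(".jsp"):
            t0 = accepted_from.get(ev["ip"])
            if t0 is not None and ev["ts"] >= t0 and ev["status"] == 200:
                # Same client executes a JSP after a successful upload: webshell pattern.
                alerts.append(("jsp_after_upload", ev["ip"], ev["path"]))
    return alerts
```

JSP requests from clients with no preceding accepted upload (the last sample line) are deliberately not flagged, so normal portal traffic stays quiet; widen the rule if the uploader sits behind a proxy that hides client IPs.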
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-31324 |
| Vendor / Product | SAP — NetWeaver |
| NVD Published | 2025-04-24 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 |
| CISA KEV Added | 2025-04-29 |
| CISA KEV Deadline | 2025-05-20 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2025-01-20 | Earth Lamia begins reconnaissance of SAP NetWeaver systems (Onapsis) |
| 2025-03-14 | First confirmed webshell deployments via unauthenticated upload |
| 2025-04-24 | SAP Security Note 3594142 published; CVE published; emergency out-of-band patch |
| 2025-04-29 | CISA adds both CVE-2025-31324 and CVE-2025-42999 to KEV catalog |
| 2025-05-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| SAP Security Note 3594142 (login required) | Vendor Advisory |
| Onapsis — CVE-2025-31324 Threat Research | Security Research |
| NVD — CVE-2025-31324 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Trend Micro — Earth Lamia Threat Actor Research | Security Research |
| Mandiant — SAP NetWeaver Zero-Day Analysis | Security Research |
| China-Linked APTs Exploit SAP CVE-2025-31324 | News |