CVE-2025-31324: Critical SAP NetWeaver Visual Composer Zero-Day (10.0 CVSS)

May 28, 2025

CVE-2025-31324 represents a critical zero-day vulnerability in SAP NetWeaver Visual Composer, boasting a perfect 10.0 CVSS severity score. This flaw allows for unauthorized file uploads, posing a significant risk of remote code execution and server compromise. AccuKnox offers comprehensive CNAPP solutions to defend against such sophisticated threats.

TL;DR

  • CVE-2025-31324 is a critical zero-day in SAP NetWeaver Visual Composer with a CVSS 10.0, allowing unauthenticated remote code execution via unrestricted file upload.
  • The vulnerability exploits the unsecured /developmentserver/metadatauploader endpoint to upload malicious JSP webshells.
  • Major APT and ransomware groups like BianLian and RansomEXX are actively exploiting unpatched systems.
  • Immediate fixes include applying SAP Security Note 3594142, patching NetWeaver, and disabling the deprecated Visual Composer module.
  • AccuKnox’s File Integrity Monitoring detects and blocks unauthorized file uploads, safeguarding critical SAP directories against exploitation.

In April 2025, the global cybersecurity community confronted a new and exceptionally dangerous vulnerability in SAP’s flagship middleware platform, SAP NetWeaver Visual Composer. Tracked as CVE-2025-31324, this flaw carries a CVSS 3.1 score of 10.0, reflecting its catastrophic impact potential. SAP NetWeaver underpins many core enterprise business processes spanning ERP, CRM, and supply chain functions across financial institutions, critical infrastructure, manufacturing, and government sectors worldwide.

What makes CVE-2025-31324 particularly alarming is the ability for unauthenticated, remote attackers to execute arbitrary code via an unrestricted file upload flaw, effectively handing adversaries complete control over critical SAP application servers. The vulnerability lies in a legacy Visual Composer component that remains enabled in many organizations despite its formal deprecation, exposing a vast attack surface with minimal barriers.

For SOC teams, SAP administrators, and CISOs responsible for safeguarding these vital assets, understanding the full scope of this vulnerability, from exploitation mechanics to threat actor behavior, is paramount. This blog delivers a comprehensive, technical breakdown and strategic guidance to defend against this evolving threat.

What is CVE-2025-31324?

Simply put, CVE-2025-31324 is an unrestricted file upload vulnerability in the Visual Composer module of SAP NetWeaver Application Server Java (AS Java). It enables unauthenticated remote attackers to upload malicious JSP files (webshells) directly into sensitive SAP application directories without any input validation or authorization checks.

Once a webshell is uploaded, attackers can remotely execute commands, escalate privileges, persist undetected, and move laterally inside enterprise networks, all through HTTP requests to the compromised SAP server.

The vulnerable endpoint at the heart of this flaw is: /developmentserver/metadatauploader

Originally intended to facilitate metadata handling and application development workflows, it lacks critical security controls, turning it into a vector for complete compromise.

The root cause of CVE-2025-31324 is inadequate validation and authentication in the Visual Composer metadata uploader endpoint. The server blindly accepts multipart/form-data POST requests containing files and, without verifying the content type or enforcing access control, saves them under the following directory: /j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/

Timeline of Discovery

  1. April 22, 2025: Initial detection by ReliaQuest’s threat intelligence team during proactive monitoring of suspicious file uploads to SAP environments.
  2. May 2, 2025: Follow-up detection reports expand to include novel JSP webshell variants like rrx.jsp, indicating attacker innovation.
  3. May 14, 2025: Intelligence analysis attributes exploitation campaigns to notorious APT and ransomware groups, including BianLian and RansomEXX (Storm-2460), revealing high-risk threat actor interest.

Systems Affected

  • SAP NetWeaver Application Server Java (AS Java) versions before the April 24, 2025, patch.
  • Environments with the Visual Composer component enabled — a module deprecated since 2015, but still frequently left enabled due to legacy dependencies.
  • Systems exposing the /developmentserver context path publicly or over trusted networks.
  • Both on-premises and hybrid cloud SAP deployments that run older NetWeaver stacks without aggressive hardening.

Notably, many government, manufacturing, and critical infrastructure operators still run unpatched Visual Composer instances, widening the attacker’s reach.

Exploitation Steps

An unauthenticated attacker can exploit CVE-2025-31324 by sending a specially crafted HTTP POST request to the vulnerable /developmentserver/metadatauploader endpoint, uploading a malicious .jsp webshell. This file is then saved to a web-accessible directory, typically under /irj/, without any authentication or validation. The attacker can subsequently trigger the webshell by issuing an HTTP GET request to a URL such as https://<sap_server>/irj/helper.jsp?cmd=id, where the cmd parameter contains arbitrary operating system commands. The server executes these commands in real time and returns the output directly in the HTTP response. 

This attack flow exposes several critical security failures: the absence of authentication checks for file uploads, no restrictions on file type or extension, and no execution controls or sandboxing on uploaded content. 

While the vulnerable endpoint is not exposed by default, it is frequently accessible in real-world SAP environments due to legacy configurations or misconfigured deployments. Together, these weaknesses form a highly effective remote code execution (RCE) pathway that adversaries can easily exploit.
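
The request sequence described above leaves a recognizable trail in HTTP access logs. The following is an added example, not code from AccuKnox or SAP: a small hunt over access-log lines that flags requests to the uploader endpoint and any .jsp request under /irj/ that follows an accepted upload. The Common/Combined Log Format, the sample lines and the rule names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named in the article
WEB_ROOT = "/irj/"                                   # web path the article says uploads land under

# Assumption: Common/Combined Log Format; adapt LINE_RE to your proxy or SAP HTTP log layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Apr/2025:10:01:02 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [22/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 12
203.0.113.9 - - [22/Apr/2025:10:02:15 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 48
198.51.100.7 - - [22/Apr/2025:10:03:00 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 404 0
truncated or malformed line
"""

def hunt(lines):
    """Return (line_no, rule, client_ip, target) for requests matching the flow above."""
    findings, upload_seen = [], False
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the hunt
        # Decode and lowercase the path so encoded or mixed-case variants still match.
        path = unquote(urlsplit(m["target"]).path).lower()
        ok = m["status"].startswith("2")
        if path.rstrip("/") == UPLOAD_PATH:
            accepted = m["method"] == "POST" and ok
            upload_seen = upload_seen or accepted
            rule = "upload_accepted" if accepted else "uploader_probe"
            findings.append((n, rule, m["ip"], m["target"]))
        elif upload_seen and ok and path.startswith(WEB_ROOT) and path.endswith(".jsp"):
            # A served JSP after an accepted upload is the pattern worth triaging first.
            findings.append((n, "jsp_request_after_upload", m["ip"], m["target"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The JSP rule only fires when the accepted upload appears earlier in the same log window, so pair it with a file-system check when logs have rotated.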

How to Mitigate CVE-2025-31324

Immediate Remediation Steps

  1. Patch Deployment:
    • Apply SAP Security Note 3594142 without delay.
    • Upgrade SAP NetWeaver AS Java instances to the latest patched versions.
  2. Disable Deprecated Components:
    • Remove or disable the Visual Composer module entirely.
    • Remove the /developmentserver application alias from web.xml and SAP configs.
  3. Log Aggregation & Monitoring:
    • Forward SAP logs (IIS/Apache and SAP Java server logs) to centralized SIEM/SOAR platforms.
    • Enable alerts for suspicious HTTP requests or JSP execution.
  4. File Integrity Checks:
    • Regularly scan SAP deployment directories for unauthorized .jsp, .class, or .java files.
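
One way to run the file integrity check from step 4, as an added example that is not AccuKnox's or SAP's own tooling: it goes a step beyond a plain scan by comparing .jsp, .class and .java files against a known-good SHA-256 baseline, so both new and altered files are reported. The directory tree built in demo() is constructed for the example and stands in for a real deployment directory.

```python
import hashlib
import tempfile
from pathlib import Path

SUSPECT_EXT = {".jsp", ".class", ".java"}  # extensions listed in the remediation step

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every suspect-extension file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SUSPECT_EXT
    }

def diff_against_baseline(root, baseline):
    """Return sorted (status, relative_path) pairs: 'new', 'modified' or 'missing'."""
    current = snapshot(root)
    out = [("new", p) for p in current if p not in baseline]
    out += [("modified", p) for p in current
            if p in baseline and current[p] != baseline[p]]
    out += [("missing", p) for p in baseline if p not in current]
    return sorted(out)

def demo():
    """Constructed tree: take a baseline, then simulate unauthorized changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "irj" / "root"  # stand-in directory, not a real SAP path
        root.mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- vendor page --%>")
        (root / "logo.png").write_bytes(b"\x89PNG")
        baseline = snapshot(root)        # taken from a known-good state
        (root / "helper.jsp").write_text("<%-- unexpected file --%>")  # appears later
        (root / "index.jsp").write_text("<%-- altered --%>")           # changed in place
        (root / "notes.txt").write_text("ignored: not a suspect extension")
        return diff_against_baseline(root, baseline)

if __name__ == "__main__":
    for status, path in demo():
        print(f"{status:9} {path}")
```

Store the baseline somewhere the SAP service account cannot write to, otherwise a compromise can rewrite it along with the files.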

How AccuKnox’s File Integrity Monitoring Addresses CVE-2025-31324

  • AccuKnox’s FIM, configured to monitor critical SAP NetWeaver directories like /usr/sap/ or specific Visual Composer component paths, would have immediately detected any unauthorized file uploads. This proactive blocking prevents malicious payloads from even being written to disk.
  • By setting key directories to readOnly: true, AccuKnox would have blocked attempts to create new, unauthorized files, a core component of the CVE-2025-31324 exploitation vector.
  • Real-time notifications of any suspicious file activity would provide crucial early warning.
  • Maintaining the integrity of core SAP system binaries and configuration files would prevent further compromise, even post-exploitation.

Long-Term Strategic Measures

  • Conduct SAP security posture reviews focusing on legacy modules and unused components.
  • Implement application-layer filtering and runtime protection for SAP Java environments.
  • Harden SAP communication channels with mutual TLS and authentication.
  • Enforce the principle of least privilege on SAP users and services.
  • Perform regular red team exercises simulating RCE attacks via file uploads.

Conclusion

CVE-2025-31324 is an unambiguous wake-up call for the SAP ecosystem: decades-old, deprecated modules left unpatched and exposed create a perfect environment for adversaries to breach critical infrastructure. The vulnerability’s combination of unauthenticated, unrestricted file upload and legacy exposure translates into a near-absolute takeover risk for vulnerable SAP NetWeaver environments.

The rapid weaponization by sophisticated ransomware and APT groups heightens the urgency. SOC teams must treat this vulnerability as a top-priority incident, accelerating patching, threat hunting, and hardening efforts.

SAP administrators and CISOs should leverage this incident as a catalyst for comprehensive SAP security modernization, disabling legacy modules, enforcing robust access controls, and integrating SAP logs into enterprise detection frameworks.

Effective mitigation requires speed, vigilance, and strategic investment to protect SAP’s critical role in enterprise operations against an increasingly hostile cyber threat landscape.
