CVE‑2025‑31324 | SAP | RCE
CVE‑2025‑31324
| Vulnerability | CVE‑2025‑31324 |
|---|---|
| Type | Missing Authorization Check / Unrestricted File Upload (RCE) |
| Description | CVE‑2025‑31324 is a critical unauthenticated file upload vulnerability in SAP NetWeaver AS Java (Visual Composer). A missing authorization check allows attackers to upload arbitrary files (e.g., JSP webshells) via the /developmentserver/metadatauploader endpoint, resulting in remote code execution with SAP Java service account privileges. |
| Affected Systems | SAP NetWeaver AS Java versions 7.0–7.5 with Visual Composer enabled. |
| Attack Vector | Remote network access; unauthenticated attacker sends crafted HTTP POST requests to the vulnerable endpoint. |
| Exploit Mechanism | Upload of malicious JSP files (webshells) that are later accessed to run OS commands under the SAP instance user account. |
| Impact of the Bug | Full system compromise: attacker can execute arbitrary code, steal or modify business data, deploy malware, or disrupt SAP services. |
| Detection & IOCs | - Log & Endpoint Monitoring: Watch for POST requests to /developmentserver/metadatauploader. - File System Scans: Unexpected JSP/webshell files in Visual Composer directories (e.g. /irj/servlet_jsp/irj/root/). - Process/Network Anomalies: SAP service account spawning unusual processes (cmd/bash) or outbound connections to untrusted IPs. - SAP Logs: Review Security Audit logs and trace files for Visual Composer misuse. |
| Mitigation Steps | - Apply SAP Security Note 3594142 (April 2025 patch). - If patching is delayed: remove the vulnerable component (devserver_metadataupload_ear). - Restrict external access to Visual Composer endpoints. - Post-patch, investigate and remove any malicious files or accounts. |
| Workaround (if available) | Remove/disable Visual Composer Metadata Uploader service as per SAP KBA 3593336 Option 0 until patching. |
| References | NVD · SAP Note 3594142 · Onapsis · Unit42 · Rapid7 |
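
The log-monitoring check from the Detection & IOCs row, as an added example (not code from SAP or from the referenced vendors). The access-log layout, the status-code interpretation, the `/irj/` URL prefix for files under the irj root, and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named on this page
JSP_PREFIX = "/irj/"  # assumption: files in .../irj/root/ are served below /irj/

# Assumed layout: client ... "METHOD URI PROTOCOL" status (adapt to your log format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines using documentation-only IP ranges.
SAMPLE = [
    '192.0.2.10 - - [22/Apr/2025:10:01:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120',
    '198.51.100.7 - - [22/Apr/2025:10:02:40 +0000] "GET /irj/example.jsp HTTP/1.1" 200 33',
    '203.0.113.9 - - [22/Apr/2025:10:05:00 +0000] "POST /developmentserver/%6Detadatauploader HTTP/1.1" 403 0',
]

def normalise(uri):
    """Drop the query string, decode percent-escapes, collapse '//' and lower-case."""
    path = unquote(urlsplit(uri).path)
    return re.sub(r"/{2,}", "/", path).lower()

def triage(lines):
    """Return (kind, client, path, status) findings in log order."""
    findings, upload_seen = [], False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production job should count these
        path, status = normalise(m["uri"]), int(m["status"])
        if path.rstrip("/") == UPLOAD_PATH:
            if m["method"] != "POST":
                kind = "uploader-probe"
            elif status < 400:
                # Assumption: a status below 400 means the server processed the upload.
                kind, upload_seen = "upload-accepted", True
            else:
                kind = "upload-rejected"
            findings.append((kind, m["client"], UPLOAD_PATH, status))
        elif upload_seen and path.startswith(JSP_PREFIX) and path.endswith(".jsp"):
            # Any JSP fetched after an accepted upload is a lead for the file-system scan.
            findings.append(("jsp-after-upload", m["client"], path, status))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each `jsp-after-upload` hit names a file to check against the known-good contents of the Visual Composer directories during the file-system scan.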