CVE-2025-31324: Missing Authorization check in SAP NetWeaver (Visual Composer development server)

10.0 CVSS

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization check, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Known Exploited

🚨 Marked as known exploited on April 25th, 2025.

Classification

CVE ID: CVE-2025-31324

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem Types

CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: SAP_SE

Product: SAP NetWeaver (Visual Composer development server)

Nuclei Template

http/cves/2025/CVE-2025-31324.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 78.65% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 98.97% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-23 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://me.sap.com/notes/3594142
https://url.sap/sapsecuritypatchday
https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html

Timeline