1. Executive Summary
CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader that enables unauthenticated arbitrary file upload, which can be leveraged for remote code execution (RCE) and full system compromise. The issue stems from missing/insufficient authorisation controls on the affected upload functionality, allowing an external attacker to place executable artefacts on the application server. According to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, the vulnerability was added due to evidence of active exploitation, and CISA also flags known ransomware campaign use. (GitHub)
Organisations operating internet-facing SAP NetWeaver Java systems—particularly those with Visual Composer enabled—should treat this as an emergency patching and incident response priority. Multiple defenders and public-sector alerts indicate exploitation has occurred “in the wild”, with follow-on activity likely where webshells were left behind. (Onapsis)
2. Contextual Background
2.1 Nature of the threat
- CVE-2025-31324 — Missing authorisation/controls in SAP NetWeaver Visual Composer Metadata Uploader enabling unauthenticated upload of potentially malicious executable binaries.
- Vendor advisory: SAP Security Note 3594142 for CVE-2025-31324
- NVD (GitHub)
SAP’s remediation story for this incident is commonly discussed alongside a second issue:
- CVE-2025-42999 — A related weakness described as insecure deserialisation / handling of untrusted content (privileged context) where SAP notes indicate customers who applied 3594142 should also implement 3604119.
- Vendor advisory: SAP Security Note 3604119 for CVE-2025-42999
- NVD (NVD)
2.2 Threat-actor attribution (if any)
Public reporting attributes exploitation to multiple distinct actor sets, including financially motivated operators. However, the most defensible, source-backed position is that this has been widely exploited opportunistically, with ransomware-linked use confirmed by CISA’s KEV dataset.
Confidence: Confirmed (active exploitation), Confirmed (known ransomware campaign use) — per CISA KEV entry for CVE-2025-31324. (GitHub)
Note: Some vendor blogs and secondary outlets speculate on specific actor names; this report does not treat those as confirmed attribution unless supported by primary IR reporting from a named CTI provider or government bulletin.
2.3 Sector and geographic targeting
SAP NetWeaver underpins mission-critical ERP and business process workflows across sectors; defenders have highlighted exploitation affecting globally distributed enterprises and critical services. UK public-sector reporting assessed further exploitation as highly likely, particularly where SAP systems are internet-exposed and patching windows are constrained. (NHS England Digital)
3. Technical Analysis
3.1 Vulnerability mechanics and TTPs (MITRE ATT&CK mapped)
Core behaviour: An attacker can reach the Visual Composer Metadata Uploader without authentication and upload arbitrary files. Because the upload lands in directories that the irj web application serves, a dropped JSP (or compiled class) can then be executed simply by requesting it over HTTP, which turns the upload into remote code execution under the SAP Java server's account. NVD describes the impact as severe across confidentiality, integrity, and availability. (NVD)
Commonly reported post-exploitation patterns include:
- Uploading web-executable files (e.g., .jsp, .java, .class) into application-served directories and then invoking them via HTTP. (darktrace.com)
- Accessing the uploader endpoint with crafted requests consistent with exploit attempts (example patterns appear in incident tooling and detection artefacts). (GitHub)
MITRE ATT&CK technique mapping (representative):
- Initial Access: Exploit Public-Facing Application — T1190
- Execution: Command and Scripting Interpreter (server-side) — T1059
- Persistence: Server Software Component / Webshell-like persistence (where applicable) — T1505.003
- Defence Evasion: Obfuscated/Randomised artefact names (common in webshell drops) — T1027
- Collection/Discovery (post-compromise, environment-dependent): System/Network Discovery — T1082, T1046
3.2 Exploitation status (in the wild, PoCs, and chaining)
- Active exploitation: Onapsis reports active exploitation in the wild and provides a detailed timeline based on its sensor network and incident response collaboration. (Onapsis)
- Government validation: CISA KEV includes CVE-2025-31324 with a required remediation deadline and flags known ransomware use. (GitHub)
- UK alerting: NHS England’s cyber alerting references active exploitation and stresses urgent remediation. (NHS England Digital)
Onapsis further reports that exploitation was often discussed in the context of CVE-2025-42999 as a follow-on patch requirement to address residual/root-cause risk in Visual Composer. (Onapsis)
4. Impact Assessment
4.1 Severity and scope
- CVSS: NVD lists CVSS v3.1 10.0 (Critical) with network attack vector and no privileges required. (NVD)
- Operational impact: Successful exploitation can enable full compromise of SAP application servers, including disruption of ERP-dependent business processes, data theft, fraud, and downstream lateral movement (depending on connectivity and credentials exposure). This is consistent with the “severe harm” language in NVD’s description and the KEV classification. (NVD)
4.2 Victim profile
Observed and at-risk victims include organisations running SAP NetWeaver Java with Visual Composer components enabled, particularly where the system is internet-facing. Public-sector guidance highlights that patching may lag due to business criticality, sustaining exposure. (NHS England Digital)
5. Indicators of Compromise (IOCs)
5.1 IOC table (source-backed only)
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| HTTP endpoint | /developmentserver/metadatauploader | Commonly referenced upload endpoint associated with exploitation attempts. | Onapsis exploitation analysis (Onapsis) |
| HTTP pattern | ?CONTENTTYPE=MODEL&CLIENT=1 | Example exploit-attempt pattern shown in Onapsis/Mandiant compromise assessment tooling output (treat as detection lead, not a definitive signature). | Onapsis/Mandiant compromise assessment tool (GitHub) |
| File path (Windows) | C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\ | Path family highlighted for web-executable artefact scanning in incident tooling guidance. | Onapsis/Mandiant compromise assessment tool (GitHub) |
| File path (Windows) | C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\ | Same as above; often used for generated JSP artefacts and is a high-signal inspection area. | Onapsis/Mandiant compromise assessment tool (GitHub) |
| File path (Windows) | C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync\ | Same as above; flagged in compromise assessment guidance. | Onapsis/Mandiant compromise assessment tool (GitHub) |
| Web path | /irj/*.jsp | Example post-exploitation access patterns shown in tooling output (filenames may vary; treat as hunting lead). | Onapsis/Mandiant compromise assessment tool (GitHub) |
| File extensions | .jsp, .java, .class | File types frequently referenced as attacker-deployed web-executable artefacts in reporting. | Darktrace exploitation tracking (darktrace.com) |
Important: The Onapsis/Mandiant tool README contains example output (including example filenames and hashes). Treat these as investigation starting points rather than universal "known-bad" indicators unless you can corroborate them against your own telemetry and case evidence. The paths above are given in Windows form; on UNIX/Linux hosts the same directory family sits under /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/. (GitHub)
5.2 Detection guidance
Recommended defensive approach:
- Run a purpose-built compromise assessment: Use the Onapsis/Mandiant CVE-2025-31324 compromise assessment tool to (a) validate patch state, (b) scan high-risk directories, and (c) triage HTTP access logs and Java traces for exploit/post-exploit sequences. (GitHub)
- Log review/hunting:
  - HTTP access logs: requests to /developmentserver/metadatauploader (especially POSTs carrying CONTENTTYPE=MODEL&CLIENT=1 that returned 200), followed by requests for .jsp files under /irj/ from the same source address. (GitHub)
  - Java default traces (defaultTrace*.trc) and SAP application logs for the same windows, to confirm or rule out server-side activity matching the HTTP sequence. (GitHub)
- EDR/SIEM analytics: Alert on web-server spawned processes (e.g., Java servlet/container processes spawning shells or system utilities), and on suspicious write activity into the servlet_jsp served directories. (Exact query syntax will vary by platform; use your normal "webshell + process spawn" detections aligned to T1505.003 and T1059.)
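The following is an added example, not part of the original report and not the Onapsis/Mandiant tool's code: a small Python triage script that applies the hunting logic above to HTTP access log lines. It classifies hits on the Metadata Uploader endpoint (accepted POST matching the CONTENTTYPE=MODEL&CLIENT=1 pattern versus probe), picks out direct .jsp requests under /irj/, and correlates the two by source address. The log lines are constructed (combined-log-style, RFC 5737 test addresses, an invented JSP name x1.jsp); the 600-second correlation window is an assumption to tune against your own traffic.

```python
"""Triage SAP NetWeaver HTTP access logs for CVE-2025-31324 exploit/post-exploit sequences.

Added example (not the report's or the Onapsis/Mandiant tool's code). Log lines,
addresses and the JSP name below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-log-style line: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample (RFC 5737 test addresses, invented JSP name); not real case data.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [24/Apr/2025:10:02:10 +0000] "GET /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 112
198.51.100.7 - - [24/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 32
198.51.100.7 - - [24/Apr/2025:10:02:15 +0000] "GET /irj/x1.jsp?cmd=id HTTP/1.1" 200 64
203.0.113.10 - - [24/Apr/2025:10:03:00 +0000] "GET /irj/portal/favicon.ico HTTP/1.1" 200 318
192.0.2.44 - - [24/Apr/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k.upper(): v for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def classify_uploader(rec):
    """Label a hit on the Metadata Uploader endpoint; None if the path is something else."""
    if rec["path"].lower() != UPLOADER_PATH:
        return None
    q = rec["query"]
    model_upload = q.get("CONTENTTYPE", [""])[0].upper() == "MODEL" and "CLIENT" in q
    if rec["method"] == "POST" and model_upload and rec["status"] == 200:
        return "probable_upload"         # exploit-attempt pattern and the server accepted it
    if rec["status"] == 404:
        return "probe_component_absent"  # endpoint not served: component missing or disabled
    return "probe"                       # GET or rejected request: scanner / reconnaissance


def is_jsp_under_irj(rec):
    """Direct .jsp requests under /irj/ are the post-exploitation access pattern to hunt."""
    p = rec["path"].lower()
    return p.startswith("/irj/") and p.endswith(".jsp")


def triage(log_text, window_seconds=600):
    """Return uploader hits, /irj/*.jsp hits, and upload->jsp chains per source address."""
    uploader_hits, jsp_hits = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_uploader(rec)
        if kind:
            rec["kind"] = kind
            uploader_hits.append(rec)
        elif is_jsp_under_irj(rec):
            jsp_hits.append(rec)
    # Chain: same source requests a .jsp under /irj/ within the window after an accepted upload.
    uploads_by_src = defaultdict(list)
    for h in uploader_hits:
        if h["kind"] == "probable_upload":
            uploads_by_src[h["src"]].append(h["ts"])
    chains = []
    for j in jsp_hits:
        for t in uploads_by_src.get(j["src"], []):
            delta = (j["ts"] - t).total_seconds()
            if 0 <= delta <= window_seconds:
                chains.append({"src": j["src"], "upload_ts": t.isoformat(),
                               "jsp_path": j["path"], "seconds_after_upload": delta})
                break
    return {"uploader_hits": uploader_hits, "jsp_hits": jsp_hits, "chains": chains}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["uploader_hits"]:
        print(f"{h['ts'].isoformat()} {h['src']:>15} {h['method']:4} {h['status']} {h['kind']}")
    for c in result["chains"]:
        print("CHAIN:", c)
```

A chain hit is a lead for the forensic collection in section 6.2, not proof of compromise; a standalone probable_upload with no follow-on JSP request still deserves a directory sweep, because the dropped file may have been invoked from another address or not yet at all. A 404 on the uploader path says the component is not served on that host today, not that it was never exposed.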
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Isolate exposed systems (or at minimum restrict inbound access at network edge) if compromise is suspected and business impact allows.
- Patch immediately:
- Apply SAP Security Note 3594142 (CVE-2025-31324). (GitHub)
- Apply SAP Security Note 3604119 (CVE-2025-42999), which SAP/NVD note as necessary even if 3594142 was implemented. (NVD)
- Eradicate web-executable artefacts:
  - Remove unauthorised .jsp/.java/.class files discovered in the irj/servlet_jsp/irj/ directory families (root, work, work/sync), after preserving copies and hashes for the investigation. (darktrace.com)
- Rotate credentials potentially exposed on the application server (service accounts, SAP admin accounts, integration credentials).
- Validate integrity of SAP application components and deployed EAR/WAR/JSP artefacts; consider rebuild from known-good media if integrity cannot be assured.
6.2 Forensic artefacts to collect and preserve
- HTTP access logs (including responses logs referenced in the Onapsis/Mandiant tool guidance). (GitHub)
- Java default trace logs (defaultTrace*.trc) and SAP application logs around suspected exploitation windows. (GitHub)
- Full directory listings + hashes of .../j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root, .../irj/work and .../irj/work/sync. (GitHub)
- Volatile data (process list, network connections) if you suspect live hands-on-keyboard activity.
6.3 Lessons learned
- Treat internet-exposed ERP/application platforms as high-priority attack surfaces with dedicated monitoring and tighter change windows.
- Ensure SAP security notes are operationalised with emergency patch procedures, not just monthly cadence, when KEV/active exploitation signals are present. (GitHub)
7. Threat Intelligence Contextualisation
7.1 Similar incidents and patterns
CVE-2025-31324 fits a recurring pattern: public-facing enterprise middleware abused for initial access and rapid monetisation (webshell placement → credential harvesting → lateral movement → extortion/ransomware). CISA’s KEV “known ransomware campaign use” flag is consistent with this operational playbook. (GitHub)
7.2 Full MITRE ATT&CK mapping (observed lifecycle)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Unauthenticated abuse of Visual Composer Metadata Uploader. (NVD) |
| Execution | T1059 | Command and Scripting Interpreter | Post-upload execution via server-side artefacts / command execution following compromise. (Onapsis) |
| Persistence | T1505.003 | Server Software Component: Web Shell | Upload of web-executable files (commonly .jsp) and subsequent HTTP invocation. (darktrace.com) |
| Defence Evasion | T1027 | Obfuscated/Compressed Files and Information | Use of uncommon/randomised file names for web-executable artefacts (hunting lead). (GitHub) |
| Discovery | T1082 | System Information Discovery | Common post-exploitation activity in enterprise server compromises (validate via your telemetry). |
| Discovery | T1046 | Network Service Discovery | Lateral movement preparation in flat SAP-adjacent networks (validate via your telemetry). |
8. Mitigation Recommendations
8.1 Hardening and best practice
- Remove or restrict exposure of SAP NetWeaver management and development components from the public internet (front with VPN, IP allowlists, or WAF where appropriate).
- Implement strict file integrity monitoring on SAP Java served directories (especially servlet_jsp trees). (GitHub)
- Ensure high-fidelity logging (HTTP access + SAP Java traces) is centralised and retained for incident timelines. (GitHub)
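As an added example serving both the artefact collection in 6.2 (directory listings plus hashes of the irj root, work and work/sync trees) and the file integrity monitoring recommendation above (this is not the report's or the Onapsis/Mandiant tool's code): a Python inventory of web-executable files under the irj servlet_jsp tree, hashed and diffed against a known-good baseline. The directory tree, file names (app.jsp, x1.jsp) and contents are constructed in a temporary directory; in a real run you would point inventory() at /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj (or the C:\usr\sap\... equivalent) and keep the baseline JSON from a verified clean state.

```python
"""Inventory and baseline-diff web-executable artefacts under the irj servlet_jsp tree.

Added example (not the report's or the Onapsis/Mandiant tool's code). Paths, file
names and contents below are constructed for demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Subtrees the IOC table highlights under .../irj/servlet_jsp/irj/ ; work/sync is
# reached by recursing into work, so it is not listed separately.
WATCHED_SUBDIRS = ("root", "work")
WEB_EXEC_EXTS = {".jsp", ".java", ".class"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large compiled artefacts do not load into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(irj_base):
    """Map relative POSIX path -> hash/size/timestamps for every web-executable file.

    Both mtime and ctime are recorded: mtime is trivially timestomped, whereas on
    Linux ctime is the inode change time and is much harder for an attacker to forge.
    """
    base = Path(irj_base)
    out = {}
    for sub in WATCHED_SUBDIRS:
        d = base / sub
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p.is_file() and p.suffix.lower() in WEB_EXEC_EXTS:
                st = p.stat()
                out[p.relative_to(base).as_posix()] = {
                    "sha256": sha256_file(p),
                    "size": st.st_size,
                    "mtime": int(st.st_mtime),
                    "ctime": int(st.st_ctime),
                }
    return out


def diff_against_baseline(current, baseline):
    """Classify files as added (new drop), removed, or modified (content hash changed)."""
    cur, base = set(current), set(baseline)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(k for k in cur & base
                           if current[k]["sha256"] != baseline[k]["sha256"]),
    }


def demo():
    """Constructed stand-in for <InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj."""
    tmp = Path(tempfile.mkdtemp(prefix="irj_"))
    (tmp / "root").mkdir()
    (tmp / "work" / "sync").mkdir(parents=True)
    (tmp / "root" / "app.jsp").write_text("<%-- constructed known-good page --%>")
    baseline = inventory(tmp)  # in practice: JSON saved from a verified clean state
    # Simulate what a post-exploitation sweep must catch: a new JSP dropped into
    # work/sync and a tampered known file (same name, different hash).
    (tmp / "work" / "sync" / "x1.jsp").write_text("<%-- constructed unexpected file --%>")
    (tmp / "root" / "app.jsp").write_text("<%-- constructed tampered page --%>")
    return diff_against_baseline(inventory(tmp), baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything in "added" or "modified" goes straight into the 6.2 evidence set (copy, hash, both timestamps) before any eradication step; a monitoring job running inventory() on a schedule and alerting on a non-empty diff gives the file integrity control recommended above without depending on the attacker choosing a recognisable filename.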
8.2 Patch management advice (prioritised)
- Immediate (same-day):
- SAP Security Note 3594142 (CVE-2025-31324) + NVD (GitHub)
- Immediate follow-up:
- SAP Security Note 3604119 (CVE-2025-42999) + NVD — explicitly noted as required even if the first note was implemented. (NVD)
- Use KEV-driven prioritisation: CISA lists a remediation due date and flags known ransomware use. (GitHub)
9. Historical Context & Related Vulnerabilities
- SAP NetWeaver has a history of being targeted when internet-facing; defenders have previously tracked exploitation of older SAP NetWeaver flaws in the wild (contextual risk indicator, not evidence of linkage to this CVE). (darktrace.com)
- Closely related: CVE-2025-42999 (Visual Composer) — addressed via SAP Security Note 3604119 as part of the broader remediation posture around the 31324 incident. (NVD)
10. Future Outlook
Expect continued scanning and exploitation attempts where:
- SAP NetWeaver instances remain internet-exposed,
- patching is delayed due to outage constraints,
- defenders fail to detect already-planted web-executable artefacts (creating a “second wave” risk via opportunistic access). Onapsis reporting highlights follow-on attacker activity leveraging previously established footholds. (Onapsis)
11. Further Reading
Vendor / vulnerability records
- SAP Security Note 3594142 for CVE-2025-31324
- NVD entry for CVE-2025-31324 (NVD)
- SAP Security Note 3604119 for CVE-2025-42999
- NVD entry for CVE-2025-42999 (NVD)
Government & public-sector alerting
- NHS England cyber alert on CVE-2025-31324 (NHS England Digital)
- Canadian Centre for Cyber Security advisory on CVE-2025-31324 / CVE-2025-42999 (Canadian Centre for Cyber Security)
- CISA KEV data entry (JSON) including CVE-2025-31324 (GitHub)
Defender analysis & tooling
- Onapsis analysis: active exploitation of CVE-2025-31324 (Onapsis)
- Onapsis/Mandiant compromise assessment tool (GitHub) (GitHub)
- Red Canary detection-focused write-up (Red Canary)
- Darktrace tracking of exploitation activity (darktrace.com)
