On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50.
CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployments.
The core issue with this vulnerability is a missing authorization check in the Metadata Uploader, accessible via the /developmentserver/metadatauploader endpoint. This means that any user, even unauthenticated ones, can interact with this endpoint and upload arbitrary files to the server.
Here's a breakdown of how the vulnerability works:
Unrestricted access: The /developmentserver/metadatauploader endpoint is exposed over HTTP/HTTPS and lacks proper authentication or authorization controls.
Malicious file upload: An attacker can send a specially crafted HTTP request to the vulnerable endpoint, containing a malicious file as the request body.
File system access: Due to the missing authorization check, the server accepts the attacker's request and writes the uploaded file to the server's file system. The file is often written to a location within the web application's accessible directories (e.g., under /irj/servlet_jsp/irj/root/).
Web shell execution (common scenario): If the attacker uploads a web shell like a Java server page (JSP) file, the attacker can then access the web shell via a web browser. Now residing on the server, this web shell allows an attacker to execute arbitrary operating system commands with the privileges of the SAP application server process.
System compromise: With the ability to execute commands as an SAP system administrator (system account name: sidadm), an attacker effectively gains control of the SAP system and its associated data. The attacker can then perform various malicious activities.
CVE-2025-31324 allows attackers to bypass security controls and directly upload and execute malicious files on vulnerable SAP servers, potentially leading to complete system compromise. The ease of exploitation (no authentication required) and the possibility for high impact make this a critical vulnerability that requires immediate attention and remediation.
