OVERVIEW
CVE-2025-31324 is a critical vulnerability affecting the SAP NetWeaver Visual Composer's Metadata Uploader component, which lacks proper authorization controls. This flaw allows unauthenticated attackers to upload malicious executable files to the system, ultimately enabling remote code execution with the same privileges as the SAP application. With a maximum CVSS score of 10.0 and an EPSS rating of 0.78, this vulnerability poses an extreme risk, as successful exploitation gives adversaries the ability to deploy webshells, execute arbitrary commands, and establish persistent access to business-critical SAP servers used across various industries.
Multiple security organizations, including ReliaQuest, Watchtower, Microsoft, Rapid7, and Picus Security, have confirmed that CVE-2025-31324 is being actively exploited in the wild as of late April 2025. Attackers are using the vulnerability to upload executable files through the Metadata Uploader, deploy webshells for persistent access, and execute commands with the SAP server's privileges. The attack chain aligns with Initial Access (TA0001) and Exploit Public-Facing Application (T1190) tactics within the MITRE ATT&CK framework.
Immediate Action Required:
Organizations are strongly advised to apply the emergency SAP patch without delay and proactively hunt for backdoors or command-and-control beacons that might have been established prior to patching.
As of April 30, 2025, only the following Indicators of Compromise (IoCs) have been publicly disclosed relating to the active exploitation of CVE-2025-31324. While exploitation is confirmed, technical indicators such as file hashes, attacker IP addresses, or signatures have not yet been made available by security vendors or threat intelligence providers.
The vulnerability affects the UDDI (Universal Description, Discovery, and Integration) service, typically exposed at:
https://<hostname>:<port>/uddi/UDDISOAPService
This service processes SOAP/XML messages and fails to enforce authentication for sensitive operations.
Until specific IoCs are released, organizations should monitor for:
Avertium continues to monitor for IOCs and will disclose them as soon as possible once identified. In the meantime, patching remains the top priority. Organizations unable to patch immediately should apply all available mitigations and conduct compromise assessments if exposure is suspected.
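A log-side hunt for the exploitation pattern the advisory describes (unauthenticated use of the SOAP endpoint followed by a call to a dropped script file), as an added example that is not Avertium's or SAP's code. Only the UDDI endpoint path comes from the advisory; the NCSA common log format, the sample log lines, the script-file extensions and the ten-minute correlation window are assumptions.

```python
"""Hunt access-log lines for unauthenticated POSTs to the UDDI SOAP endpoint and
for script-file requests that follow them from the same client.

Added example, not Avertium's or SAP's code. The endpoint path is the one named
in the advisory; the log format, sample lines, extensions and window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Endpoint named in the advisory.
UDDI_PATH = "/uddi/UDDISOAPService"
# Assumed extensions a webshell dropped on a Java application server would use.
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".war")

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines, window_seconds=600):
    """Return findings for two rules, in log order (the log is assumed chronological).

    Rule 1: a POST with an empty authuser field to the UDDI SOAP endpoint.
    Rule 2: a successful request for a script file from the same client within
            window_seconds after such a POST, i.e. a possible webshell call.
    """
    events = [rec for rec in map(parse_line, lines) if rec]
    unauth_posts = defaultdict(list)  # client ip -> timestamps of rule-1 hits
    findings = []
    for rec in events:
        if rec["method"] == "POST" and rec["path"].startswith(UDDI_PATH) and rec["user"] == "-":
            unauth_posts[rec["ip"]].append(rec["ts"])
            findings.append({"rule": "unauth_soap_post", "ip": rec["ip"],
                             "path": rec["path"], "ts": rec["ts"]})
            continue
        if rec["status"] == 200 and rec["path"].split("?")[0].lower().endswith(SCRIPT_EXTENSIONS):
            prior = [t for t in unauth_posts[rec["ip"]]
                     if 0 <= (rec["ts"] - t).total_seconds() <= window_seconds]
            if prior:
                findings.append({"rule": "script_access_after_unauth_post", "ip": rec["ip"],
                                 "path": rec["path"], "ts": rec["ts"]})
    return findings


# Constructed sample lines (documentation address ranges, made-up paths and sizes).
SAMPLE_LOG = [
    # unauthenticated POST to the SOAP endpoint from an external address
    '203.0.113.10 - - [29/Apr/2025:10:15:02 +0000] "POST /uddi/UDDISOAPService HTTP/1.1" 200 512',
    # the same client requests a script file 38 seconds later
    '203.0.113.10 - - [29/Apr/2025:10:15:40 +0000] "GET /portal/helper.jsp HTTP/1.1" 200 88',
    # authenticated administrative use of the same endpoint (not flagged)
    '198.51.100.7 - sapadmin [29/Apr/2025:10:20:00 +0000] "POST /uddi/UDDISOAPService HTTP/1.1" 200 512',
    # ordinary page view with no preceding unauthenticated POST (not flagged)
    '192.0.2.44 - - [29/Apr/2025:11:02:13 +0000] "GET /portal/index.jsp HTTP/1.1" 200 2048',
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["rule"], f["ip"], f["path"], f["ts"].isoformat())
```

Rule 1 keys on the authuser field, so it only works where the front-end proxy or SAP web dispatcher records that field; since the advisory says the service does not enforce authentication, a stricter variant is to alert on every POST to the endpoint from outside an administrative allowlist and review the rest by hand.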
For enhanced protection against CVE-2025-31324, Avertium's Threat Detection & Response (TDR) services can assist with real-time monitoring, incident detection, and response.
Tactic | Technique Name | Technique ID | How It Applies
Initial Access | Exploit Public-Facing Application | T1190 | Uploads malicious executables via unauthenticated access to Metadata Uploader
Execution | Command and Scripting Interpreter | T1059 | Executes arbitrary code using interpreters after upload
Execution | Exploitation for Client Execution | T1203 | Triggers the uploaded payload for remote code execution
Persistence | Server Software Component | T1505 | Installs webshells or backdoors in SAP components
Persistence | Event Triggered Execution | T1546 | Configures payloads to execute on app events/triggers
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Escalates privilege using initial exploit paths
Defense Evasion | Masquerading | T1036 | Disguises payloads as legitimate files or components
Defense Evasion | Hide Artifacts | T1564 | Hides or obfuscates binaries/scripts in SAP directories
Impact | Data Destruction | T1485 | Deletes or corrupts critical data using code execution
Impact | Endpoint Denial of Service | T1499 | Renders SAP or hosts inoperable via crafted payloads
Summary of Techniques:
- Adversaries gain access by exploiting the Metadata Uploader with insufficient authorization controls (T1190).
- Uploaded malicious binaries allow for remote code execution (T1059, T1203).
- Persistence established through webshells/backdoors (T1505, T1546).
- Privilege escalation possible if the SAP application runs with elevated permissions (T1068).
- Defense evasion via masquerading and artifact hiding (T1036, T1564).
- Impact ranges from data destruction to full endpoint denial of service (T1485, T1499).
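A disk-side compromise assessment for the persistence and artifact-hiding techniques in the table (T1505, T1564), as an added example that is not Avertium's or SAP's code. The advisory only says that webshells or hidden scripts may sit in SAP directories; the directory layout, file names, age threshold and signature patterns here are assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Find script files on an application server that carry a command-execution
marker, or that are both recently modified and hidden by name.

Added example, not Avertium's or SAP's code. Layout, names, thresholds and
markers are assumptions; the sample tree is constructed in a temp directory.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed server-side script types worth reviewing on a Java application server.
SCRIPT_SUFFIXES = {".jsp", ".jspx"}
# Assumed markers of command-execution primitives inside a JSP page.
EXEC_MARKERS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")


def hunt_webshells(root, max_age_days=30, now=None):
    """Walk root; return sorted (relative_path, [reasons]) for script files that
    contain an exec marker, or that are both recently modified and hidden."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        reasons = []
        if path.stat().st_mtime >= cutoff:
            reasons.append("recently_modified")
        if path.name.startswith("."):
            reasons.append("hidden_name")
        try:
            if EXEC_MARKERS.search(path.read_bytes()):
                reasons.append("exec_primitive")
        except OSError:
            continue
        if "exec_primitive" in reasons or len(reasons) >= 2:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="sap_hunt_"))
    app = root / "portal"
    app.mkdir()
    # benign page that has not changed in over a year (not flagged)
    index = app / "index.jsp"
    index.write_text("<html>Welcome</html>")
    old = time.time() - 400 * 86400
    os.utime(index, (old, old))
    # recently written page whose body carries only the marker string in a JSP comment
    (app / "helper.jsp").write_text("<%-- constructed sample: Runtime.getRuntime().exec --%>")
    # recently written hidden-name script with no exec marker
    (app / ".cache.jsp").write_text("<%-- constructed sample: empty --%>")
    return root


if __name__ == "__main__":
    for rel, why in hunt_webshells(build_sample_tree()):
        print(rel, ",".join(why))
```

Run it against the real deployment directories with the age threshold set to the patch or exposure window; a match is a review item, not a verdict, since legitimate pages can also call these APIs.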
CVE-2025-30391 carries a CVSS rating of 8.1, underscoring its significant risk. Organizations are urged to take the following mitigation and defense steps:
CVE-2025-31324's criticality demands a coordinated approach covering detection, remediation, and continuous monitoring. Avertium provides several services relevant to managing this risk:
Attack Surface Management (ASM)
- Identifies and mitigates vulnerabilities, with targeted focus on SAP Visual Composer exposure.
- Provides acceleration services for rapid remediation, testing, and simulation of attacker TTPs to validate controls.
Threat Detection & Response (TDR)
- Delivers XDR-informed monitoring, integrating SIEM and endpoint security to identify exploits, unusual uploads, and anomalous behaviors in SAP environments.
- Offers strategic threat coverage for SAP and other critical applications.
Microsoft Security Solutions
- Tailored for organizations running SAP in Microsoft environments, combining detection rules specific to SAP threats and managed endpoint security to detect lateral movement and reduce attack surface.
Governance, Risk, and Compliance (GRC)
- Assists with compliance mandates (e.g., SEC, NIS2, SOX, NERC) by conducting audits, aligning security practices, and managing risk within SAP operations.
This multi-layered strategy addresses not only the technical aspects of CVE-2025-31324 but also the business and regulatory risks associated with its exploitation.
SUPPORTING DOCUMENTATION