* Last update: 25/04/2025
* Affected software: SAP NetWeaver (Visual Composer Metadata Uploader, VCFRAMEWORK 7.50)
* Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
* CVE/CVSS: CVE-2025-31324, CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  https://nvd.nist.gov/vuln/detail/CVE-2025-31324
SAP NetWeaver Visual Composer is a development tool that allows users—especially those without deep programming skills—to create web-based business applications using a visual, drag-and-drop interface. It runs on the SAP NetWeaver platform, which provides the backend services and integration capabilities needed to connect to SAP and non-SAP systems. The Visual Composer development server hosts the environment where these applications are designed, built, and tested.
On 24 April 2025, SAP announced that a critical vulnerability (CVE-2025-31324) had been found in SAP NetWeaver Visual Composer, version VCFRAMEWORK 7.50, and released an emergency security note (SAP Note 3594142) to fix it.
CVE-2025-31324 lies in the Metadata Uploader component of SAP NetWeaver Visual Composer. Because the component lacks proper authorization checks, an unauthenticated attacker can upload potentially malicious executable files to the server.
As of 25 April 2025, multiple sources confirm that the vulnerability is being actively exploited in the wild. No public proof of concept (PoC) is available.
Exploitation of CVE-2025-31324 has a high impact on all three aspects of the CIA triad (Confidentiality, Integrity and Availability).
A remote attacker with no authentication and no privileges can upload executable files to the SAP NetWeaver system and then execute them: steal sensitive system and application data, modify or delete critical system files, install additional malware and ultimately take full control of the SAP NetWeaver host, i.e. complete system compromise. The root cause is that the system places no (or incomplete) restrictions on the upload of dangerous file types, and then proceeds to process those files.
A quick check for exposure is to request the following URL without any credentials (no SAP logon, no cookies, no Authorization header): https://[your-sap-server]/developmentserver/metadatauploader. If the endpoint answers instead of demanding authentication (HTTP 401/403), your server is affected by this vulnerability. Do not upload anything during this check; reachability alone is the indicator.
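The check above can be scripted so that it is repeatable across many NetWeaver hosts. The following is an added example written for this page, not CCB or SAP code; it only requests the Metadata Uploader endpoint anonymously and classifies the HTTP answer, it uploads nothing. The host names, the non-default port and the mapping of status codes to verdicts are illustrative assumptions. Redirects are deliberately not followed, because a 200 from a login page that the server redirected to would otherwise look like an exposed endpoint.

```python
"""Anonymous exposure check for the Visual Composer Metadata Uploader.

Added example, not part of the CCB advisory and not SAP code. It performs
only the check the advisory describes (GET /developmentserver/metadatauploader
with no credentials) and classifies the HTTP answer. Nothing is uploaded.
Host names, ports and the verdict mapping are assumptions for illustration.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

METADATA_UPLOADER_PATH = "/developmentserver/metadatauploader"
DEFAULT_PORTS = {"https": 443, "http": 80}


def build_url(host: str, port: Optional[int] = None, scheme: str = "https") -> str:
    """Build the probe URL; the port is omitted when it is the scheme default."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}{METADATA_UPLOADER_PATH}"
    return f"{scheme}://{host}:{port}{METADATA_UPLOADER_PATH}"


def classify(status: Optional[int]) -> str:
    """Translate the endpoint's answer to an anonymous request into a verdict.

    exposed       : 2xx, the uploader answered without authentication (affected)
    requires-auth : 401/403, the server demanded credentials
    absent        : 404, the development server application is not deployed
    redirect      : 3xx, e.g. to a logon page; verify manually
    unreachable   : no HTTP answer (refused, timeout, TLS failure)
    unknown       : anything else (5xx ...); verify manually
    """
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "exposed"
    if 300 <= status < 400:
        return "redirect"
    if status in (401, 403):
        return "requires-auth"
    if status == 404:
        return "absent"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, port: Optional[int] = None, scheme: str = "https",
          timeout: float = 10.0, verify_tls: bool = True) -> Tuple[str, str]:
    """Request the uploader anonymously and return (url, verdict)."""
    url = build_url(host, port, scheme)
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab systems often run with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect(),
                                         urllib.request.HTTPSHandler(context=ctx))
    # No Authorization header and no cookies: we want the anonymous view.
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "cve-2025-31324-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return url, classify(resp.status)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        return url, classify(err.code)
    except (urllib.error.URLError, OSError):  # includes socket timeouts and TLS errors
        return url, classify(None)


if __name__ == "__main__":
    # Usage: python check.py sap-host.example.net [port]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else None
    print(*probe(target_host, target_port))
```

A verdict of `exposed` means the Metadata Uploader is reachable anonymously and SAP Note 3594142 should be applied immediately; `requires-auth` or `absent` means the quick check passes, but the patch status should still be confirmed on the system itself, since this probe only observes the HTTP surface.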
Patch
The Centre for Cybersecurity Belgium strongly recommends installing the update for vulnerable systems with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that an intrusion can be responded to swiftly.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place: systems that were exposed before the patch was applied should be checked for signs of intrusion.
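One concrete starting point for that investigation is the HTTP access log of the NetWeaver host: every request to /developmentserver/metadatauploader is worth a look, and an accepted POST is the strongest signal. The script below is an added example for this page, not CCB or SAP code. It assumes the access log is in Common Log Format (remote host, ident, user, timestamp, request line, status, bytes); adjust the regular expression to the format your SAP HTTP logging actually produces. The sample log lines are constructed, not real traffic.

```python
"""Access-log triage for requests to the Visual Composer Metadata Uploader.

Added example, not part of the CCB advisory and not SAP code. Assumes Common
Log Format (CLF); the sample lines below are constructed, not real traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

UPLOADER_PATH = "/developmentserver/metadatauploader"

# host ident user [time] "METHOD target PROTO" status size  (CLF, assumed)
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    src: str
    time: str
    method: str
    target: str
    status: int
    user: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF record; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def targets_uploader(target: str) -> bool:
    """True if the request path (ignoring query string, case and a trailing /) is the uploader."""
    path = target.split("?", 1)[0].lower().rstrip("/")
    return path == UPLOADER_PATH


def severity(method: str, status: int) -> str:
    """Rank a hit on the uploader.

    high   : POST accepted (2xx) -> a file may have been written to the server
    medium : POST rejected (401/403/404/5xx ...) -> attempted upload
    low    : any other method (GET/HEAD) -> exposure probing, including your own check
    """
    if method == "POST":
        return "high" if 200 <= status < 300 else "medium"
    return "low"


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return every request to the uploader, in log order, with a severity."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_uploader(rec["target"]):
            continue
        findings.append(Finding(
            src=rec["src"], time=rec["time"], method=rec["method"],
            target=rec["target"], status=rec["status"], user=rec["user"],
            severity=severity(rec["method"], rec["status"]),
        ))
    return findings


def sources_by_severity(findings: List[Finding], level: str = "high") -> Counter:
    """Count source addresses per severity level, to prioritise host investigation."""
    return Counter(f.src for f in findings if f.severity == level)


# Constructed sample log (not real traffic): a probe, an accepted upload,
# a rejected upload, unrelated portal traffic and a malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:08:13:42 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1342
203.0.113.10 - - [25/Apr/2025:08:13:51 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [25/Apr/2025:09:02:07 +0000] "POST /developmentserver/metadatauploader?probe=1 HTTP/1.1" 401 0
10.0.0.5 - jdoe [25/Apr/2025:09:05:19 +0000] "GET /irj/portal HTTP/1.1" 200 8821
this line is not an access-log record
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.src:15} {f.time} {f.method} {f.target} -> {f.status}")
    print("sources with accepted POSTs:", dict(sources_by_severity(scan(SAMPLE_LOG.splitlines()))))
```

Every `high` finding should be followed up on the host itself, since an accepted POST means the uploader processed the request; the `low` hits will also contain your own exposure checks, so allowlist the scanner's source address before reading the results. Absence of findings is not proof of absence if log retention does not cover the period before patching.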
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
https://me.sap.com/notes/3594142
https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/