* Last update: 15/05/2025
* Affected software: SAP NetWeaver (Visual Composer Metadata Uploader)
* Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
* CVE/CVSS: CVE-2025-31324, CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  https://nvd.nist.gov/vuln/detail/CVE-2025-31324
SAP NetWeaver Visual Composer is a development tool that allows users—especially those without deep programming skills—to create web-based business applications using a visual, drag-and-drop interface. It runs on the SAP NetWeaver platform, which provides the backend services and integration capabilities needed to connect to SAP and non-SAP systems. The Visual Composer development server hosts the environment where these applications are designed, built, and tested.
On 24 April 2025, SAP announced that a critical vulnerability (CVE-2025-31324) had been found in SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50). SAP released an emergency security note (3594142) to fix this vulnerability.
CVE-2025-31324 is a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer: the upload endpoint does not require authentication, so an unauthenticated attacker can upload potentially malicious executable binaries to the server.
Exploitation of CVE-2025-31324 has a high impact on all three aspects of the CIA triad (Confidentiality, Integrity, and Availability).
UPDATE: 25 April 2025
Confirmation by multiple sources that CVE-2025-31324 has been actively exploited in the wild. A public proof-of-concept (PoC) is available online.
UPDATE: 13 May 2025
SAP released an update for CVE-2025-31324 included in the "Patch Day - May 2025". Please review the new information and update your systems accordingly!
UPDATE: 15 May 2025
According to ReliaQuest, this vulnerability is actively exploited by the BianLian and RansomEXX (also tracked as Storm-2460) ransomware groups. Forescout reported that Chinese threat actors are actively exploiting CVE-2025-31324.
A remote attacker with no authentication and no privileges can upload executable files to the SAP NetWeaver system. Because the system places no (or incomplete) restrictions on the types of files that may be uploaded, and then goes on to process those files, the attacker can execute unauthorized code: steal sensitive system and application data, modify or delete critical system files, and install additional malware. The end result is full control of the targeted SAP NetWeaver system and complete system compromise.
A quick check to see if you are vulnerable: request https://[your-sap-server]/developmentserver/metadatauploader without authentication. If the endpoint answers rather than rejecting the request, the Metadata Uploader is exposed and your server should be treated as affected by this vulnerability.
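The following script automates that quick check across a list of hosts. It is an added example, not part of the CCB advisory or SAP's own tooling: it issues a single unauthenticated GET to the endpoint named above and maps the HTTP status to a verdict. The status-to-verdict mapping (a 2xx means the servlet is reachable without authentication; 401/403 means an access control now sits in front of it; 404 means the servlet is not deployed at that path) is an assumption of this example, as are the hostnames used in the usage line; the script only tells you whether the endpoint is exposed, not whether the system was already compromised.

```python
"""Unauthenticated reachability check for the SAP NetWeaver Visual Composer
Metadata Uploader endpoint associated with CVE-2025-31324.

Example code added to the advisory text; the verdict thresholds are this
example's assumptions, not statements from SAP or the CCB.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# The path quoted in the advisory's quick check.
METADATA_UPLOADER_PATH = "/developmentserver/metadatauploader"


@dataclass
class CheckResult:
    url: str
    status: Optional[int]   # HTTP status code, or None if no HTTP answer came back
    verdict: str            # exposed | restricted | not_found | unknown | inconclusive
    detail: str


def classify(status: Optional[int]) -> Tuple[str, str]:
    """Map the status of an unauthenticated GET to a verdict.

    Assumption (not from the advisory): any 2xx means the servlet answered
    with no credentials and the host must be treated as affected; 401/403
    means some access control is in place; 404 means the servlet is absent.
    """
    if status is None:
        return "unknown", "no HTTP response (host down, TLS failure or filtered)"
    if 200 <= status < 300:
        return "exposed", "endpoint reachable without authentication; treat as affected"
    if status in (401, 403):
        return "restricted", "endpoint present but access is denied; confirm patch level"
    if status == 404:
        return "not_found", "endpoint not deployed at this path"
    return "inconclusive", f"unexpected HTTP {status}; inspect manually"


def fetch_status(url: str, timeout: float = 10.0, verify_tls: bool = True) -> Optional[int]:
    """Send one unauthenticated GET and return the HTTP status (None if no HTTP reply)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # internal SAP hosts frequently use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "cve-2025-31324-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code              # 4xx/5xx replies still carry a status
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return None


def check_host(base_url: str,
               fetch: Callable[..., Optional[int]] = fetch_status,
               **fetch_kwargs) -> CheckResult:
    """Build the endpoint URL for one host and classify its unauthenticated response.

    `fetch` is injectable so the logic can be exercised without network access.
    """
    url = base_url.rstrip("/") + METADATA_UPLOADER_PATH
    status = fetch(url, **fetch_kwargs)
    verdict, detail = classify(status)
    return CheckResult(url=url, status=status, verdict=verdict, detail=detail)


if __name__ == "__main__":
    import sys
    # Usage: python check_vc_uploader.py https://sap-prd.example.internal:50001 ...
    # (hostnames are placeholders)
    for host in sys.argv[1:]:
        result = check_host(host, verify_tls=False)
        print(f"{result.url}: HTTP {result.status} -> {result.verdict} ({result.detail})")
```

Run it against every Java stack (AS Java) instance, including development and test systems, since these are exactly the hosts where Visual Composer tends to remain deployed. An "exposed" verdict means the endpoint is reachable without authentication and the SAP note must be applied immediately; a "restricted" or "not_found" verdict still does not prove the system was never exploited while it was unpatched.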
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that took place before the patch was applied. Systems that were reachable while unpatched should be investigated for signs of intrusion rather than assumed clean.
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
https://me.sap.com/notes/3594142
https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/