On April 24, 2025, SAP released fixes for CVE-2025-31324, a maximum-severity zero-day unrestricted file upload vulnerability in the NetWeaver Visual Composer component. Visual Composer is a tool within NetWeaver for creating applications and user interfaces. The vulnerability was discovered by ReliaQuest, which initially observed its exploitation in the wild.
The flaw originates in the /developmentserver/metadatauploader endpoint, which allows threat actors to upload malicious JavaServer Pages (JSP) webshells via specially crafted POST requests to the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory. These files can then be executed remotely through GET requests.
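As an added detection example (not code from Arctic Wolf, SAP or ReliaQuest), the following script correlates the two stages described above in web access logs: a POST to the metadatauploader endpoint, followed by a GET to a JSP file under /irj/ from the same source address. It assumes common-log-format lines; the log entries and IP addresses are constructed for illustration.

```python
import re

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# The uploaded JSP files are served from the portal's web root under /irj/.
WEBSHELL_PATH_RE = re.compile(r"^/irj/[^?]*\.jsp(?:$|\?)", re.IGNORECASE)
# Common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 87
198.51.100.7 - - [24/Apr/2025:10:02:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.7 - - [24/Apr/2025:10:02:45 +0000] "GET /irj/help.jsp HTTP/1.1" 200 3010
192.0.2.5 - - [24/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 404 120
"""


def find_suspicious_activity(lines):
    """Flag every POST to the upload endpoint, and any GET to a JSP under /irj/
    from a source that previously POSTed to that endpoint in the same log."""
    findings = []
    uploaders = set()  # source IPs that have hit the upload endpoint
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method == "POST" and path.split("?", 1)[0].lower() == UPLOAD_ENDPOINT:
            uploaders.add(ip)
            findings.append({"ip": ip, "ts": m["ts"], "kind": "upload_attempt",
                             "path": path, "status": status})
        elif method == "GET" and WEBSHELL_PATH_RE.match(path) and ip in uploaders:
            findings.append({"ip": ip, "ts": m["ts"], "kind": "possible_webshell_execution",
                             "path": path, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_activity(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['path']} ({f['status']})")
```

A GET to a JSP under /irj/ with no preceding upload attempt (the 198.51.100.7 line) is deliberately not flagged, so legitimate portal pages do not generate noise; a 404 on the POST is still reported because it is an attempt worth investigating.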
Exploitation of CVE-2025-31324 has been ongoing throughout April 2025, with threat actors leveraging tools such as Brute Ratel and Heaven’s Gate for code execution and evasion after initial access.
Risk
Visual Composer is included by default with the base installation of SAP NetWeaver starting with version 2004s, significantly broadening the potential attack surface for threat actors. Given this exposure and NetWeaver’s history of exploitation, as evidenced by multiple entries in CISA’s Known Exploited Vulnerabilities Catalog, threat actors are likely to continue targeting this vulnerability.
Recommendations for CVE-2025-31324
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| SAP NetWeaver (Visual Composer Framework) | 7.50 | Patches for 7.50 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Disable Visual Composer if Not Required in Your Environment
Visual Composer is enabled by default starting with SAP NetWeaver 2004s, as it is included with the base installation. If not actively used in your environment, consider disabling it using filters within SAP NetWeaver to reduce your attack surface.