โ— Critical ยท CVSS 10.0 โš  ACTIVELY EXPLOITED โ€” CISA KEV

How to Fix CVE-2025-31324: SAP NetWeaver Visual Composer Unauthenticated File Upload

*By Sai Kiran Pandrala*

At a glance

Severity: CVSS 10.0, Critical
Actively exploited: Yes, listed in CISA KEV (added 2025-04-29)
Affected: SAP NetWeaver Visual Composer Development Server, VCFRAMEWORK 7.50
Fixed in: See SAP Security Note 3594142 for the exact SP and patch level
Type (CWE): CWE-434, Unrestricted Upload of File with Dangerous Type

โš ๏ธ Patch and lock down now. CISA added this to KEV on April 29, 2025 with a federal deadline of May 20, 2025. Threat actors are actively dropping web shells through the unprotected upload endpoint.

What is CVE-2025-31324?

SAP NetWeaver Visual Composer ships with a Metadata Uploader component that is supposed to accept design-time metadata files. Authorization on that uploader endpoint is missing. An unauthenticated remote attacker can submit a request to the upload URL and write an arbitrary executable file (a JSP web shell, for example) directly into the NetWeaver application server's deployment path. From there, the attacker can browse to the uploaded file and execute commands with the privilege of the SAP work process, which on a typical install means full filesystem and SAP-application access.

Visual Composer is a developer-oriented module. Many SAP customers never actively use it, but it remains deployed and reachable because it ships enabled by default in NetWeaver Java stacks running VCFRAMEWORK 7.50.

Am I affected?

You are affected if all three are true:

  1. You run SAP NetWeaver Java stack (the AS Java component).
  2. The Visual Composer Development Server is deployed.
  3. VCFRAMEWORK 7.50 is at a patch level below the one listed in SAP Security Note 3594142.

To check, open NetWeaver Administrator → Components Info (the same view used in the verification steps later in this guide) and look for the VCFRAMEWORK component and its patch level.

If VCFRAMEWORK is present and its patch level is below the SAP Note's fix, you are exposed.

How to fix CVE-2025-31324

  1. Authenticate to the SAP ONE Support Launchpad and open SAP Security Note 3594142.
  2. Apply the SAP Security Note. This is typically a Support Package or a manual patch via Note Assistant (SNOTE for ABAP stacks; manual deployment via SDM/Update Manager for Java stacks).
  3. For Java stacks, deploy the patched VCFRAMEWORK SCA file via Software Update Manager (SUM):
     - Stage the SCA in your SUM input directory.
     - Run SUM in maintenance mode and follow the standard Java component update flow.
     - Restart the AS Java instance after the deploy.
  4. Alternative emergency path: disable the Visual Composer module entirely if you do not use it. From NWA: Configuration → Application Modules → tc~vc~webdynpro~core, set to Stopped. This removes the vulnerable endpoint from the running application server. Do this immediately as a stopgap if patching has to wait.
  5. Restrict reverse-proxy access to the upload endpoint (/developmentserver/metadatauploader) at your SAP Web Dispatcher or perimeter WAF. Deny all unauthenticated POST requests to that path.
  6. For SAP S/4HANA and SAP ECC ABAP stacks, this Note may not apply if the Java add-on is not installed. Confirm via SE38 → RSPLAN_ICF_NODE_CHECK or via the Notes search in SNOTE.

If you can't patch immediately

The mitigations carry more weight than usual here because the patch can take days in a typical SAP change window. Apply all of these in parallel:

  1. If Visual Composer is not in use, stop the tc~vc~webdynpro~core application in NWA (Configuration → Application Modules). This unloads the vulnerable endpoint from the running server.
  2. Deny unauthenticated POST requests to /developmentserver/metadatauploader at the SAP Web Dispatcher or perimeter WAF, so the endpoint is unreachable even while the module is still deployed.
  3. Because the endpoint is being exploited in the wild, check the AS Java deployment path for JSP files you did not deploy and review Web Dispatcher and ICM access logs for POST requests to the uploader path that returned HTTP 200. Treat any such hit as a possible compromise, not just an exposure.

How to verify the fix worked

  1. In NetWeaver Administrator → Components Info, confirm VCFRAMEWORK is now at the patch level listed in SAP Note 3594142.
  2. From an unauthenticated test client, send a probing POST request to the previously vulnerable endpoint:

   curl -i -X POST http://<your-host>:<port>/developmentserver/metadatauploader

     The expected post-patch response is HTTP 401 or 403, not a 200 indicating an accepted upload.
  3. Re-run any compliance vulnerability scan you have. The scanner's CVE-2025-31324 check should no longer report a finding.

If you took the disable-VC path instead of patching, the endpoint should return a 404 because the module is unloaded.
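The following Python script is an added example, not part of this guide or of SAP's tooling. It automates the probe above, maps the response to the verdicts described in this section, and applies the same status logic to proxy or ICM access logs to find uploader POSTs that were accepted (HTTP 200) before the fix went in. It assumes an Apache-style common log format; the log lines and addresses are constructed sample data, and host and port are placeholders you supply.

```python
"""Added example: verify the CVE-2025-31324 fix and review access logs for accepted uploads."""
import http.client
import re

# Endpoint from the advisory; status semantics follow the verification section above.
UPLOADER_PATH = "/developmentserver/metadatauploader"


def classify(status: int, module_stopped: bool = False) -> str:
    """Verdict for the status of an unauthenticated POST to the uploader."""
    if status in (401, 403):      # authorization enforced: patched, or denied at Web Dispatcher/WAF
        return "patched-or-blocked"
    if status == 404:             # only expected if tc~vc~webdynpro~core was set to Stopped
        return "module-stopped" if module_stopped else "inconclusive"
    return "EXPOSED" if status == 200 else "inconclusive"   # 200 = upload still accepted


def probe(host: str, port: int, use_tls: bool = False, timeout: float = 10.0) -> int:
    """Send the same empty, unauthenticated POST as the curl check and return the status."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("POST", UPLOADER_PATH, body=b"", headers={"Content-Length": "0"})
        return conn.getresponse().status
    finally:
        conn.close()


# Assumption: Apache-style common log format on the proxy/ICM. Sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:15:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.4 - - [30/Apr/2025:08:01:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
10.0.0.5 - - [30/Apr/2025:09:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048
"""


def accepted_uploads(log_text: str) -> list:
    """Return (ip, timestamp, path) for uploader POSTs that got HTTP 200; investigate each one."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(UPLOADER_PATH):
            if classify(int(m["status"])) == "EXPOSED":
                hits.append((m["ip"], m["ts"], m["path"]))
    return hits
```

Run `classify(probe("<your-host>", <port>), module_stopped=True)` if you took the disable path, otherwise with the default; any "EXPOSED" verdict or non-empty result from `accepted_uploads` on your real logs warrants an incident-response look at the deployment path.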

Frequently asked questions


Is CVE-2025-31324 being actively exploited?

Yes. CISA added it to KEV on April 29, 2025 with a three-week federal deadline. Multiple vendors have published threat reports describing web-shell drops via this CVE.

Does this affect SAP ABAP-only stacks?

Visual Composer is a Java-stack module. Pure ABAP stacks (no AS Java) are not directly exposed. Confirm by checking whether VCFRAMEWORK is listed in your components.

Can I just disable the Metadata Uploader without disabling all of Visual Composer?

The vendor Note does not document a sub-component disable for just the uploader. The supported options are: patch, or stop the whole tc~vc~webdynpro~core application. If you need a partial mitigation, restrict the path at the Web Dispatcher as described above.

*This guide was assembled from SAP Security Note 3594142, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the SAP Note before applying changes in production.*