Mastodon

A new critical authentication bypass vulnerability impacting the platform SAP NetWeaver from SAP has been reported. It has been assigned the reference CVE-2025-31324 and a CVSS 3.1 score of 10.

This flaw impacts the following version of the application: NetWeaver (Visual Composer development server) VCFRAMEWORK 7.50 without the latest security patch. It should be noted that it is actively exploited and the technical details allowing an attacker to exploit this vulnerability are public and ongoing exploitation attempts have been detected

 

Initial vector attack of the SAP vulnerability

The vulnerability allows an unauthenticated attacker to upload arbitrary files and remotely execute them on the SAP server. Ongoing attacks make use of malicious payloads generated with Brute Ratel during the exploitation of this vulnerability.

 

Technical details of the SAP vulnerability

A POST request specifically crafted sent to the endpoint /developmentserver/metadatauploader of the SAP solution allows to bypass the authentication mechanism and upload a file with arbitraty content to the server. In the detected attacks, it was a JSP webshell that allowed the attacked to take control of the platform.

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 (Exploit Public-Facing Application)

 

How to protect against the SAP vulnerability with Stormshield Network Security

Protection against CVE-2025-31324

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-31324 with the following IPS signature:

  • http:client.107: Exploitation of a SAP NetWeaver file upload vulnerability (CVE-2025-31324)

For this protection to be efficient, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommandations regarding the SAP vulnerability

It is highly recommended to update the SAP Business Objects Business Intelligence Platform to the latest version.

The official bulletin is available here but requires an authentication.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.