A new critical authentication bypass vulnerability impacting the platform SAP NetWeaver from SAP has been reported. It has been assigned the reference CVE-2025-31324 and a CVSS 3.1 score of 10.
This flaw impacts the following version of the application: NetWeaver (Visual Composer development server) VCFRAMEWORK 7.50 without the latest security patch. It should be noted that it is actively exploited and the technical details allowing an attacker to exploit this vulnerability are public and ongoing exploitation attempts have been detected
Initial vector attack of the SAP vulnerability
The vulnerability allows an unauthenticated attacker to upload arbitrary files and remotely execute them on the SAP server. Ongoing attacks make use of malicious payloads generated with Brute Ratel during the exploitation of this vulnerability.
Technical details of the SAP vulnerability
A POST request specifically crafted sent to the endpoint /developmentserver/metadatauploader of the SAP solution allows to bypass the authentication mechanism and upload a file with arbitraty content to the server. In the detected attacks, it was a JSP webshell that allowed the attacked to take control of the platform.
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1190 (Exploit Public-Facing Application)
How to protect against the SAP vulnerability with Stormshield Network Security
Protection against CVE-2025-31324
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-31324 with the following IPS signature:
- http:client.107: Exploitation of a SAP NetWeaver file upload vulnerability (CVE-2025-31324)
For this protection to be efficient, the traffic must be decrypted.
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Recommandations regarding the SAP vulnerability
It is highly recommended to update the SAP Business Objects Business Intelligence Platform to the latest version.
The official bulletin is available here but requires an authentication.
