CVE-2025-31324: Critical SAP Vulnerability & How to Protect Your Enterprise

Sept. 10, 2025, 8:15 p.m.

Description

A critical remote code execution vulnerability (CVE-2025-31324) affects SAP NetWeaver Development Server, allowing attackers to upload malicious files through the metadatauploader endpoint. This vulnerability enables unauthenticated remote code execution, potentially leading to enterprise network compromise, data theft, and disruption of critical SAP processes. Active exploitation began in March 2025, with widespread attacks following the public release of an exploit script in August 2025. The vulnerability stems from improper validation of uploaded model files, allowing attackers to execute arbitrary code within the SAP NetWeaver server context. Protective measures include immediate patching, network monitoring, and restricting development server exposure to trusted networks.

External References

https://www.seqrite.com/blog/cve-2025-31324-sap-vulnerability-protection/
https://otx.alienvault.com/pulse/68c1d255ec99b294b7238365
Tags
exploit
vulnerability
remote code execution
auto-color
CVE-2025-31324
2025-09-10
netweaver
metadatauploader
sap

Date

  • Created: Sept. 10, 2025, 7:32 p.m.
  • Published: Sept. 10, 2025, 7:32 p.m.
  • Modified: Sept. 10, 2025, 8:15 p.m.

Indicators

  • 4d4f6ea7ebdc0fbf237a7e385885d51434fd2e115d6ea62baa218073729f5249
  • 0a866f60537e9decc2d32cbdc7e4dcef9c5929b84f1b26b776d9c2a307c7e36e
  • 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
  • 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
Download all indicators here!

Attack Patterns

  • Scattered LAPSUS$ Hunters - ShinyHunters

Additional Informations

  • Retail
  • Telecommunications
  • Manufacturing