CVE-2025-31324

April 24, 2025, 5:15 p.m.

10.0
Critical

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Product(s) Impacted

Vendor Product Versions
Sap
  • Sap Netweaver Visual Composer
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a sap sap_netweaver_visual_composer / / / / / / / /

References

https://me.sap.com/notes/3594142
https://url.sap/sapsecuritypatchday

Tags

CWE-434
cna@sap.com
2025-04-24
CVE-2025-31324

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: April 24, 2025, 5:15 p.m.
Last Modified: April 24, 2025, 5:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@sap.com

Linked Attack Reports

Threat Brief: CVE-2025-31324

CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployment…
alliance
april
sha256 hash
sap netweaver
2025-05-12
http
ipv4 address
attempted get
suspected web
hosting
cve202531324
goreverse
visual composer
test
Published: May 12, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 44

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.
apt
sliver
webshell
china-nexus
vshell
snowlight
sap netweaver
azure ad
cve202531324
2025-05-14
unc5174
clsta0048
sta-0048
krustyloader
Published: May 14, 2025
Linked vulnerabilities : CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9380 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2024-21887, CVE-2023-46805, CVE-2024-1709, CVE-2023-46747, CVE-2024-36401, CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 61

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability

A critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited by a China-nexus threat actor, UNC5221. The exploitation targets internet-facing EPMM deployments across various sectors including healthcare, telecommunications, and government. The attackers utilize unau…
ivanti
sliver
data exfiltration
china-nexus
auto-color
2025-05-21
krustyloader
frp
unauthenticated rce
epmm
CVE-2025-4427
CVE-2025-4428
Published: May 21, 2025
Linked vulnerabilities : CVE-2025-22457 (CVSS 9.0), CVE-2025-31324 (CVSS 10.0), CVE-2025-4428, CVE-2025-4427
Downloadable IOCs: 12

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…
backdoor
apt
sql injection
cobalt strike
dll sideloading
vulnerability exploitation
brute ratel
multi-industry targeting
CVE-2024-9047
CVE-2024-51378
CVE-2024-51567
china-nexus
CVE-2024-56145
vshell
CVE-2025-31324
2025-05-27
CVE-2021-22205
CVE-2024-27199
CVE-2024-27198
CVE-2017-9805
pulsepack
bypassboss
custom tools
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205
Downloadable IOCs: 185

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.