Critical SAP NetWeaver Exploit Now Publicly Available

Summary
– A critical vulnerability (CVE-2025-31324) in SAP NetWeaver AS Java Visual Composer allows unauthenticated remote code execution and is now being widely exploited.
– Public exploit tooling has been released, making the vulnerability easy to use even for attackers with minimal technical expertise.
– CISA has added this flaw to its Known Exploited Vulnerabilities catalog, and it has received CVSS scores of 10.0 and 9.8, indicating top severity.
– A related flaw (CVE-2025-42999) involving insecure deserialization has been chained with the uploader bug in active attacks.
– Organizations are advised to immediately apply SAP Security Notes 3594142 and 3604119, block the vulnerable endpoint, and hunt for signs of compromise.

A critical vulnerability within SAP NetWeaver AS Java Visual Composer is now actively exploited in the wild, posing a severe threat to organizations that have not yet applied available patches. Identified as CVE-2025-31324, this flaw enables unauthenticated attackers to execute arbitrary code remotely through the platform’s metadata uploader. The recent public release of full exploit source code has dramatically lowered the barrier to entry, allowing even low-skilled threat actors to weaponize the vulnerability with minimal effort.
Security experts warn that the simplicity of the attack means it can be deployed in minutes. Jonathan Stross, an SAP security analyst, emphasized that with the help of AI-assisted tools, inexperienced hackers can inflict serious harm on unpatched systems. The U.S. Cybersecurity and Infrastructure Security Agency has officially listed the flaw in its Known Exploited Vulnerabilities catalog, underscoring the immediacy of the risk.
SAP originally released patches in April 2025, but many organizations remain exposed. The vulnerability has received a near-maximum severity rating from both SAP and the National Vulnerability Database, reflecting its potential for widespread impact. According to Frankie Sclafani, a cybersecurity director, this is not a theoretical concern: real attacks are already underway, targeting enterprises that have delayed updates.
In addition to CVE-2025-31324, researchers have flagged a related deserialization flaw, CVE-2025-42999, which attackers are chaining with the metadata uploader bug to escalate privileges and move laterally across networks. Both issues were addressed in SAP Security Notes 3594142 and 3604119.
To mitigate risk, organizations are urged to apply these patches immediately across all Java instances. It is also recommended to block or restrict access to the /developmentserver/metadatauploader endpoint and proactively monitor for signs of intrusion through HTTP logs and SIEM alerts. If a system is compromised, experts advise isolating affected nodes, rotating credentials, and rebuilding from a clean backup.
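As an added illustration of the HTTP-log hunting recommended above (example code written for this page, not code from the article or from SAP), the following script scans access-log lines for requests to the metadata uploader endpoint and counts POSTs per source address. The Combined-Log-Format layout and the sample lines, addresses and timestamps are constructed assumptions; adjust the regular expression to the actual ICM/HTTP log format of the instance.

```python
import re
from collections import Counter

# Endpoint addressed by SAP Security Note 3594142 (CVE-2025-31324).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed Combined Log Format; adapt to the real ICM/HTTP access log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_uploader_request(rec):
    # Compare the path only: drop any query string and ignore case differences.
    path = rec["path"].split("?", 1)[0].lower()
    return path.startswith(UPLOADER_PATH)

def hunt(lines):
    """Return (hits, per_ip): hits are uploader requests, per_ip counts POSTs by source."""
    hits = [r for r in map(parse_line, lines) if r and is_uploader_request(r)]
    per_ip = Counter(r["ip"] for r in hits if r["method"] == "POST")
    return hits, per_ip

# Constructed sample log lines; addresses, timestamps and sizes are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader?param=value HTTP/1.1" 200 41',
    '203.0.113.9 - - [25/Apr/2025:10:01:06 +0000] "GET /developmentserver/MetadataUploader HTTP/1.1" 200 10',
    '198.51.100.7 - - [25/Apr/2025:10:02:00 +0000] "GET /sap/bc/ping HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    hits, per_ip = hunt(SAMPLE_LOG)
    for r in hits:
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["path"]} -> {r["status"]}')
    for ip, n in per_ip.items():
        print(f"{ip}: {n} POST(s) to the uploader endpoint; review as possible CVE-2025-31324 activity")
```

Any hit on an unpatched instance warrants the isolation, credential rotation and clean-rebuild steps described above rather than log review alone.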
Nivedita Murthy, a senior consultant, highlighted that because NetWeaver often serves as a foundational web application hosting other services, a successful exploit could allow unauthorized lateral movement and more destructive attacks. Timely action is essential to prevent cascading security failures.
(Source: InfoSecurity Magazine)