Full Report
SAP has released an out-of-band patch to address CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver that has been exploited by threat actors. Organizations are strongly encouraged to apply patches as soon as possible.

## Background

On April 22, ReliaQuest published details of their investigation of exploit activity in SAP NetWeaver servers. Initially it was unclear if their discovery was a new vulnerability or the abuse of CVE-2017-9844, a vulnerability that could lead to a denial-of-service (DoS) condition or arbitrary code execution. ReliaQuest reported their findings to SAP and on April 24, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability with the highest severity CVSS score of 10.0.

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2025-31324 | SAP NetWeaver Unauthenticated File Upload Vulnerability | 10.0 | 8.1\* |

\*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 25 and reflects VPR at that time.

## Analysis

CVE-2025-31324 is an unauthenticated file upload vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files, which can then be used to achieve code execution. The flaw is the result of missing authorization checks on the "/developmentserver/metadatauploader" endpoint. According to ReliaQuest, this vulnerability has been exploited in the wild as a zero-day by threat actors who have abused the flaw to upload malicious web shells to affected hosts. These web shells were used to deploy malware and establish communications with command and control (C2) servers.

## Proof of concept

At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-31324. If a public PoC exploit becomes available, we anticipate a variety of attackers will attempt to leverage this flaw in their attacks, as SAP products are widely used by a variety of organizations, including government agencies.

## Solution

SAP has released patches for affected versions of SAP NetWeaver. At this time, the SAP security note #3594142 is not publicly accessible, so we are unable to provide a list of affected and patched versions. It is important to note that these patches were released after SAP's April 2025 Security Patch Day, published on April 8. So even if those patches were applied, you will still need to apply the out-of-band patches released for CVE-2025-31324.

## Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-31324 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running SAP NetWeaver by using the following filters:

## Get more information

- ReliaQuest Blog: ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver
- SAP Security Patch Day - April 2025
Analysis Summary
# Vulnerability: Zero-Day Vulnerability in SAP NetWeaver Being Exploited (CVE-2025-31324)
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: Not explicitly stated in the provided text, but described as a "Critical Vulnerability".
- CWE: Not specified.
## Affected Systems
- Products: SAP NetWeaver
- Versions: Specific vulnerable versions are not detailed, but the vulnerability is present even if prior patches were applied, necessitating an out-of-band patch.
- Configurations: Unknown.
## Vulnerability Description
The text indicates CVE-2025-31324 is a zero-day vulnerability within SAP NetWeaver that has already been targeted and exploited in the wild. Further detailed technical explanation of the flaw mechanism is not present, only its impact and urgent need for remediation.
## Exploitation
- Status: Exploited in the wild
- Complexity: Not explicitly stated, but exploitation in the wild suggests moderate to high complexity, and the severity necessitates immediate action.
- Attack Vector: Unknown based solely on the provided snippet.
## Impact
- Confidentiality: Unknown
- Integrity: Unknown
- Availability: Unknown
***Note: The snippet focuses heavily on the urgency and patch requirement, not detailed impact metrics.***
## Remediation
### Patches
- **Mandatory Out-of-Band Patches:** Users must apply the out-of-band patches specifically released for CVE-2025-31324. Applying general previous patches is insufficient.
- These patches were released after the **SAP Security Patch Day - April 2025** (April 8), so systems that applied the Patch Day updates still need them.
### Workarounds
- No specific workarounds are detailed in this summary source.
## Detection
- **Detection Plugins:** Tenable plugins for this vulnerability are available on the individual CVE page for CVE-2025-31324 on Tenable's site (linked under References).
- **Identification Tool:** Customers can use **Tenable Attack Surface Management** to discover public-facing SAP NetWeaver assets using relevant filters.
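
A log-hunting check for the endpoint named in the report's analysis, `/developmentserver/metadatauploader`, added here as an example (it is not Tenable's or SAP's code). It assumes Combined Log Format access logs, for instance from a reverse proxy in front of NetWeaver; the sample lines and verdict labels are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the advisory; log format and verdict labels are assumptions.
ENDPOINT = "/developmentserver/metadatauploader"

# Assumed input: Combined Log Format (e.g. a reverse proxy in front of NetWeaver).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop query/path parameters, URL-decode, collapse slashes, lowercase.
    Deliberately over-matches so encoded or mixed-case variants are not missed."""
    path = unquote(target.split("?", 1)[0]).split(";", 1)[0]
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def hunt(lines):
    """Return {source_ip: [(timestamp, method, status, verdict), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        # The flaw is a missing authorization check, so a 2xx reply to a POST
        # means a request body was accepted: review the host for new files.
        if m["method"] == "POST" and 200 <= status < 300:
            verdict = "investigate: upload accepted"
        else:
            verdict = "probe or blocked"
        hits[m["ip"]].append((m["ts"], m["method"], status, verdict))
    return dict(hits)

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [25/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [25/Apr/2025:10:01:09 +0000] "POST /developmentserver/%6DetadataUploader?x=1 HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.20 - - [25/Apr/2025:11:15:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.5 - - [25/Apr/2025:11:16:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in hunt(SAMPLE).items():
        for event in events:
            print(ip, *event)
```

A hit marked for investigation is a lead rather than proof of compromise; follow it up by reviewing the host for files created around the logged timestamp.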
## References
- Vendor Advisories: [SAP Security Patch Day - April 2025](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html)
- Relevant Links:
  - [Tenable CVE Page for CVE-2025-31324](https://www.tenable.com/cve/CVE-2025-31324/plugins)
  - [ReliaQuest Blog regarding the vulnerability](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/)