CVE-2025-31324
SAP NetWeaver Unrestricted File Upload Vulnerability
Severity Score
10.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
17
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
Act
*SSVC
Descriptions
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
*Credits:
N/A
SSVC
- Decision: Act
Timeline
- 2025-03-27 CVE Reserved
- 2025-04-24 CVE Published
- 2025-04-25 First Exploit
- 2025-04-29 Exploited in Wild
- 2025-05-02 CVE Updated
- 2025-05-20 KEV Due Date
- 2025-06-19 EPSS Updated
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
SAP SE | SAP NetWeaver (Visual Composer Development Server) | 7.50 | en | Affected |