Fortra is actively researching a vulnerability impacting SAP NetWeaver: CVE-2025-31324 (CVSS 3.1: 10).
SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the /developmentserver/metadatauploader endpoint. A malicious actor could upload JSP-based web shells to the servlet_jsp/irj/root path.
Who is affected?
SAP NetWeaver Visual Composer is affected by CVE-2025-31324.
SAP has restricted access to its advisory, so we do not know which platforms are impacted. If you are an SAP customer, see https://me.sap.com/notes/3594142 for more information.
What can I do?
For SAP's solution to this vulnerability and any potential mitigations they may have shared, SAP customers can log in and view the vulnerability note at https://me.sap.com/notes/3594142.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- FusionVM: Fortra has added an unauthenticated network check to the FusionVM scanner on April 29, 2025, for EID=307042.
- Alert Logic IDS: Released two IDS signatures for CVE-2025-31324 SAP NetWeaver Arbitrary File Upload: one signature detects the initial upload attempt, and the other targets the currently known post-compromise follow-up request to an uploaded file. For the post-compromise rule, SAP (according to a non-public advisory) has indicated that the presence of .java and .class files may indicate exploitation, so these file types are now included in detection. However, requests to these file types are less common; post-compromise activity will most likely target uploaded JSP shells.
IMPORTANT: At this time, it remains unclear whether the upload will contain a malicious file directly or a ZIP file with compressed, serialized data. The initial attack rule covers both scenarios (i.e., direct file upload or a ZIP file referencing a malicious filename), and the post-compromise rule does not depend on the specific attack method.
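To illustrate the two-rule logic described above on web-server access logs rather than on the wire, here is an added example (not Fortra's signatures or SAP's code): it flags POST requests to /developmentserver/metadatauploader, flags follow-up requests for .jsp, .java or .class files under /irj/root, and then correlates the two per source IP. The sample log lines are constructed, and it assumes that files dropped into servlet_jsp/irj/root are reachable over HTTP under the /irj/root/ URL prefix.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample access log (combined log format). The source IPs, timestamps
# and file names are hypothetical; the request paths follow the advisory above.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [28/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.5 - - [28/Apr/2025:10:03:11 +0000] "GET /irj/root/cache.jsp HTTP/1.1" 200 88
192.0.2.9 - - [28/Apr/2025:10:04:30 +0000] "GET /irj/root/Helper.class HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"   # vulnerable upload endpoint
SHELL_ROOT = "/irj/root/"   # assumed URL prefix for files written to servlet_jsp/irj/root
SHELL_EXTS = (".jsp", ".java", ".class")   # file types named in the advisory
Finding = NamedTuple("Finding", [("rule", str), ("ip", str), ("path", str), ("status", int)])

def classify(method: str, path: str) -> Optional[str]:
    """Map one request to a rule name, mirroring the two IDS signatures."""
    p = path.split("?", 1)[0].lower()   # drop the query string, match case-insensitively
    if method == "POST" and p == UPLOAD_ENDPOINT:
        return "upload_attempt"
    if p.startswith(SHELL_ROOT) and p.endswith(SHELL_EXTS):
        return "post_compromise"
    return None

def scan(log_text: str) -> list:
    """Parse each access-log line and keep the requests that hit either rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than crash
        rule = classify(m["method"], m["path"])
        if rule:
            findings.append(Finding(rule, m["ip"], m["path"], int(m["status"])))
    return findings

def correlate(findings: list) -> list:
    """Source IPs that hit the upload endpoint and then fetched a file under /irj/root
    with a 2xx response: the strongest sign that an upload actually succeeded."""
    uploaders = {f.ip for f in findings if f.rule == "upload_attempt"}
    return sorted({f.ip for f in findings
                   if f.rule == "post_compromise" and f.ip in uploaders and 200 <= f.status < 300})
```

A 404 on the follow-up request (the last sample line) is still reported as a post-compromise hit, since it may indicate an attempt against a file that was never written, but only 2xx responses from a known uploader are promoted by correlate().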
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. We will update this article with new information about this vulnerability and related security coverage as it becomes available.
- 04/28/2025: Released two IDS signatures for CVE-2025-31324 SAP NetWeaver Arbitrary File Upload: one for detecting initial upload attempts and another for post-compromise activity, with expanded detection for .java and .class files based on SAP guidance. The initial rule covers both direct malicious uploads and ZIP-based attacks.
- 04/29/2025: Fortra added a network check to FusionVM.
