CVE-2025-31324 Scanner

SAP NetWeaver is a technology platform for building and running SAP applications. It provides core capabilities such as application server support, integration tools, and data management. The NetWeaver Visual Composer is a tool for designing and configuring applications in the SAP ecosystem, helping users create and manage business workflows and processes. SAP NetWeaver Visual Composer is used in large enterprise environments, typically supporting mission-critical applications. Its ability to integrate with various SAP modules and third-party systems makes it an essential part of many SAP-driven business infrastructures. However, vulnerabilities in the platform could have serious consequences for system security and stability.

The SAP NetWeaver Visual Composer Metadata Uploader is vulnerable to a deserialization attack due to a lack of proper authorization. The flaw allows unauthenticated attackers to upload potentially malicious executable files (ZIP files) containing serialized data that can trigger remote code execution (RCE) when unpacked by the target server. This vulnerability can result in severe consequences, including unauthorized access to the server, the ability to execute arbitrary code, and the compromise of sensitive data. The issue primarily affects users of SAP NetWeaver prior to the latest security patch, exposing systems to significant risk.

The vulnerability occurs in the Metadata Uploader feature of SAP NetWeaver Visual Composer. When an unauthenticated agent uploads a ZIP file containing malicious serialized data, it is unpacked by the server without proper validation or authorization. This enables the attacker to execute arbitrary code stored within the uploaded file. This is a classic example of a deserialization vulnerability, where malicious input in the form of serialized data can be processed by the application, allowing an attacker to trigger harmful actions, such as executing arbitrary commands or gaining unauthorized access to system resources.

If exploited, this vulnerability could allow attackers to execute arbitrary code on the SAP NetWeaver server, leading to a full compromise of the system. Attackers could gain unauthorized access to critical data, manipulate the configuration, and escalate their privileges. Given the high severity of this flaw, its exploitation could result in the loss of data confidentiality, integrity, and availability, disrupting critical business operations. This could also lead to a complete system takeover, further enabling the attacker to propagate the attack to other parts of the network or environment.

REFERENCES

• https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
• https://www.theregister.com/2025/04/25/sap_netweaver_patch/
• https://me.sap.com/notes/3594142
• https://url.sap/sapsecuritypatchday