Unveiled Public Leak of Severe SAP NetWeaver Vulnerability

In a critical alert for corporate cybersecurity professionals, a vulnerability in SAP's NetWeaver Java Visual Composer, originally patched in April, is now being widely exploited. This revelation comes from the Pathlock research team, whose report is a must-read for anyone in the field, according to Frankie Sclafani, director of cybersecurity enablement at Deepwatch.

The affected products are hosted on NetWeaver, a web application. The vulnerability, identified as CVE-2025-31324, allows unauthenticated remote code execution via the platform's metadata uploader endpoint. This means that even script kiddies can leverage the source code, now widely available, to mount attacks.

Jonathan Stross, SAP Security Analyst at Pathlock, emphasises the ease with which the exploit can be executed, requiring only minutes to get running. To make matters worse, Pathlock has identified a related flaw, CVE-2025-42999, involving insecure deserialization, which has been chained with the uploader bug in attacks.

The public availability of the full source code makes the exploit easy for attackers with little technical expertise to use. In fact, the US Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog.

SAP has addressed both issues in Security Notes 3594142 and 3604119. Nivedita Murthy, senior staff consultant at Black Duck, emphasises the critical nature of the vulnerability. To reduce risk, Pathlock advises immediate action, including applying SAP Security Notes, blocking/restricting access to the vulnerable endpoint, hunting for signs of compromise, isolating compromised nodes, preserving evidence, rotating credentials, and rebuilding from a clean baseline.

The vulnerability poses a serious risk due to its ability to allow attackers to laterally access other services without authentication and perform higher-level attacks. As of now, there are no publicly verified reports naming specific organisations that have deliberately exploited the SAP vulnerability CVE-2025-31324 since the exploit tooling was made publicly available.

The image credit for this article is from Michael Vi / Shutterstock.com. The vulnerability was patched in April 2025. Sclafani reiterates the serious risk of not patching SAP NetWeaver AS Java Visual Composer due to its addition to the Known Exploited Vulnerabilities (KEV) catalog.

In conclusion, it is imperative for organisations using SAP NetWeaver AS Java Visual Composer to prioritise patching and take immediate action to secure their systems against this critical vulnerability.