Description

The Metadata Uploader component of SAP NetWeaver Visual Composer improperly validates user authorization, allowing unauthenticated attackers to upload arbitrary files to the server. This vulnerability can be exploited to achieve remote code execution (RCE), leading to full system compromise.

Remediation

Upgrade to the latest version of SAP Visual Composer

References

SAP Security Patch Day - April 2025

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Related Vulnerabilities

XWiki Missing Authorization Vulnerability (CVE-2022-41937)

WordPress Plugin Imagements Arbitrary File Upload (1.2.5)

MySQL CVE-2011-2262 Vulnerability (CVE-2011-2262)

phpMyAdmin Improper Input Validation Vulnerability (CVE-2016-9858)

Jboss EAP Other Vulnerability (CVE-2023-3628)

Severity

Critical

Classification

CVE-2025-31324 CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Tags

Unauthenticated File Upload Known Vulnerabilities