Description

The Metadata Uploader component of SAP NetWeaver Visual Composer improperly validates user authorization, allowing unauthenticated attackers to upload arbitrary files to the server. This vulnerability can be exploited to achieve remote code execution (RCE), leading to full system compromise.

Remediation

Upgrade to the latest version of SAP Visual Composer

References

SAP Security Patch Day - April 2025

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8129)

Oracle JRE CVE-2012-3159 Vulnerability (CVE-2012-3159)

PHP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-10547)

WordPress Plugin WooCommerce Catalog Enquiry Arbitrary File Upload (3.0.0)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9735)

Severity

Critical

Classification

CVE-2025-31324 CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Tags

Unauthenticated File Upload Known Vulnerabilities