Active Exploitation of SAP's NetWeaver Visual Composer Metadata Uploader
28 April 2025
SAP has released an out-of-band security update to address a critical vulnerability in its NetWeaver Visual Composer Metadata Uploader product. Users and administrators of the affected product are advised to update to the latest version immediately.
SAP has released an out-of-band security update to address a critical vulnerability in their NetWeaver Visual Composer Metadata Uploader product (CVE-2025-31324). The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10 and is reportedly being actively exploited.
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload malicious executable files, potentially leading to remote code execution (RCE).
The vulnerability affects the Visual Composer Framework 7.50. To check if you are vulnerable, you can test if the following URL is accessible without authentication: https://[your-sap-server]/developmentserver/metadatauploader. If you can access this page without being prompted for your credentials, your system may be vulnerable.
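The check described above can be scripted for your own server. The following is an added example, not code from SAP or from this advisory; the result labels and the reading of each status code are assumptions, and only the endpoint path comes from the advisory.

```python
import urllib.error
import urllib.request

ENDPOINT = "/developmentserver/metadatauploader"  # path from the advisory


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following,
    # so a redirect to a logon page stays visible to the caller.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map an unauthenticated response to a finding (assumed interpretation)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in hdrs:
        return "auth-required"   # prompted for credentials
    if 300 <= status < 400:
        return "redirected"      # usually a logon page; confirm by hand
    if status == 404:
        return "not-found"       # endpoint not deployed or already blocked
    if 200 <= status < 300:
        return "exposed"         # served without credentials: may be vulnerable
    return "inconclusive"        # 5xx and anything else needs manual review


def check(base_url, timeout=10):
    """Send one GET with no credentials to your own server and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))
    except (urllib.error.URLError, OSError):
        return "unreachable"     # includes TLS certificate failures


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))    # e.g. https://[your-sap-server]
```

A result of `exposed` matches the advisory's "may be vulnerable" condition; it does not confirm exploitation or patch status.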
Users and administrators of the affected product version are advised to update to the latest version immediately. If unable to do so, users and administrators are advised to perform the following mitigations:
- Restrict access to the /developmentserver/metadatauploader endpoint.
- If Visual Composer is not in use, consider turning it off entirely.
- Forward logs to SIEM and scan for unauthorized files in the servlet path.
More information is available here:
https://me.sap.com/notes/3594142