Rapid Read    •   7 min read

Public Exploit Released for Critical SAP NetWeaver Flaw Affecting Corporate Security

WHAT'S THE STORY?

What's Happening?

A critical vulnerability in SAP NetWeaver AS Java Visual Composer, tracked as CVE-2025-31324, is being actively exploited now that public exploit tooling is available. The flaw, patched in April 2025, is a missing authorization check on the platform's metadata uploader endpoint: an unauthenticated attacker can upload arbitrary files through it and from there achieve remote code execution on the application server. With the exploit's full source code public, the attack is within reach of actors with minimal technical expertise. The US Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, underscoring its severity. SAP's CNA rates it CVSS 10.0 and NVD 9.8, which puts it at the top of the patching queue.

Why Is It Important?

Widespread exploitation of this vulnerability poses a serious risk to every organization running SAP NetWeaver AS Java. With the exploit publicly available, even inexperienced attackers can compromise unpatched systems, which makes prompt patching and preventive measures urgent. Because the endpoint accepts uploads without authentication, a successful attack gives the intruder code execution on the application server, a foothold from which to reach other services and the rest of the SAP landscape. Organizations that leave the flaw unaddressed risk severe breaches affecting both operations and data integrity.

What's Next?

Organizations are advised to apply SAP Security Notes 3594142 and 3604119 to every Java instance to mitigate the risk. They should also block or restrict access to the vulnerable endpoint, and monitor HTTP access logs for requests to it and for the follow-up requests that a dropped web shell produces, feeding those signals into SIEM alerts. If a breach is found, affected nodes should be isolated, evidence preserved, credentials rotated, and the systems rebuilt from a clean baseline. These steps are crucial to stop further exploitation and to secure corporate networks against follow-on attacks.
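As an added example of the log monitoring step above (not code from the article, from SAP, or from any exploit), the following script scans web-server access logs in NCSA combined format for the two signals that exploitation of this flaw leaves behind: a POST to the metadata uploader endpoint and a later request for a JSP file under the portal root from the same source. The endpoint path is the one named in public advisories for CVE-2025-31324; the log lines are constructed for the example, and the log format, the `/irj/` prefix check, and the severity labels are assumptions you should adapt to your own proxy or ICM logging.

```python
"""Triage helper for CVE-2025-31324 exploitation attempts in HTTP access logs.

Added example, not from the article or from SAP. It flags POSTs to the
Visual Composer metadata uploader and follow-up JSP requests from the same
source, which is how a dropped web shell shows up in the logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Path of the metadata uploader servlet named in public advisories for the CVE.
# Assumption: the proxy or ICM log records the request path unchanged.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: NCSA combined format (Apache/nginx in front of the Java stack).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A JSP under the portal root is where uploaded web shells end up being served.
JSP_RE = re.compile(r'^/irj/.*\.jsp$', re.IGNORECASE)

# Constructed sample log; the IPs are documentation ranges, the JSP name is invented.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2025:08:41:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Jul/2025:08:42:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 311 "-" "python-requests/2.32.0"
203.0.113.44 - - [10/Jul/2025:08:42:09 +0000] "GET /irj/dropped.jsp HTTP/1.1" 200 96 "-" "python-requests/2.32.0"
198.51.100.7 - - [10/Jul/2025:08:43:30 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.19 - - [10/Jul/2025:08:50:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "curl/8.6.0"
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    severity: str  # "high" or "medium"
    reason: str


def parse(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Walk the log in order and emit findings for uploader hits and follow-up JSP requests."""
    findings: List[Finding] = []
    uploaders: Set[str] = set()  # sources that have already POSTed to the uploader
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]  # drop the query string
        status = int(rec["status"])
        # Case-insensitive match so trivial case games do not hide the request.
        if path.lower() == UPLOADER_PATH and rec["method"] == "POST":
            uploaders.add(rec["ip"])
            if 200 <= status < 300:
                findings.append(Finding(n, rec["ip"], "high",
                    f"POST to metadata uploader accepted (HTTP {status}); "
                    "treat the host as compromised until proven otherwise"))
            else:
                findings.append(Finding(n, rec["ip"], "medium",
                    f"POST to metadata uploader rejected (HTTP {status}); endpoint is being probed"))
        elif JSP_RE.match(path) and rec["ip"] in uploaders:
            findings.append(Finding(n, rec["ip"], "high",
                "JSP request under /irj/ from a source that already used the uploader; possible web shell"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, the shape a SIEM alert threshold would consume."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no} {f.ip} [{f.severity}] {f.reason}")
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

A rejected POST (the 403 in the sample) still deserves a medium-severity alert, because it shows the endpoint is reachable and being probed; a blocking rule at the proxy should make such requests disappear entirely, which is a quick way to confirm the restriction is in place.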

AI Generated Content
