In April 2025, SAP addressed a critical vulnerability in SAP NetWeaver AS Java Visual Composer known as CVE-2025-31324. This flaw allows unauthenticated remote code execution through the Visual Composer “metadata uploader” endpoint.
Shortly after the patch, proof-of-concept exploit code was leaked publicly.
Now, full exploit tooling has been dropped openly. With the source code now widely available, even script kiddies can leverage it. The exploit is simple to execute, requiring only minutes to get running, and with AI tools like GPT, even non-tech-savvy individuals could cause critical damage to organizations that remain unpatched.
In this research, we reverse-engineered the source code and provide recommendations to organizations and the SAP security community on how to protect against this threat.
For Leaders
CVE-2025-31324 is a critical unauthenticated file-upload flaw in the Visual Composer Metadata Uploader (SAP NetWeaver Java). It is being actively exploited. SAP has shipped fixes under Security Note 3594142 (for CVE-2025-31324) and a related corrective note 3604119 (for CVE-2025-42999, insecure deserialization) that attackers have combined with the upload path. Prioritize patching, reducing exposure, and hunting now.
A High-Level Perspective on CVE-2025-31324
Vulnerability
Missing authorization in the Visual Composer Metadata Uploader allows unauthenticated uploads of attacker‑controlled content, enabling remote code execution (RCE). (CWE‑434)
Severity
SAP/CNA attributes CVSS 10.0; NVD attributes CVSS 9.8 – treat as critical either way.
Active Exploitation and Public exploit
CISA added CVE‑2025‑31324 to the Known Exploited Vulnerabilities (KEV) catalog. A public exploit has been widely cataloged by vx‑underground (see “Where the public code is” at the end). *We do not reproduce exploit code.*
Related issue
SAP released Note 3604119 covering CVE‑2025‑42999 (insecure deserialization) in the same area; apply both notes.
The threat affects organizations running SAP NetWeaver (Java) systems where Visual Composer (EP‑VC‑INF) is present and reachable. If the Visual Composer development server is deployed, the system is exposed to potential attacks until patched and properly restricted.
Why This Matters
Privilege and blast radius: Successful exploitation generally yields execution with the SAP Java service account, enabling lateral movement into portals, identity, and connected systems.
Observed outcomes: Public reporting ties exploitation to classic web‑shell drops and post‑compromise persistence; in some cases, Linux backdoors were observed after initial access.
Exploit accessibility: Widely shared PoCs lower the barrier for opportunistic attackers.
What Pathlock Recommends
1. Apply Patches
Apply SAP Security Note 3594142 (CVE‑2025‑31324) and SAP Security Note 3604119 (CVE‑2025‑42999). Validate fixes on all Java instances and cluster nodes.
2. Reduce exposure
Restrict or block `/developmentserver/metadatauploader` at SAP Web Dispatcher/ICM/WAF; do not expose developer/administrative endpoints to the internet. If Visual Composer is not required, disable it.
3. Assume‑breach hunting (retrospective + forward)
- HTTP/ICM logs: Hunt for `POST /developmentserver/metadatauploader` with `application/octet-stream` or multipart bodies.
- IRJ servlet paths: Triage `…/irj/servlet_jsp/irj/root/` for unexpected `.jsp`/`.class` files and timestamp anomalies.
- Process/host telemetry: SAPJVM‑spawned shells or compression utilities; anomalous outbound connections.
- SIEM content: Add rules for suspicious uploads and new files under IRJ paths; ingest `defaultTrace`, Web Dispatcher, and ICM logs.
4. If compromise is suspected
Isolate affected nodes, preserve evidence (ICM/Web Dispatcher logs, `defaultTrace`, process lists, file hashes), rotate service credentials/SSO, and rebuild to a known‑good baseline after patching before reconnecting.
References (primary & reputable)
- SAP Security Patch Day May 2025 lists Note 3594142 and updates (and provides patching context for 3604119).
- NVD: CVE‑2025‑31324 description and scoring (SAP CNA 10.0, NVD 9.8).
- CISA KEV inclusion confirms active exploitation.
- Microsoft Defender/Microsoft Security investigation and hunting guidance referencing the uploader path.
- Independent media and threat intel coverage of exploitation waves and post‑exploitation tooling.
Your Pathlock engagement team can supply direct links and a 24‑hour response checklist tailored to your Web Dispatcher/ICM topology and SIEM tooling on request.
Technical Walkthrough (for SAP security engineers)
High‑level exploit flow
Pre‑auth POST to `/developmentserver/metadatauploader` can cause server‑side processing of attacker‑controlled content due to missing authorization.
In some chains, attackers rely on **insecure deserialization (CVE‑2025‑42999)** to reach command execution; others drop web‑shells under IRJ paths.
What Pathlock analyzed in the public exploit
Pathlock analyzed a publicly circulating exploit script and observed that it constructs a ZIP with a single `.properties` entry containing serialized bytes, then POSTs that archive to the Visual Composer uploader. It uses explicit string‑matching heuristics to infer success and optionally attempts persistence via an IRJ JSP write. Non‑sensitive identifiers from the analyzed code include (for detection and hunting only):
```python
# Endpoint and response heuristics seen in the public exploit
url = TARGET + "/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1"
if "Cause – Getter getOutputProperties" in response.text:
    print("[+] Exploit should be success!")
elif "local class serialVersionUID = -7308740002576184038" in response.text:
    # heuristic for NetWeaver 7.5 handling
    ...
# Optional JSP persistence target (IRJ servlet path)
fileName = "../apps/sap.com/irj/servlet_jsp/irj/root/" + SHELL_NAME
```
Where the public script can be found (for defenders)
and the vx‑underground CVE archive index. Access strictly for authorized, controlled defensive analysis.
Logs, endpoints, and queries to monitor
- Endpoints: `POST /developmentserver/metadatauploader` (often with `?CONTENTTYPE=MODEL&CLIENT=1`).
- Web/ICM logs: Filter for that path with `application/octet-stream` or multipart bodies; review 200 responses with unusual sizes or the server string noted above.
- File system: IRJ servlet directories (`…/irj/servlet_jsp/irj/root/`) for unexpected `.jsp`/`.class` files; hash and quarantine suspicious artifacts.
- Process telemetry: SAPJVM spawning `cmd.exe /c` or `/bin/sh -c`; outbound beacons from SAP hosts.
- SIEM: Correlate suspicious uploads + new files in IRJ paths; ingest `defaultTrace`, Web Dispatcher, and ICM logs.
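The hunting logic from the "Assume‑breach hunting" list and the monitoring list above, as an added example that is not part of the original research or of any SAP tooling: it scans access-log lines for POSTs to the uploader (flagging the octet-stream/multipart body types and the `CONTENTTYPE=MODEL&CLIENT=1` query string) and then correlates the same source with later requests for `.jsp` files under the IRJ servlet root. The log layout is a constructed, simplified one; the field order is an assumption you must map to your real ICM or Web Dispatcher log format.

```python
# Added example, not code from the original research or from SAP: hunt a
# web-server access log for the CVE-2025-31324 uploader pattern and correlate
# it with later requests for JSP files under the IRJ servlet root.
# Assumed (constructed) log layout: src method target status request-content-type bytes
import re
from urllib.parse import parse_qs, urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"
IRJ_ROOT = "/irj/servlet_jsp/irj/root/"
BODY_TYPES = ("application/octet-stream", "multipart/form-data")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 POST /irj/portal 200 text/html 5120
203.0.113.9 POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 200 application/octet-stream 312
203.0.113.9 GET /irj/servlet_jsp/irj/root/helper.jsp 200 - 88
10.0.0.7 POST /developmentserver/metadatauploader 403 multipart/form-data 0
"""

def hunt(log_text):
    """Return one finding per suspicious line: upload attempts and follow-up JSP hits."""
    findings, uploaders = [], set()   # uploaders: sources that POSTed to the endpoint
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                   # unparseable line; in production, count these too
        src, method, target, status, ctype, _size = m.groups()
        url = urlsplit(target)
        if url.path == UPLOADER_PATH and method == "POST":
            reasons = ["POST to metadata uploader"]
            if ctype.startswith(BODY_TYPES):
                reasons.append("body type " + ctype)
            qs = parse_qs(url.query)
            if qs.get("CONTENTTYPE") == ["MODEL"] and qs.get("CLIENT") == ["1"]:
                reasons.append("query string seen in public exploit")
            # 200 means the server processed the body; 403 shows a probe the edge blocked
            sev = "high" if status == "200" else "medium"
            uploaders.add(src)
            findings.append({"src": src, "severity": sev, "reasons": reasons})
        elif url.path.startswith(IRJ_ROOT) and url.path.endswith(".jsp") and src in uploaders:
            findings.append({"src": src, "severity": "critical",
                             "reasons": ["JSP under IRJ root requested after upload"]})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["src"], "; ".join(f["reasons"]))
```

A 403 on the uploader path is still worth triage: it shows the endpoint is being probed even if the edge device blocked the body.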
Remediation verification checklist
- Confirm Notes 3594142 & 3604119 applied on every node; restart affected apps/services where required.
- Validate edge devices block external access to `/developmentserver/metadatauploader`.
- Post‑patch, repeat hunts to ensure no persistence remains (web‑shells, scheduled tasks, rogue services).
Prepared by Pathlock Research, for Pathlock customers and the SAP security community.