SAP Issues Urgent Warning and Requires Immediate Action on Critical CVE-2025-31324 Vulnerability in SAP NetWeaver Visual Composer
With vulnerability CVE-2025-31324, SAP addresses a severe flaw in the Visual Composer (VCFRAMEWORK) of the SAP NetWeaver Application Server Java — so critical that an out-of-band security patch was issued, a step SAP takes only in exceptional cases.
CVE-2025-31324 Vulnerability Overview
According to the NVD database, the flaw stems from missing authentication checks in the MetadataUploader service:
- Attackers can upload arbitrary files, including potentially malicious JSP files or other payloads.
- Risk of Remote Code Execution (RCE) — full system compromise is possible.
- Primarily affects installations of Visual Composer version 7.50.
The severity is reflected in a CVSS score of 9.8 — the highest rating possible, emphasizing the urgency.
SAP Raises the Alarm
SAP itself has issued an unusually strong warning (Knowledge Base Article 359333): the discovery of unknown files in the following directory may indicate a compromise:
/usr/sap/<SID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
The message is clear: Immediate action is mandatory to prevent uncontrolled exploitation.
SAP recommends:
- Install Patch 3594142 immediately.
- If Visual Composer is not needed: deactivate the service or
- Block access via firewall, ICM filters, or network segmentation.
Crucially, even after applying the patch, systems must be carefully reviewed for signs of compromise; SAP’s FAQ (SAP 3593336) provides specific guidance on what to look for.
Plan of Action for Security Teams
Immediate actions to take:
- Apply SAP Security Note 3594142.
- Block external access to /developmentserver/metadatauploader (firewall/WAF).
- Optionally: disable Visual Composer if not in use.
- Perform a forensic review for unexpected files or anomalies — guided by SAP’s indicators.
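As an added example (not SAP's code and not part of the advisory), the two review steps above in Python: flagging access-log requests to the metadatauploader endpoint, and listing JSP files under the irj root that are not in a known-good baseline. The log line format, the baseline set and all sample values are assumptions or constructed data.

```python
import re
import tempfile
from pathlib import Path

# Endpoint named in the advisory and the directory SAP tells admins to inspect.
UPLOADER_PATH = "/developmentserver/metadatauploader"
IRJ_ROOT = "/usr/sap/<SID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"

# Assumed combined-log-style line: ip - - [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Apr/2025:10:01:05 +0000] "GET /irj/portal HTTP/1.1" 200 8123',
    '203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/unknown_constructed.jsp HTTP/1.1" 200 64',
    '198.51.100.9 - - [24/Apr/2025:10:02:00 +0000] "POST /DevelopmentServer/MetadataUploader/ HTTP/1.1" 403 0',
]


def uploader_requests(lines):
    """Every request whose path is the uploader endpoint (case-insensitive,
    query string and trailing slash ignored). Returns (ip, method, status);
    a 2xx answer to a POST is the highest-priority item to investigate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path == UPLOADER_PATH:
            hits.append((m["ip"], m["method"], int(m["status"])))
    return hits


def unexpected_jsp_files(root, baseline):
    """JSP files under root (recursively) whose relative path is not in the
    known-good baseline, e.g. taken from a clean system of the same release."""
    root = Path(root)
    found = {p.relative_to(root).as_posix() for p in root.rglob("*.jsp")}
    return sorted(found - set(baseline))


def demo_file_check():
    """Build a constructed irj root in a temp dir and run the file check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        for name in ("index.jsp", "sub/portal.jsp", "unknown_constructed.jsp"):
            (root / name).write_text("<%-- constructed sample --%>")
        return unexpected_jsp_files(root, {"index.jsp", "sub/portal.jsp"})


if __name__ == "__main__":
    for hit in uploader_requests(SAMPLE_LOG):
        print("uploader request:", hit)
    print("unexpected JSP files:", demo_file_check())
```

On a real system point unexpected_jsp_files at IRJ_ROOT with a baseline captured from a known-clean instance; any hit still needs manual review, since legitimate customer JSPs may also live there.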
Why SAP’s Warning Is Serious
Several factors confirm the urgency of this situation:
- SAP issued an out-of-band patch — a rare and serious move.
- Active exploitation is already occurring (confirmed by SAP).
- SAP provides unusually specific advice on where to look for evidence of compromise.
SAP is leaving no room for doubt this time.
Those who act quickly can still neutralize the severe risks posed by this vulnerability.