Exploit for CVE-2025-31324

# Vulnerability and Indicator of Compromise (IoC) Scanner for CVE-2025-31324 (Visual Composer Metadata Uploader Vulnerability)

[CVE-2025-31324](https://www.google.com/url?q=https://nvd.nist.gov/vuln/detail/CVE-2025-31324&sa=D&source=editors&ust=1745779568690662&usg=AOvVaw1IqVqaCZ9oGfB2iCSZIYC4) is a critical (CVSSv3 10) vulnerability affecting SAP NetWeaver systems, specifically within the Visual Composer Metadata Uploader component. This vulnerability allows unauthenticated attackers to upload arbitrary files to the system, leading to potential remote code execution and complete system compromise.

Recognizing the critical nature of this vulnerability, and observing evidence of active exploitation both by Onapsis Threat Intelligence and reported by multiple IR firms and security researchers, Onapsis developed and is releasing this open-source tool to assist SAP customers. Our goal is to empower information security and SAP administration teams to rapidly assess exposure and evaluate whether their systems could have been targeted or compromised. The Visual Composer/Metadata Uploader component is often present in SAP Java NetWeaver, increasing the risk of unmonitored attack surfaces in enterprise environments.

We will continue to enhance this tool as additional threat intelligence and forensic insights are gathered by our products, research team, and the broader cybersecurity community.

> [!IMPORTANT]
> LICENSE INFORMATION: This tool is released under the Apache 2.0 open source license. Please see bundled license information.
> DISCLAIMER: This tool is a contribution to the security, incident response, and SAP communities to aid in response to active exploitation of CVE-2025-31324. This tool is under development and will continue to iterate rapidly as more information becomes available either from Onapsis Research Labs or publicly. This is a best-effort development and offered as-is with no warranty or liability.

This tool can:

* Identify SAP NetWeaver Java systems potentially vulnerable to CVE-2025-31324.
* Identify presence of specific IOC artifacts.

## Tool Output
python3 Onapsis-Scanner-CVE-2025-31324.py sapserver 50000
[CRITICAL] SAP System at http://sapserver:50000/developmentserver/metadatauploader appears to be vulnerable to CVE-2025-31324.
[CRITICAL] Known webshell found at: http://sapserver:50000/irj/helper.jsp


This tool is offered “as is” and without warranty.

## Installation and Prerequisites

The scripts are developed in Python 3 and require you to install the following dependencies:

python3 -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt

## Usage

Once you install the dependencies, you can use Python to run the scripts and get Help from the command line.

### Vulnerability Scanning

\# Syntax: python3 \.py \ \ \

`python3 metadata_uploader_scanner.py example.sap.com 443 true`

\ — Target SAP NetWeaver system (e.g., example.sap.com)

\ — Port number (typically 443 for SSL/TLS connections)

\ — Set to true if SSL/TLS is used, or false for plain HTTP

## Additional Resources

For additional information about the SAP Visual Composer vulnerability, the potential business impact, the affected versions and other data points, please review the SAP Visual Composer [Threat Report](https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/) and the following information:

For more information about how Onapsis can help your enterprise identify and address this vulnerability in your environment contact [email protected]