Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

Vulnerability Details

Basic Information

Title Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324
Type rapid7blog
Published 2025-04-28T11:57:12
Last Seen 2025-04-28T13:52:41
CVSS Score 10.0 (CRITICAL)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

CVE Information

CVE IDs CVE-2025-31324
CWE
Bulletin Family info

Description


On Thursday, April 24, enterprise resource planning company SAP published a CVE (and a day later, an advisory behind login) for CVE-2025-31324, a zero-day vulnerability in NetWeaver Visual Composer that carries a CVSSv3 score of 10. The vulnerability arises from a missing authorization check in Visual Composer’s Metadata Uploader component that, when successfully exploited, allows unauthenticated attackers to send specially crafted POST requests to the `/developmentserver/metadatauploader` endpoint, resulting in unrestricted malicious file upload.

While the vulnerable component is not installed in NetWeaver’s default configuration, SAP security firm Onapsis notes that it is widely enabled.

Per SAP’s docs, Visual Composer “operates on top of the SAP NetWeaver Portal, utilizing the portal’s connector-framework interfaces to enable access to a range of data services, including SAP and third-party enterprise systems. In addition to accessing SAP Business Suite systems, users can access SAP NetWeaver Business Warehouse and any open/JDBC stored procedures.”

## Rapid7-observed exploitation

CVE-2025-31324 is being actively exploited in the wild; Rapid7 MDR has observed exploitation in multiple customer environments dating back to at least March 27, 2025, nearly all of which has targeted manufacturing companies. Adversaries have exploited the vulnerability to drop webshells in the following directory: `j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/`

Public threat intelligence on CVE-2025-31324 exploitation has highlighted the use of webshells named `helper.jsp` and `cache.jsp`. With few exceptions (like `helper.jsp`), most webshells Rapid7 has observed had random 8-character names, e.g.:
`cglswdjp.jsp`
`ijoatvey.jsp`
`dkqgcoxe.jsp`
`ylgxcsem.jsp`
`cpyjljgo.jsp`
`tgmzqnty.jsp`

Rapid7 has not attributed this activity to a specific threat actor at time of writing.
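The request pattern described above can be hunted for in web-server or reverse-proxy access logs in front of the NetWeaver Java stack. The following is an added example, not Rapid7's or SAP's code: it parses common-log-format lines, flags POST requests to `/developmentserver/metadatauploader` and requests for JSP files under `/irj/` whose names match the publicly reported webshell names or the random 8-character pattern Rapid7 observed, and groups the hits by client address. The log layout, the `/irj/<name>.jsp` web path for files dropped under the `irj/servlet_jsp/irj/root/` directory, the 8-character regex, and the sample lines are all assumptions constructed for this example.

```python
"""Hunt HTTP access logs for CVE-2025-31324 exploitation patterns.

Added example, not Rapid7's or SAP's code. Assumes a common-log-format
layout (client, ident, user, [timestamp], "METHOD PATH PROTO", status, size)
and that files dropped under .../irj/servlet_jsp/irj/root/ are served at
/irj/<name>; the log lines in SAMPLE_LOG are constructed, not real traffic.
"""
import re
from collections import defaultdict

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}          # names from public reporting
RANDOM_SHELL = re.compile(r"^[a-z0-9]{8}\.jsp$")      # Rapid7's random 8-char names (heuristic)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Label one parsed request, or return None when it looks benign."""
    path = rec["path"].split("?", 1)[0]          # drop the query string
    if rec["method"] == "POST" and path.lower() == UPLOAD_ENDPOINT:
        return "metadatauploader_post"
    name = path.rsplit("/", 1)[-1].lower()
    if path.lower().startswith("/irj/") and (name in KNOWN_SHELLS or RANDOM_SHELL.match(name)):
        return "suspected_webshell_request"
    return None


def hunt(lines):
    """Group findings by client IP as (timestamp, label, path, status) tuples."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings[rec["ip"]].append((rec["ts"], label, rec["path"], rec["status"]))
    return dict(findings)


# Constructed sample traffic: an upload followed by a call to a dropped shell,
# a benign portal request, and a probe for a known shell name that was not present.
SAMPLE_LOG = """
10.0.0.5 - - [27/Mar/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.5 - - [27/Mar/2025:10:01:20 +0000] "GET /irj/cglswdjp.jsp?cmd=id HTTP/1.1" 200 88
192.0.2.9 - - [27/Mar/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 4410
198.51.100.7 - - [28/Mar/2025:08:15:33 +0000] "GET /irj/helper.jsp HTTP/1.1" 404 120
"""


def demo():
    """Run the hunt over the constructed SAMPLE_LOG."""
    return hunt(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for ip, hits in demo().items():
        print(ip)
        for ts, label, path, status in hits:
            print(f"  {ts}  {label:28s} {status}  {path}")
```

A 404 for a known shell name is still reported on purpose: a client probing for `helper.jsp` that is not there is itself worth a look, and a 200 for a POST to the uploader from an address that then requests a JSP under `/irj/` is the sequence to triage first.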

## Mitigation guidance

**All** SAP NetWeaver 7.xx versions and service packs (SPS) are affected.

SAP’s non-public guidance indicates that customers can check system info (http://host:port/nwa/sysinfo) for the Software Component VISUAL COMPOSER FRAMEWORK (`VCFRAMEWORK.SCA`). If this check returns no results, SAP has said the vulnerability is “not relevant for that system.”

Customers should update to the latest version of NetWeaver AS on an emergency basis, without waiting for a regular patch cycle. **Note that updating to a fixed version of NetWeaver will not address pre-existing compromises.** Customers who are unable to update to a fixed version should disable Visual Composer by following SAP's directions for disabling the component.

Customers should also restrict access to the affected endpoint (`/developmentserver/metadatauploader`) and investigate their environments for signs of compromise. SAP's non-public advisory notes that the "most common targets for an attacking agent" are the following paths under the Java server file system (the system-specific directory segments between `sap\` and `j2ee\` vary per installation and are not reproduced here); `jsp`, `java`, or `class` files present directly in these paths should be considered malicious:
`C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root`
`C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work`
`C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync`
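Because patching does not remove files an attacker already dropped, the three directories above need to be checked on every affected host. The following is an added example, not SAP's or Rapid7's code: given the `j2ee\cluster` directory (the caller supplies the system-specific part of the path above it), it lists `jsp`, `java` and `class` files sitting directly in `irj/root`, `irj/work` and `irj/work/sync`, records size, modification time and SHA-256 for each, and labels why it was flagged. The `build_demo_tree()` helper constructs a fake layout so the script runs offline; the file names and contents in it are constructed and nothing in it is a real webshell.

```python
"""Triage the SAP NetWeaver Java paths named as common webshell drop locations.

Added example, not SAP's or Rapid7's code. Given the j2ee cluster directory
(the part of SAP's paths from j2ee\\cluster onward; the system-specific
segments above it are supplied by the caller), it lists jsp/java/class files
sitting directly in irj/root, irj/work and irj/work/sync with size, mtime and
SHA-256, and labels why each was flagged. build_demo_tree() constructs a fake
layout so the script runs offline; nothing in it is a real webshell.
"""
import hashlib
import re
import tempfile
import time
from pathlib import Path

IRJ_SUBDIRS = ("root", "work", "work/sync")          # the three SAP-listed directories
SUSPECT_EXT = {".jsp", ".java", ".class"}
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}           # names from public reporting
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.jsp$")       # Rapid7-observed naming (heuristic)


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_name(name):
    """Explain why a file name is flagged; any jsp/java/class in these paths is suspect."""
    lower = name.lower()
    if lower in KNOWN_SHELLS:
        return "known_webshell_name"
    if RANDOM_NAME.match(lower):
        return "random_8char_jsp"
    return "unexpected_" + lower.rsplit(".", 1)[-1] + "_file"


def triage(cluster_dir):
    """Return findings for suspect files directly inside the three irj paths."""
    base = Path(cluster_dir) / "apps" / "sap.com" / "irj" / "servlet_jsp" / "irj"
    findings = []
    for sub in IRJ_SUBDIRS:
        d = base / sub
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):             # no recursion: SAP says "directly in"
            if not p.is_file() or p.suffix.lower() not in SUSPECT_EXT:
                continue
            st = p.stat()
            findings.append({
                "path": str(p),
                "name": p.name,
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_of(p),
                "reason": classify_name(p.name),
            })
    return findings


def build_demo_tree(cluster_dir):
    """Constructed layout for the demo: one fake shell, one stray .class, two benign files."""
    base = Path(cluster_dir) / "apps" / "sap.com" / "irj" / "servlet_jsp" / "irj"
    (base / "root").mkdir(parents=True, exist_ok=True)
    (base / "work" / "sync").mkdir(parents=True, exist_ok=True)
    (base / "root" / "cglswdjp.jsp").write_text("<%-- placeholder, not a real webshell --%>")
    (base / "root" / "index.html").write_text("<html></html>")
    (base / "work" / "app.properties").write_text("k=v")
    (base / "work" / "sync" / "x.class").write_bytes(b"\xca\xfe\xba\xbe")
    return cluster_dir


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:24s} {f['size']:6d} {f['mtime']} {f['sha256'][:16]}  {f['path']}")
```

Run it against the real cluster directory rather than the demo tree, keep the hashes and timestamps for the incident record before removing anything, and treat a clean result as one data point only: the advisory calls these the most common targets, not the only possible ones, and the log hunt for uploader POSTs is the complementary check.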

For additional information and the latest guidance, please refer to SAP’s non-public materials or contact SAP support.

## Rapid7 customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage.

For InsightVM and Nexpose customers, our vulnerability coverage engineering team is investigating options to help customers assess exposure to this threat. We will update this blog no later than 3 PM ET on Monday, April 28 with additional information and delivery timelines.

