In April 2025, SAP patched a critical vulnerability in NetWeaver AS Java Visual Composer. The flaw, tracked as CVE-2025-31324, allows unauthenticated remote code execution through the Visual Composer “metadata uploader” endpoint. Within weeks, proof-of-concept code appeared in public forums.
Now, the exploit is no longer theoretical. Full tooling has been released. Source code is out in the open, easy to download and run. It takes little skill to weaponize. With AI assistance, even non-specialists can cause damage to systems that remain unpatched.
Pathlock researchers examined the leaked exploit code. Their analysis confirms that the attack chain is simple. An attacker can upload crafted files through the vulnerable endpoint. In some cases, exploitation is paired with CVE-2025-42999, an insecure deserialization flaw, to achieve reliable execution. Both vulnerabilities are now patched by SAP under Notes 3594142 and 3604119.
Why This Matters
Successful exploitation gives the attacker the privileges of the SAP Java service account. From there, lateral movement is possible into portals, identity stores, and linked systems. Public reporting has tied attacks to web-shell deployments, persistence mechanisms, and in some cases Linux backdoors. With public tooling available, the barrier for entry is low.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities catalog. Independent researchers, Microsoft, and other security teams have confirmed that exploitation is active in the wild.
What Entities Should Do
- Apply patches. Install SAP Security Notes 3594142 and 3604119 across all Java instances and cluster nodes.
- Reduce exposure. Restrict or block access to /developmentserver/metadatauploader at Web Dispatcher, ICM, or WAF layers. Disable Visual Composer entirely if it is not required.
- Hunt retrospectively and forward. Review HTTP and ICM logs for suspicious uploads. Inspect IRJ servlet directories for unexpected JSP or class files. Monitor for SAPJVM-spawned shells and unusual outbound connections.
- Respond quickly if compromised. Isolate affected nodes. Preserve logs and forensic data. Rotate credentials. Rebuild to a known-good baseline before reconnecting to production networks.
Patch and Harden Without Delay
The takeaway is straightforward. Systems running SAP NetWeaver Java with Visual Composer exposed must be patched and hardened without delay. The exploit is public, the attack surface is clear, and active exploitation is confirmed.
Jonathan Stross, SAP Security Analyst at Pathlock, says with the source code now widely available, even script kiddies can leverage it. “The exploit is simple to execute – requiring only minutes to get running – and with AI tools like GPT, even inexperienced hackers could cause critical damage to organizations that remain unpatched.”
Recommendations
Apply Patches: Apply SAP Security Note 3594142 (CVE‑2025‑31324) and SAP Security Note 3604119 (CVE‑2025‑42999). Validate fixes on all Java instances and cluster nodes.
Reduce Exposure: Restrict or block `/developmentserver/metadatauploader` at SAP Web Dispatcher/ICM/WAF; do not expose developer/administrative endpoints to the internet. If Visual Composer is not required, disable it.
Assume‑Breach Hunting (Retrospective + Forward):
- HTTP/ICM logs: Hunt for `POST /developmentserver/metadatauploader` with `application/octet-stream` or multipart bodies.
- IRJ servlet paths: Triage `…/irj/servlet_jsp/irj/root/` for unexpected `.jsp`/`.class` files and timestamp anomalies.
- Process/host telemetry: SAPJVM‑spawned shells or compression utilities; anomalous outbound connections.
- SIEM content: Add rules for suspicious uploads and new files under IRJ paths; ingest `defaultTrace`, Web Dispatcher, and ICM logs.
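The log-hunting rules listed above, written out as a small Python script so they can be run against an exported access log; this is an added illustration, not code from Pathlock or from this article. The log layout (a CLF-like line whose last quoted field is the request Content-Type), the sample lines, and the file name `helper.jsp` are constructed assumptions; adapt `LOG_RE` to the LOGFORMAT your ICM or Web Dispatcher actually writes.

```python
import re

# Constructed sample ICM/Web Dispatcher access log (assumption: a CLF-like LOGFORMAT
# whose last quoted field is the request Content-Type; adapt LOG_RE to your format).
SAMPLE_HTTP_LOG = """\
203.0.113.7 - - [12/Sep/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "text/html"
203.0.113.9 - - [12/Sep/2025:10:15:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312 "application/octet-stream"
198.51.100.4 - - [12/Sep/2025:10:16:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 288 "multipart/form-data; boundary=----x"
198.51.100.4 - - [12/Sep/2025:10:16:12 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 64 "text/html"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)
UPLOADER = "/developmentserver/metadatauploader"   # endpoint named in the advisory
IRJ_ROOT = "/irj/servlet_jsp/irj/root/"             # where dropped .jsp/.class files land

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Map one parsed record to a finding label, or None when nothing matches."""
    path = rec["path"].split("?", 1)[0].lower()
    ctype = rec["ctype"].lower()
    if rec["method"] == "POST" and path == UPLOADER:
        if ctype.startswith(("application/octet-stream", "multipart/")):
            return "metadatauploader_upload"
        return "metadatauploader_post"          # still worth a look once the endpoint is blocked
    if path.startswith(IRJ_ROOT) and path.endswith((".jsp", ".class")):
        return "irj_root_script_access"         # allowlist known portal JSPs in production
    return None

def hunt(log_text):
    """Run the rules over a whole log; returns {client_ip: [(timestamp, label, path), ...]}."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            findings.setdefault(rec["ip"], []).append((rec["ts"], label, rec["path"]))
    return findings

def prioritise(findings):
    """A client that uploads and then requests a script under IRJ root is the strongest signal."""
    strong = {"metadatauploader_upload", "irj_root_script_access"}
    return {ip: ("high" if strong <= {lbl for _, lbl, _ in ev} else "medium")
            for ip, ev in findings.items()}

if __name__ == "__main__":
    for ip, level in prioritise(hunt(SAMPLE_HTTP_LOG)).items():
        print(level, ip)
```

Feed the same records into your SIEM as the basis for the "suspicious upload" and "new file under IRJ" rules; the sequence upload-then-script-request from one client is what should page someone.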
He says if compromise is suspected, isolate affected nodes, preserve evidence (ICM/Web Dispatcher logs, `defaultTrace`, process lists, file hashes), rotate service credentials/SSO, and rebuild to a known‑good baseline after patching before reconnecting.
A Critical Read
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, says Pathlock’s report is a critical read for anyone in corporate cybersecurity. “It highlights how a vulnerability in SAP’s NetWeaver Java Visual Composer, originally patched in April, is now being widely exploited. A critical file-upload flaw allows unauthenticated attackers to execute code remotely, effectively taking control of a system. The most concerning detail is that the exploit code and toolkit have been made public, making it accessible to even low-skilled attackers.”
This isn’t just a hypothetical risk, Sclafani adds. “The CISA has already added this vulnerability, CVE-2025-31324, to its Known Exploited Vulnerabilities (KEV) catalog. This confirms that real-world attacks are happening. Attackers can, and will, combine this flaw with other related vulnerabilities to gain deeper access, often dropping backdoors or web shells.”
Sclafani says this isn’t just about a single server: a successful attack could potentially allow attackers to move laterally across an entire SAP network, impacting portals and connected systems vital to business operations. “Organizations need to patch immediately, block access to the vulnerable endpoint, and proactively hunt for any signs of compromise. The bottom line is, if you’re running this software and you haven’t patched, you’re at serious risk.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.