Summary
- CVE ID: CVE-2025-31324
- Discovered by: iamnoooob, rootxharsh, parthmalhotra, pdresearch
- Severity: Critical
- CVSS v3.1 Score: 10.0
- CWE ID: CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Status: Verified
- EPSS Score: 0.00043 (Percentile: 12.532%)
Description
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable to unauthenticated access, allowing remote attackers to upload and potentially execute arbitrary serialized Java objects. The service lacks adequate authorization controls, exposing it to deserialization attacks which can lead to full system compromise.
This vulnerability allows a threat actor to upload executable binaries and initiate remote code execution (RCE), severely compromising the confidentiality, integrity, and availability of affected systems.
Additionally, OP Innovate’s ASM scanner has integrated detection capabilities for this specific vulnerability, enabling proactive identification and mitigation of at-risk assets within an organization’s digital perimeter.
Technical Analysis
- Attack Vector: Remote, unauthenticated HTTP POST request
- Affected Endpoint: /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1
- Exploit Method: Java deserialization of crafted base64 payload embedded in a multipart form
- Indicators of Exploitation:
  - Multipart POST requests to the uploader endpoint
  - Base64-encoded Java serialized objects
  - Response body with error strings like “FAILED” and “Cause”
  - External DNS lookups confirming out-of-band exploitation
Proof of Concept
The vulnerability can be verified using a serialized Java object embedded in a .properties file uploaded to the vulnerable endpoint. OAST (Out-of-Band Application Security Testing) platforms such as Interactsh confirm exploitation via DNS interaction.
Mitigation
- Patch Available: Yes – Apply SAP Security Note 3594142
- SAP Patch Day Details: https://url.sap/sapsecuritypatchday
- Other Recommendations:
  - Restrict access to SAP development components
  - Implement strict validation on file uploads
  - Monitor for anomalous traffic to the uploader endpoint
Detection Guidance
- WASP: OP Innovate has developed and deployed a dedicated WASP scanner specifically designed to identify insecure deserialization vulnerabilities, including CVE-2025-31324. This scanner is currently operational and actively scanning for affected SAP NetWeaver components, providing targeted detection for externally and internally exposed systems.
- Network Monitoring: Flag unauthenticated multipart/form-data POST requests, especially to /developmentserver/metadatauploader.
- Payload Inspection: Detect base64-encoded Java serialized object patterns within upload requests.
- Threat Intelligence: Utilize OP Innovate ASM scanner, WASP, or equivalent reconnaissance tools to map and identify vulnerable assets across the organization’s external and internal environments.
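The Network Monitoring and Payload Inspection checks above can be combined into one request classifier. The sketch below is an added example, not OP Innovate's or SAP's code; the function names, the indicator labels, the lowercase header keys and the "no Authorization or Cookie header" test for unauthenticated requests are assumptions, and the sample request is constructed.

```python
import base64
import re
from urllib.parse import urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"  # endpoint named in the advisory
JAVA_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header (magic + version 5)
# The header base64-encodes to the prefix "rO0AB"; grab 8 chars so we can decode and confirm.
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/]{3}")


def has_serialized_java(body: bytes) -> bool:
    """True if body carries a raw or base64-encoded Java serialized stream header."""
    if JAVA_MAGIC in body:
        return True
    return any(base64.b64decode(m).startswith(JAVA_MAGIC)
               for m in B64_CANDIDATE.findall(body))


def evaluate(method: str, url: str, headers: dict, body: bytes) -> list:
    """Return indicator names for one request; headers use lowercase keys (assumption)."""
    findings = []
    if not urlsplit(url).path.lower().startswith(UPLOADER_PATH):
        return findings
    ctype = headers.get("content-type", "").lower()
    if method.upper() == "POST" and ctype.startswith("multipart/form-data"):
        findings.append("multipart-post-to-uploader")
        # Assumption: no Authorization or Cookie header is a proxy for "unauthenticated".
        if "authorization" not in headers and "cookie" not in headers:
            findings.append("no-credentials")
    if has_serialized_java(body):
        findings.append("java-serialized-payload")
    return findings


# Constructed sample: stream header plus inert filler bytes, not a working object.
INERT_B64 = base64.b64encode(JAVA_MAGIC + b"sr\x00\x12constructed.Sample")
SAMPLE_BODY = (b"--b\r\nContent-Disposition: form-data; name=\"file\"; "
               b"filename=\"sample.properties\"\r\n\r\n" + INERT_B64 + b"\r\n--b--\r\n")
SAMPLE_HEADERS = {"content-type": "multipart/form-data; boundary=b"}

if __name__ == "__main__":
    url = UPLOADER_PATH + "?CONTENTTYPE=MODEL&CLIENT=1"
    print(evaluate("POST", url, SAMPLE_HEADERS, SAMPLE_BODY))
    print(evaluate("GET", "/index.html", {}, b""))
```

Base64 payloads that are line-wrapped or split across multipart parts need to be reassembled before this check; the sketch inspects the body as a single contiguous byte string.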
Conclusion
CVE-2025-31324 represents a highly critical risk to SAP NetWeaver environments due to its unauthenticated remote code execution potential via unsafe Java deserialization. The availability of a working proof-of-concept and its exploitation in the wild underscore the urgent need for patching and hardening exposed systems. Organizations should immediately apply the recommended SAP patches and leverage tools like OP Innovate’s ASM scanner to identify and remediate vulnerable instances. Comprehensive monitoring, access control, and input validation measures are essential to prevent exploitation and limit potential impact.