SAP NetWeaver Vulnerability
On April 24, 2025, SAP disclosed a critical vulnerability, CVE-2025-31324, with a CVSS score of 10.0, affecting SAP NetWeaver's Visual Composer Framework, version 7.50.
This vulnerability allows unauthenticated users to upload arbitrary files to the SAP NetWeaver application server, leading to potential remote code execution (RCE) and complete system takeover. The exploit is accomplished by sending specially crafted HTTP requests to the /developmentserver/metadatauploader endpoint.
Affected Systems
All versions 7.1x+ and all SPSs with the Visual Composer component enabled.
| Indicator | Value |
|---|---|
| IPv4 address | 205.169.39[.]55 |
| IPv4 address | 206.188.197[.]52 |
| IPv4 address | 65.49.235[.]210 |
| IPv4 address | 108.171.195[.]163 |
| IPv4 address | 47.97.42[.]177 |
| IPv4 address | 45.76.93[.]60 |
| IPv4 address | 158.247.224[.]100 |
| IPv4 address | 31.192.107[.]157 |
| IPv4 address | 107.173.135[.]116 |
| IPv4 address | 192.3.153[.]18 |
| IPv4 address | 188.166.87[.]88 |
| IPv4 address | 223.184.254[.]150 |
| IPv4 address | 51.79.66[.]183 |
| IPv4 address | 85.106.113[.]168 |
| IPv4 address | 138.68.61[.]82 |
| IPv4 address | 101.99.91[.]107 |
| IPv4 address | 103.207.14[.]195 |
| IPv4 address | 13.232.191[.]219 |
| FQDN | ocr-freespace.oss-cn-beijing.aliyuncs[.]com |
| FQDN | overseas-recognized-athens-oakland.trycloudflare[.]com |
| FQDN | d-69b.pages[.]dev |
| SHA256 hash | df492597eb412c94155a7f437f593aed89cfec2f1f149eb65174c6201be69049 |
| SHA256 hash | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d |
| SHA256 hash | c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28 |
| SHA256 hash | 3f5fd4b23126cb21d1007b479954af619a16b0963a51f45cc32a8611e8e845b5 |
| SHA256 hash | 598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0 |
| SHA256 hash | 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef |
| SHA256 hash | 5919F2EAB8A826D7BA84E6C413626F5D11ED412D7DF0D3AB864F31D3A8DB3763 |
| SHA256 hash | 5a8ddc779dcf124fe5692d15be44346fb6d742322acb0eb3c6b4e90f581c5f9e |
| SHA256 hash | 427877aadd89f427e1815007998d9bb88309c548951a92a6e4064df001e327c2 |
| SHA256 hash | 69bb809b3fee09ed3ec9138f7566cc867bd6f1e8949b5e3daff21d451c533d75 |
| SHA256 hash | b9ef95ca541d3e05a6285411005f5fee15495251041f78e715234b09d019b92c |
| SHA256 hash | 1abf922a8228fd439a72cfddf1ed08ea09b59eaa4ae5eeba1d322d5f3e3c97e8 |
| SHA256 hash | 2e6f348f8296f4e062c397d2f3708ca6fdeab2c71edfd130b2ca4c935e53c0d3 |
| SHA256 hash | 6c6c984727dc53af110ed08ec8b15092facb924c8ad62e86ec76b52a00a41a40 |
| SHA256 hash | 4b17beee8c2d94cf8e40efc100651d70d046f5c14a027cf97d845dc839e423f9 |
| SHA256 hash | 7aab6ec707988ff3eec37f670b6bb0e0ddd02cc0093ead78eb714abded4d4a79 |
| SHA256 hash | b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee |
IoC’s
-
Recommended Solution(s)
- SAP released an urgent patch for this vulnerability on April 24, 2025 (SAP Security Note 3594142)
- On May 13, 2025, a supplemental security note (SAP Security Note 3604119) was released for CVE-2025-42999. This fixes the root cause of CVE-2025-31324.
- If you cannot apply the updates immediately, you can completely remove sap.com/devserver_metadataupload_ear by applying the "Option 0" option specified in SAP Note 3593336.
CVE / CWE
CVE-2024-49112
Related Website(s)
- https://nvd.nist.gov/vuln/detail/CVE-2024-49112
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112
* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.
Current Security Vulnerability Reports
İSTANBUL
+90 216 504 53 32
Aydınevler Mahallesi,İsmet İnönü Cadddesi,Küçükyalı Ofis Park A Blok,No:20/1 Maltepe İstanbul
ANKARA
+90 312 235 44 51
VULNERABILITY NEWSLETTER
You can register to our newsletter on the home page to be instantly informed about security vulnerabilities.
© 2021 Barikat Cyber Security All rights reserved.