Skip to main content

CVE-2025-31324 - SAP NetWeaver Visual Composer

This Playbook is part of the Cortex Response And Remediation Pack.#

Supported versions

Supported Cortex XSOAR versions: 8.8.0 and later.

CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability.

CVE-2025-31324 - SAP NetWeaver RCE Vulnerability#

Vulnerability Overview#

  • Component Affected: SAP NetWeaver Visual Composer Metadata Uploader
  • Endpoint: /developmentserver/metadatauploader
  • CVE ID: CVE-2025-31324
  • CVSS Score: 10.0 (Critical)
  • Exploitability: Unauthenticated remote attackers can exploit this without user interaction

This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process.
Source: Unit42 - Palo Alto Networks

Mitigation and Recommendations#

  • Apply Patch: SAP Note #3594142 (released April 24, 2025)
  • Disable Visual Composer if not in use
  • Restrict Access to the vulnerable endpoint
  • Monitor for IoCs in /irj/servlet_jsp/irj/root/ and suspicious traffic

Conclusion#

CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components.

View official CVE details on NIST

Playbook Triggers#

  • Manually
  • "CVE Exploitation - 986328356" Agent rule

Playbook Flow#

  1. Using XQL, identify potential SAP NetWeaver instances in your environment.
  2. Using XQL, check if there are events that point to any potential webshells downloaded in the directories.
  3. Directory enumeration to identify if there are already any suspicious files that might indicate a webshell.
  4. Collect IOCs from a Unit42 blog, search them using the "Threat Hunting - Generic" playbook (supports Palo Alto networks products, Qradar, and Splunk), and block those indicators using the "Containment Plan - Block Indicators" playbook.
  5. Provides Mitigation recommendations.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Containment Plan - Block Indicators
  • Panorama Query Logs for Related Session
  • Threat Hunting - Generic

Integrations#

  • CortexCoreIR
  • CortexCoreXQLQueryEngine

Scripts#

  • IsIntegrationAvailable
  • ParseHTMLIndicators
  • SetAndHandleEmpty

Commands#

  • associateIndicatorsToAlert
  • closeInvestigation
  • core-get-dynamic-analysis
  • core-get-script-execution-results
  • core-run-script-execute-commands
  • createNewIndicator
  • extractIndicators
  • setAlert
  • xdr-xql-generic-query
  • xdr-xql-get-quota

Playbook Inputs#

NameDescriptionDefault ValueRequired
SplunkEarliestTimeThe earliest time for Splunk query.-7d@dOptional
SplunkLatestTimeThe latest time for the Splunk search query.nowOptional
QRadarTimeRangeThe time range for QRadar query.Last 7 DAYSOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

CVE-2025-31324 - SAP NetWeaver Visual Composer

Edit this page
Report an Issue
OSZAR »