CVE CVE

CVE-2025-31324

CISA Known Exploited Vulnerability (KEV)

SAP NetWeaver Unrestricted File Upload Vulnerability

April 29, 2025

May 20, 2025

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Weakness Enumeration

CWE-ID CWE Name

CWE-434
Unrestricted Upload of File with Dangerous Type

Details

Source:
NVD
Published:
Updated:

Risk information

CVSS v3

Base score:
10
Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2

Not defined