SAP NetWeaver Visual Composer's critical flaw has led to verified security breaches
A critical, actively exploited vulnerability has been discovered in SAP NetWeaver Visual Composer. Tracked as CVE-2025-31324, this unauthenticated file-upload vulnerability poses a serious threat to businesses worldwide.
The vulnerability, which allows unauthenticated attackers to upload and execute arbitrary files on SAP servers, has been reported by Shadowserver to affect 454 IPs, with the United States, India, and Australia leading the list of affected countries.
This flaw in the Visual Composer Framework (VCFRAMEWORK) component of NetWeaver Application Server Java (version 7.50) can lead to full system compromise, remote code execution (RCE), data loss, and lateral movement within enterprise networks. The exploit is public, easy to leverage, and requires no authentication.
The vulnerability, scored 9.8 or 10.0 on CVSS v3.1 depending on the assessment, can have severe consequences. Attackers can upload malicious files, such as web shells, to gain persistent access, disrupt business processes, and exfiltrate or manipulate sensitive data. The vulnerability is being actively exploited in the wild to deploy web shells and command-and-control (C2) frameworks.
Following the initial disclosure in April 2025, SAP has continued to see new attack vectors targeting the Visual Composer component, including additional vulnerabilities such as CVE-2025-42977 (a directory traversal flaw with CVSS 7.6).
To mitigate the risks posed by this vulnerability, SAP has recommended several actions:
- Apply patches immediately, particularly for NetWeaver Application Server Java and the Visual Composer component.
- Restrict access to the Visual Composer Framework (VCFRAMEWORK) if it is not in use.
- Regularly monitor SAP systems for unusual file uploads, unauthorized access, or deployments of web shells.
- Review and restrict user permissions.
- Be prepared to respond to potential breaches.
- Stay informed through SAP's monthly Security Patch Day updates.
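One way to put the "monitor for unusual file uploads or web shell deployments" recommendation into practice is a baseline-and-diff check over the directory the application server serves from. The following is an added example, not SAP's tooling or code from the original article; it uses a constructed temporary directory in place of a real SAP web root, and the file extensions and content markers it flags are assumptions chosen to prioritise review, not an authoritative signature set.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed: extensions that, when newly written to a served directory, warrant review.
WEB_EXEC_EXT = {".jsp", ".jspx", ".java", ".class", ".jar"}
# Assumed: markers commonly seen in Java-based web shells; a hit is a triage hint, not proof.
SHELL_HINTS = (b"Runtime.getRuntime().exec", b"ProcessBuilder", b"request.getParameter")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Snapshot every file under root as relative path -> sha256 (take this right after patching)."""
    return {str(p.relative_to(root)): sha256(p) for p in root.rglob("*") if p.is_file()}


def scan(root: Path, known: dict[str, str]) -> list[dict]:
    """Return files that are new or changed since the baseline, annotated for triage."""
    findings = []
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel, digest = str(p.relative_to(root)), sha256(p)
        if rel in known and known[rel] == digest:
            continue  # unchanged since baseline
        data = p.read_bytes()
        findings.append({
            "path": rel,
            "status": "new" if rel not in known else "modified",
            "sha256": digest,
            "web_executable": p.suffix.lower() in WEB_EXEC_EXT,
            "shell_hint": any(h in data for h in SHELL_HINTS),
        })
    return findings


def demo() -> list[dict]:
    """Constructed scenario: baseline a tiny web root, then simulate a later unexpected write."""
    root = Path(tempfile.mkdtemp(prefix="webroot-placeholder-"))  # placeholder, not a real SAP path
    try:
        (root / "index.jsp").write_text("<%-- constructed legitimate page --%>")
        known = baseline(root)
        # Constructed sample: contains a marker string but is not a working page.
        (root / "helper.jsp").write_text("<% /* constructed sample */ ProcessBuilder pb = null; %>")
        (root / "index.jsp").write_text("<%-- constructed page, modified after baseline --%>")
        return scan(root, known)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline would be stored off-host and the scan run on a schedule, with any `web_executable` or `shell_hint` finding escalated to incident response.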
Given the severity and ongoing nature of this threat, prompt action is essential to protect SAP environments from compromise. Businesses are advised to take immediate steps to secure their SAP installations and stay vigilant against potential attacks.
- The unauthenticated file-upload vulnerability, identified as CVE-2025-31324, poses a significant threat to privacy and cybersecurity, particularly for data, cloud-computing and technology environments, as attackers can upload malicious files, cause data loss, and manipulate sensitive information.
- Given the ongoing nature of this threat, cybersecurity measures such as applying patches promptly, restricting access to the Visual Composer Framework, and regularly monitoring SAP systems for unusual activity should be implemented to safeguard against vulnerabilities like CVE-2025-31324.
- CVE-2025-31324 underscores the importance of robust cybersecurity practices and the need for businesses to prioritize protecting their SAP environments from vulnerabilities and threats that could compromise their data and, ultimately, their privacy.