CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution - - #CVE-2025-31324
A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver's Visual Composer component has been actively exploited, allowing unauthenticated attackers to upload malicious files and execute remote code. With a CVSS score of 10.0, this flaw affects the Metadata Uploader endpoint, enabling attackers to deploy JSP webshells and gain full system control. Exploitation has been observed since March 2025, particularly targeting manufacturing organizations. SAP has issued an emergency patch and provided mitigation strategies, including restricting access to vulnerable endpoints and disabling unused components. Security experts urge immediate patching, compromise assessments, and monitoring for indicators of compromise, as approximately 450 vulnerable instances are exposed online, primarily in the US, India, Australia, China, and Europe.