CVE-2025-31324

Critical KEV CVSS: 10.0

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Vendor

Sap

Product

Netweaver

CWE

CWE-434

Yayın Tarihi

2025-04-24 17:15:35

Güncelleme

2025-10-31 21:56:14

Source Identifier

cna@sap.com

KEV Date Added

2025-04-29

Kategoriler

CWE-434 Netweaver CRITICAL Sap 2025

Referanslar

https://me.sap.com/notes/3594142 https://url.sap/sapsecuritypatchday https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ https://www.theregister.com/2025/04/25/sap_netweaver_patch/ https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324

Benzer Kayıtlar

Medium

CVE-2026-24314

Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which…

Medium

CVE-2026-24327

Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages),…

Medium

CVE-2026-24328

SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when cli…

Medium

CVE-2026-24325

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripti…

Medium

CVE-2026-24326

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker w…

Medium

CVE-2026-24321

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these op…