CVE-2025-31324 - SAP NetWeaver Visual Composer

This pack is part of the Rapid Breach Response pack.

CVE-2025-31324 is a critical zero-day vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer. The flaw stems from missing authorization checks, letting unauthenticated attackers upload malicious binaries. Successful exploitation can lead to full remote-code execution (RCE), jeopardising confidentiality, integrity, and availability.

Unauthenticated attackers can upload arbitrary files (for example, JSP web shells) and gain code-execution with the privileges of the SAP application-server process.

References
Unit 42 threat brief
NIST NVD entry

Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer

Name	Description
Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer	This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer playbook and Rapid Breach Response incident type. CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability. CVE-2025-31324 - SAP NetWeaver RCE Vulnerability Vulnerability Overview Component Affected: SAP NetWeaver Visual Composer Metadata Uploader Endpoint: `/developmentserver/metadatauploader` CVE ID: CVE-2025-31324 CVSS Score: 10.0 (Critical) Exploitability: Unauthenticated remote attackers can exploit this without user interaction This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process. Source: Unit42 - Palo Alto Networks Mitigation and Recommendations Apply Patch: SAP Note #3594142 (released April 24, 2025) Disable Visual Composer if not in use Restrict Access to the vulnerable endpoint Monitor for IoCs in `/irj/servlet_jsp/irj/root/` and suspicious traffic Conclusion CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components. View official CVE details on NIST Playbook Triggers Manually "CVE Exploitation - 986328356" Agent rule Playbook Flow Collects IoCs from Unit42 blog. Downloads Sigma rules. Search for CVE Exploitation alerts. Directory enumeration to identify if there are already any suspicious files that might indicate a webshell. Using XQL, identify potential SAP NetWeaver instances in your environment. Using XQL, check if there are events that point to any potential webshells downloaded in the directories. Hunt the IoCs using Panorama and 3rd party SIEM. Remediate using "Block Indicators - Generic v3" playbook. Provides Mitigation recommendations. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer

This playbook should be triggered manually or can be configured as a job.
Please create a new incident and choose the Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer playbook and Rapid Breach Response incident type.

CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability.

CVE-2025-31324 - SAP NetWeaver RCE Vulnerability

Vulnerability Overview

Component Affected: SAP NetWeaver Visual Composer Metadata Uploader
Endpoint: /developmentserver/metadatauploader
CVE ID: CVE-2025-31324
CVSS Score: 10.0 (Critical)
Exploitability: Unauthenticated remote attackers can exploit this without user interaction

This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process.
Source: Unit42 - Palo Alto Networks

Mitigation and Recommendations

Apply Patch: SAP Note #3594142 (released April 24, 2025)
Disable Visual Composer if not in use
Restrict Access to the vulnerable endpoint
Monitor for IoCs in /irj/servlet_jsp/irj/root/ and suspicious traffic

Conclusion

CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components.

View official CVE details on NIST

Playbook Triggers

Manually
"CVE Exploitation - 986328356" Agent rule

Playbook Flow

Collects IoCs from Unit42 blog.
Downloads Sigma rules.
Search for CVE Exploitation alerts.
Directory enumeration to identify if there are already any suspicious files that might indicate a webshell.
Using XQL, identify potential SAP NetWeaver instances in your environment.
Using XQL, check if there are events that point to any potential webshells downloaded in the directories.
Hunt the IoCs using Panorama and 3rd party SIEM.
Remediate using "Block Indicators - Generic v3" playbook.
Provides Mitigation recommendations.

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Pack Name	Pack By
Common Types	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

Pack Name	Pack By
Identity	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR

Certification	Certified	Read more
Supported By	Cortex
Created	July 1, 2025
Last Release	March 23, 2026

CVE-2025-31324 - SAP NetWeaver Visual Composer

CVE-2025-31324 - SAP NetWeaver RCE Vulnerability

Vulnerability Overview

Mitigation and Recommendations

Conclusion

Playbook Triggers

Playbook Flow

Playbooks

Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER