Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 | Rapid7 Blog
SAP has disclosed a critical zero-day vulnerability (CVE-2025-31324) in NetWeaver Visual Composer’s Metadata Uploader component. A missing authorization check at the /developmentserver/metadatauploader endpoint allows unauthenticated attackers to upload malicious files. The flaw is rated with the highest CVSS score of 10 and is being actively exploited in the wild, primarily targeting manufacturing companies, by adversaries who drop webshells into vulnerable directories, enabling full system compromise. All SAP NetWeaver 7.xx versions and service packs are affected. SAP urges customers to update to the latest version urgently or, if patching is not possible, disable Visual Composer, restrict access to the vulnerable endpoint, and thoroughly investigate their environments for signs of compromise, as updating alone will not remediate existing breaches.
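
One way to begin the investigation for signs of compromise is to search web access logs for requests that reached the endpoint named above. This is an added example, not code from SAP or Rapid7: it assumes Combined Log Format lines (for instance from a reverse proxy in front of NetWeaver), and the function names, severity labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named in the advisory

# Assumption: Combined Log Format, e.g. from a reverse proxy in front of NetWeaver.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query string, percent-decode, collapse '//' and ignore case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def classify(method, status):
    """Rank a hit: a POST answered 2xx is the case that needs host forensics."""
    if method == "POST":
        return "high" if 200 <= status < 300 else "medium"
    return "low"  # request without an upload, e.g. probing or scanning

def find_uploader_hits(lines):
    """Return one dict per request that reached the Metadata Uploader endpoint."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or normalise_path(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        hits.append({"line": lineno, "ip": m["ip"], "time": m["ts"],
                     "method": m["method"], "status": status,
                     "severity": classify(m["method"], status)})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET /DevelopmentServer/%6Detadatauploader HTTP/1.1" 405 0',
    '192.0.2.4 - - [01/Jan/2025:10:06:30 +0000] "POST //developmentserver/metadatauploader/ HTTP/1.1" 403 0',
    '192.0.2.5 - - [01/Jan/2025:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_uploader_hits(SAMPLE_LOG):
        print(hit)
```

A "high" hit shows only that a POST to the endpoint was answered successfully; the host itself still has to be examined for dropped files.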