{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-31324","assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","state":"PUBLISHED","assignerShortName":"sap","dateReserved":"2025-03-27T23:02:06.906Z","datePublished":"2025-04-24T16:50:27.706Z","dateUpdated":"2026-02-26T18:28:05.363Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP NetWeaver (Visual Composer development server)","vendor":"SAP_SE","versions":[{"status":"affected","version":"VCFRAMEWORK 7.50"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.</p>"}],"value":"SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434: Unrestricted Upload of File with Dangerous Type","lang":"eng","type":"CWE"}]}],"providerMetadata":{"orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap","dateUpdated":"2025-04-24T16:50:27.706Z"},"references":[{"url":"https://me.sap.com/notes/3594142"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"Missing Authorization check in SAP NetWeaver (Visual Composer development server)","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-31324","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-04-30T03:56:21.966706Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2025-04-29","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"}}}],"references":[{"url":"https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/","tags":["technical-description"]},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324","tags":["government-resource"]}],"timeline":[{"time":"2025-04-29T00:00:00.000Z","lang":"en","value":"CVE-2025-31324 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T18:28:05.363Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-05-02T17:13:30.650Z"},"references":[{"url":"https://www.theregister.com/2025/04/25/sap_netweaver_patch/"},{"url":"https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/"},{"url":"https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}}]}}