10

CVE-2025-31324

Warnung

Medienbericht

EPSS 45.8%
Veröffentlicht 24.04.2025 16:50:27
Zuletzt bearbeitet 31.10.2025 21:56:14
Quelle cna@sap.com
CVE-Watchlists
Login
Unerledigt
Login

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 13

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Netweaver Version7.50

29.04.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP NetWeaver Unrestricted File Upload Vulnerability

Schwachstelle

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	45.8%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@sap.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://www.heise.de/news/SAP-Kritische-Sicherheitsluecke-ausser-der-Reihe-gepatcht-10361908.html

Medienbericht

heise Security

https://www.heise.de/news/Attackierte-SAP-Luecke-Hunderte-verwundbare-Server-im-Netz-10365650.html

Medienbericht

heise Security

https://www.heise.de/news/SAP-Patchday-Kritische-Netweaver-Luecke-und-viele-mehr-gestopft-10381863.html

Medienbericht

heise Security

https://www.heise.de/news/SAP-Netweaver-Luecke-Ransomware-Gruppen-springen-auf-10384918.html

Medienbericht

heise Security

https://url.sap/sapsecuritypatchday

Vendor Advisory

https://me.sap.com/notes/3594142

Permissions Required

https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Press/Media Coverage

https://www.theregister.com/2025/04/25/sap_netweaver_patch/

Press/Media Coverage

https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-31324

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-31324

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-31324

EUVD