Unveiled: Public Access to Severe SAP NetWeaver Vulnerability
In a recent report, Pathlock's research team has highlighted the widespread exploitation of the vulnerability CVE-2025-31324 in SAP's NetWeaver AS Java Visual Composer. This vulnerability, which was patched in April 2025, is a significant concern due to its potential for unauthenticated remote code execution via the platform's metadata uploader endpoint.
The exploitation of this vulnerability allows attackers to laterally access other services without authentication and perform higher-level attacks. The public availability of the full source code for the exploit makes it accessible to attackers with little technical expertise, increasing the risk of widespread exploitation.
In response, Pathlock recommends blocking or restricting access to the vulnerable endpoint and advises immediate action to reduce risk, including applying SAP Security Notes 3594142 and 3604119 across all Java instances.
The report from Pathlock is a critical read for anyone in corporate cybersecurity. In addition, the US Cybersecurity & Infrastructure Security Agency (CISA) has added both CVE-2025-31324 and CVE-2025-42999 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of addressing these issues.
Nivedita Murthy, senior staff consultant at Black Duck, said, "The combination of insecure deserialization (CVE-2025-42999) and the uploader bug in attacks makes this vulnerability a top-priority threat." The vulnerability CVE-2025-42999 involves insecure deserialization and has been chained with the uploader bug in attacks.
Pathlock also suggests hunting for signs of compromise using HTTP logs, servlet checks, and SIEM alerts. In case of compromise, they recommend isolating affected nodes, preserving evidence, rotating credentials, and rebuilding from a clean baseline.
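As an added illustration of the HTTP-log hunting Pathlock suggests (example code, not from the report, Pathlock or SAP), the script below scans proxy access logs for requests that reached the metadata uploader endpoint and ranks each hit so a SIEM rule can alert once per source. The endpoint path constant and the sample log lines are assumptions constructed for the example; adjust the constant to the path your own logs show.

```python
import re
# Assumption (not from the article): the Visual Composer metadata uploader path; adjust to your logs.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Common/combined access log format, as written by a reverse proxy or web dispatcher in front of AS Java.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Constructed sample lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:15:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.23 - - [24/Apr/2025:10:16:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412
198.51.100.23 - - [24/Apr/2025:10:16:09 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 1803
192.0.2.77 - - [25/Apr/2025:02:03:44 +0000] "HEAD /DevelopmentServer/MetadataUploader HTTP/1.1" 403 0
"""

def severity(method, status):
    """A successful POST/PUT is the strongest signal; any 2xx deserves a look; a blocked request is a probe."""
    ok = 200 <= status < 300
    if ok and method in ("POST", "PUT"):
        return "high"
    if ok:
        return "medium"
    return "low"

def find_uploader_hits(log_text):
    """Return one record per request that reached the uploader endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the hunt
        path = m.group("path").split("?", 1)[0]
        if not path.lower().startswith(UPLOADER_PATH):  # case-insensitive so capitalised probes are counted
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                     "status": status, "severity": severity(m.group("method"), status)})
    return hits

def summarize_by_ip(hits):
    """Collapse hits to {ip: worst severity} so a SIEM rule can alert once per source."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for h in hits:
        cur = worst.get(h["ip"])
        if cur is None or rank[h["severity"]] > rank[cur]:
            worst[h["ip"]] = h["severity"]
    return worst
```

Feed the output of `summarize_by_ip` to your SIEM as one event per source address; "high" hits warrant the isolate, preserve, rotate and rebuild steps the report describes.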
SAP has addressed both issues in Security Notes 3594142 and 3604119. The SAP security note 3594142 for CVE-2025-31324 was released in March 2025, and the security note 3604119 for CVE-2025-42999 was released in August 2025.
NetWeaver AS Java is the application server on which Visual Composer runs. The CVSS score of 10.0 assigned by SAP's CNA and 9.8 assigned by NVD mark these vulnerabilities as top-priority threats. Given the widespread exploitation of these vulnerabilities, organisations running SAP NetWeaver AS Java Visual Composer should take immediate action to secure their systems.