CVE-2025-31324, a zero day vulnerability in SAP NetWeaver, has been generating a good deal of chatter in recent days. Media outlets report that it is being targeted by multiple ransomware groups and Chinese Advanced Persistent Threat (APT) groups. 

The unauthenticated file upload vulnerability affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. 

SAP has released patches to address CVE-2025-31324. On April 25, Tenable Research Response Team published a blog post about the vulnerability and provided guidance on how to identify affected systems using Tenable plugins. The blog post can be found here: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild

Media outlets reporting on CVE-2025-31324 include Bleeping Computer,  CyberScoop and Dark Reading. 

On May 13, as part of the SAP Security Patch Day, SAP released a patch for CVE-2025-42999, a deserialization vulnerability affecting SAP NetWeaver. Onapsis identified and reported this flaw to SAP and noted this was an additional vector for exploitation that the April patch did not address. To ensure full remediation from these vulnerabilities, it’s imperative that both the April and May patches are applied to SAP NetWeaver hosts.

If you have questions or concerns about this vulnerability, please submit a comment below or contact your Tenable sales representative.