[Vulnerability Alert]　SAP Issues Critical Security Patch for NetWeaver Application Server (CVE-2025-31324)

publish date : 2025-05-08 update date : 2025-05-12

Source: Ministry of education information & communication security contingency platform


Publication Number	TACERT-ANA-2025050701051818	Publication Time	2025/05/07 13:04
Incident Type	ANA-Vulnerability Alert	Discovery Time	2025/05/07 13:04
Impact Level	Low
[Subject] 【Vulnerability Alert】SAP Issues Critical Security Patch for NetWeaver Application Server (CVE-2025-31324)
[Content] Forwarded from TWCERTCC-200-202505-00000001 SAP has released a critical security advisory for its NetWeaver Application Server (CVE-2025-31324, CVSS: 10.0). The vulnerability originates from an unauthorized file upload mechanism in the Visual Composer Metadata Uploader component. It allows unauthenticated remote attackers to upload arbitrary files and execute malicious programs on the server. Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform] SAP NetWeaver VCFRAMEWORK version 7.50
[Recommended Actions] Please visit the official website to apply the patch: https://supportsap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
[Reference] https://www.twcert.org.tw/tw/cp-169-10093-9eb4f-1.html

(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw

Organizer: Computer Center

[Vulnerability Alert] SAP Issues Critical Security Patch for NetWeaver Application Server (CVE-2025-31324)

[Vulnerability Alert]　SAP Issues Critical Security Patch for NetWeaver Application Server (CVE-2025-31324)