ID

VAR-202504-3437


CVE

CVE-2025-31324


TITLE

Vulnerability in unrestricted upload of dangerous file types in SAP NetWeaver from SAP

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376

DESCRIPTION

SAP NetWeaver Visual Composer Metadata Uploader is not protected by proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. SAP NetWeaver from SAP contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2025-31324 // JVNDB: JVNDB-2025-004376

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver, scope: eq, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376 // NVD: CVE-2025-31324

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@sap.com: CVE-2025-31324
value: CRITICAL

Trust: 1.0

nvd@nist.gov: CVE-2025-31324
value: CRITICAL

Trust: 1.0

NVD: CVE-2025-31324
value: CRITICAL

Trust: 0.8

cna@sap.com: CVE-2025-31324
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-31324
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2025-31324
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376 // NVD: CVE-2025-31324 // NVD: CVE-2025-31324

PROBLEMTYPE DATA

problemtype: CWE-434

Trust: 1.0

problemtype: Unrestricted upload of dangerous file types (CWE-434) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376 // NVD: CVE-2025-31324

EXTERNAL IDS

db: NVD, id: CVE-2025-31324

Trust: 2.6

db: JVNDB, id: JVNDB-2025-004376

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376 // NVD: CVE-2025-31324

REFERENCES

url: https://url.sap/sapsecuritypatchday

Trust: 1.8

url: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

Trust: 1.8

url: https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Trust: 1.8

url: https://www.theregister.com/2025/04/25/sap_netweaver_patch/

Trust: 1.8

url: https://me.sap.com/notes/3594142

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2025-31324

Trust: 0.8

url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Trust: 0.8

sources: JVNDB: JVNDB-2025-004376 // NVD: CVE-2025-31324

SOURCES

db: JVNDB, id: JVNDB-2025-004376
db: NVD, id: CVE-2025-31324

LAST UPDATE DATE

2025-05-09T03:20:13.472000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-004376, date: 2025-05-07T06:56:00
db: NVD, id: CVE-2025-31324, date: 2025-05-06T20:59:33.773

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-004376, date: 2025-05-07T00:00:00
db: NVD, id: CVE-2025-31324, date: 2025-04-24T17:15:35.913