← voltar
CVE-2025-31324

Missing Authorization check in SAP NetWeaver (Visual Composer development server)

CVSS 10 CRITICALEPSS 99.3%● KEVCWE-434
Em resumo

A ferramenta de upload do SAP NetWeaver Visual Composer não valida quem está enviando arquivos, permitindo que qualquer pessoa carregue binários maliciosos. Isso pode comprometer completamente a segurança, os dados e o funcionamento do servidor.

Detalhe técnico

O SAP NetWeaver Visual Composer Metadata Uploader apresenta falta de validação de autorização (CWE-434) em uploads de arquivo, permitindo que agentes não autenticados enviem binários executáveis. Um atacante pode executar código remoto e comprometer completamente a integridade, confidencialidade e disponibilidade do sistema.

Resumo gerado e traduzido por IA a partir da descrição oficial.
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
SAP_SE · SAP NetWeaver (Visual Composer development server)
PoCs públicas encontradas20
githubgithub.com/redrays-io/CVE-2025-3132424githubgithub.com/antichainalysis/sap-netweaver-0day-CVE-2025-3132422githubgithub.com/Onapsis/Onapsis_CVE-2025-31324_Scanner_Tools12githubgithub.com/Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment9githubgithub.com/NULLTRACE0X/CVE-2025-313248githubgithub.com/ODST-Forge/CVE-2025-31324_PoC6githubgithub.com/rf-peixoto/sap_netweaver_cve-2025-31324-5githubgithub.com/rxerium/CVE-2025-313244githubgithub.com/aristois913/CVE-2025-313243githubgithub.com/nullcult/CVE-2025-31324-File-Upload2githubgithub.com/nairuzabulhul/nuclei-template-cve-2025-31324-check1githubgithub.com/respondiq/jsp-webshell-scanner1githubgithub.com/moften/CVE-2025-31324-NUCLEI1githubgithub.com/abrewer251/CVE-2025-31324_PoC_SAP1githubgithub.com/JonathanStross/CVE-2025-313241githubgithub.com/moften/CVE-2025-313240githubgithub.com/BlueOWL-overlord/Burp_CVE-2025-313240githubgithub.com/Alizngnc/SAP-CVE-2025-313240githubgithub.com/sug4r-wr41th/CVE-2025-313240githubgithub.com/harshitvarma05/CVE-2025-31324-Exploits0
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://me.sap.com/notes/3594142https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/https://url.sap/sapsecuritypatchdayhttps://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324https://www.theregister.com/2025/04/25/sap_netweaver_patch/