Critical SAP NetWeaver Flaw Under Active Exploitation, Report Warns
In a critical alert for corporate cybersecurity professionals, the Pathlock research team has released a report on the ongoing exploitation of CVE-2025-31324, a vulnerability in SAP NetWeaver AS Java Visual Composer. The flaw, which the US Cybersecurity & Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities (KEV) catalog, poses a significant threat to organizations running unpatched SAP software.
Publicly available exploit code makes the vulnerability easy to abuse, even for attackers with little technical expertise. According to Frankie Sclafani, director of cybersecurity enablement at Deepwatch, the vulnerability allows unauthenticated remote code execution via the platform's metadata uploader endpoint, which means attackers can gain access to other services without authentication and carry out higher-level attacks.
Sclafani emphasized that real-world attacks are happening, as CISA has confirmed. Chinese state-sponsored APT groups, notably the China-linked threat actor Earth Lamia, have used the flaw to gain unauthenticated remote code execution, compromising at least 581 SAP NetWeaver instances since April 2025.
Nivedita Murthy, senior staff consultant at Black Duck, noted that NetWeaver is the web application where these products are hosted. The report focuses on exploitation of this vulnerability in NetWeaver, which SAP originally patched in April 2025.
To mitigate the risk, Pathlock advises organizations to immediately apply SAP Security Notes 3594142 and 3604119 across all AS Java instances, and to block or restrict access to the vulnerable /developmentserver/metadatauploader endpoint. If a system is suspected to be compromised, Pathlock recommends isolating the affected nodes, preserving evidence, rotating credentials, and rebuilding from a clean baseline.
In addition, Pathlock recommends hunting for signs of compromise in HTTP logs, through servlet checks, and via SIEM alerts, and monitoring SAP Security Notes for further updates and patches.
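The hunting steps above (HTTP-log review and servlet checks) can be scripted. The following is an added example written for this page, not code from Pathlock's report or from SAP. It assumes the HTTP access log is in combined log format (the ICM/HTTP access log on a real AS Java instance uses its own format, so adapt the regex), and it assumes that dropped JSP files would appear under a configurable servlet directory whose real location you must supply for your instance. The log lines and the directory contents are constructed sample data, not captured traffic.

```python
"""Hunt for CVE-2025-31324 exploitation traces: requests to the Visual Composer
metadata uploader in an HTTP access log, and recently written .jsp files under a
servlet directory. Added example with constructed data; the log format and the
servlet path are assumptions that must be adapted to the target landscape."""
import os
import re
import tempfile
import time
from datetime import datetime
from pathlib import Path
from urllib.parse import unquote, urlsplit

# The endpoint named in the report; matched case-insensitively and without its query string.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Apr/2025:03:14:07 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2025:03:14:09 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1280 "-" "python-requests/2.31"
198.51.100.7 - - [26/Apr/2025:03:14:11 +0000] "POST /developmentserver/metadatauploader?CLIENT=1 HTTP/1.1" 200 62 "-" "python-requests/2.31"
203.0.113.5 - - [26/Apr/2025:03:15:02 +0000] "POST /DevelopmentServer/MetadataUploader HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)   # decode %-escapes so encoded probes still match
    rec["query"] = parts.query
    return rec


def classify(rec):
    """Return a severity label for requests that touch the uploader endpoint, else None."""
    if not rec["path"].lower().startswith(UPLOADER_PATH):
        return None
    # An unauthenticated POST that got a 2xx is the strongest signal: the uploader
    # accepted a body. Anything else hitting the endpoint is reconnaissance or a failed attempt.
    if rec["method"] == "POST" and 200 <= rec["status"] < 300:
        return "HIGH: metadatauploader accepted a POST"
    return "MEDIUM: metadatauploader probed"


def hunt_log(lines):
    """Return (timestamp, ip, method, status, verdict) tuples for suspicious requests."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append((rec["ts"].isoformat(), rec["ip"], rec["method"], rec["status"], verdict))
    return hits


def find_recent_jsp(root, since_epoch):
    """Return .jsp files under root whose modification time is at or after since_epoch.

    Attackers who gain code execution through the uploader can drop JSP files that the
    servlet container will serve; a file newer than the last legitimate deployment is worth
    triage. The directory to scan is an assumption the caller supplies for their instance."""
    return sorted(str(p) for p in Path(root).rglob("*.jsp") if p.stat().st_mtime >= since_epoch)


def demo_servlet_check():
    """Build a constructed stand-in for a servlet directory and return the newly written JSP names."""
    with tempfile.TemporaryDirectory() as d:
        legit = Path(d, "legit.jsp")
        legit.write_text("<%-- shipped with the application --%>")
        os.utime(legit, (1_000_000_000, 1_000_000_000))  # year 2001: predates the cutoff
        dropped = Path(d, "helper.jsp")
        dropped.write_text("<% /* constructed placeholder for a newly written file */ %>")  # mtime = now
        cutoff = time.time() - 3600  # flag anything written in the last hour
        return [Path(p).name for p in find_recent_jsp(d, cutoff)]


if __name__ == "__main__":
    for hit in hunt_log(SAMPLE_LOG.splitlines()):
        print(*hit)
    print("recent JSP files:", demo_servlet_check())
```

Run the script as-is to see it flag the two probes and the accepted POST in the sample log and pick out the freshly written JSP; in production, feed it the real access log and point find_recent_jsp at the actual servlet directory, and treat any HIGH hit or unexpected JSP as grounds for the isolation and evidence-preservation steps above.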
Sclafani said the report is important for anyone working in corporate cybersecurity, and emphasized that organizations must prioritize patching and securing their SAP systems to protect against these types of attacks.
The report also identifies a second vulnerability, CVE-2025-42999, an insecure deserialization flaw that attackers have chained with the uploader bug. At this time, however, it does not appear to be exploited as widely as CVE-2025-31324.
In conclusion, the exploitation of CVE-2025-31324 in SAP NetWeaver AS Java Visual Composer is a serious threat that requires immediate attention from organizations using SAP software. The CVSS scores of 10.0 assigned by SAP as the CNA and 9.8 assigned by NVD underscore the urgency of patching and securing these systems.