CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year. According to Google’s Threat Intelligence Group (GTIG), in 2024 alone, 75 zero-day vulnerabilities were exploited in the wild—a stark indicator of the growing threat to business-critical systems.
One of the latest critical vulnerabilities to emerge, CVE-2025-31324, is a maximum-severity unauthenticated file upload flaw affecting SAP NetWeaver, a core platform used widely by both governments and large enterprises. With over 1,200 internet-facing SAP NetWeaver instances at risk, CVE-2025-31324 poses a significant threat, enabling full system compromise.
Detect CVE-2025-31324 Vulnerability Exploitation
In 2024, GTIG identified 33 zero-day vulnerabilities exploited in enterprise software and appliances—technologies primarily used in business environments. Notably, 44% of all zero-days last year targeted enterprise products, marking a clear escalation in attacker focus on business-critical infrastructure. To effectively mitigate potential risks, security teams must focus on early identification and rapid response strategies that stay ahead of emerging threats exploiting newly disclosed vulnerabilities.
Register for the SOC Prime Platform and access a set of curated Sigma rules addressing CVE-2025-31324 exploitation attempts along with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below to drill down to a relevant detection stack immediately.
All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies, and mapped to MITRE ATT&CK® to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more.
Cyber defenders seeking more relevant content to detect cyber-attacks weaponizing trending vulnerabilities can access the whole collection of the relevant detection algorithms by searching Threat Detection Marketplace with the “CVE” tag.
Additionally, security professionals can streamline threat investigation using Uncoder AI – a private IDE & co-pilot for threat-informed detection engineering – now completely free and available without token limits on AI features. Generate detection algorithms from raw threat reports, turn IOC lists into performance-optimized sweep queries, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
CVE-2025-31324 Analysis
Disclosed by SAP on April 24, 2025, and addressed in their April 2025 Security Patch Day, CVE-2025-31324 is an unauthenticated file upload vulnerability that carries a maximum CVSS v3 score of 10.0. The flaw stems from a missing authorization check in the Metadata Uploader component, allowing unauthenticated attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint. This leads to unauthorized file uploads that can result in remote code execution (RCE) and complete system compromise.
Although a patch is now available, Rapid7’s Managed Detection and Response (MDR) team has confirmed active exploitation of the vulnerability dating back to March 27, 2025, particularly in the manufacturing sector.
Threat actors have used the flaw to upload malicious JSP-based web shells to the directory j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, enabling persistent remote access, code execution, and data exfiltration. These lightweight web shells are accessible via simple GET requests, effectively turning vulnerable SAP servers into attacker-controlled launchpads, as ReliaQuest research indicates.
Some incidents also involved the application of tools like the Brute Ratel C4 post-exploitation framework, and used evasion techniques such as Heaven’s Gate to bypass endpoint defenses—highlighting the professional nature of the threat actors involved.
Notably, the vulnerable Metadata Uploader component is part of the SAP NetWeaver Java stack, though it is not installed by default. However, Onapsis researchers noted that many organizations enable this feature to allow business process specialists to create enterprise applications without the need for traditional coding. Onapsis’ analysis revealed that attackers exploiting CVE-2025-31324 can install web shells that provide administrative-level access to the entire SAP environment, including unrestricted entry to the system’s database. With this level of access, attackers can deploy ransomware, disrupt SAP applications, exfiltrate data, or carry out a wide range of malicious actions.
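The two observables above (unauthenticated POSTs to the Metadata Uploader endpoint, followed by GETs of JSP files under the irj web root) can be hunted for directly in web-server access logs. The following is an added example written for this article, not SOC Prime's Sigma content or any vendor tooling; the log lines are constructed samples in Combined Log Format, and the IP addresses, timestamps and file name are placeholders.

```python
import re

# Constructed sample lines in Combined Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [27/Mar/2025:03:14:09 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [27/Mar/2025:03:15:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Mar/2025:03:16:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths named in the analysis above: the vulnerable endpoint and the
# web-root directory where uploaded JSP web shells were found.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_DIR = "/irj/servlet_jsp/irj/root/"


def classify(entry):
    """Return a rule name if the request matches one of the two patterns."""
    path = entry["path"].split("?", 1)[0].lower()
    if entry["method"] == "POST" and path.startswith(UPLOADER_PATH):
        # Any POST here is suspicious; a 404/403 still records a probe of a host where the component is absent or blocked.
        return "metadata_uploader_post"
    if path.startswith(WEBSHELL_DIR) and path.endswith(".jsp"):
        # Normal portal traffic does not fetch JSPs directly from this root.
        return "jsp_under_irj_root"
    return None


def detect(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip
        entry = m.groupdict()
        rule = classify(entry)
        if rule:
            findings.append({"rule": rule, "src": entry["src"], "ts": entry["ts"],
                             "path": entry["path"], "status": int(entry["status"])})
    return findings


def high_confidence_sources(findings):
    # Sources that uploaded successfully (HTTP 200) and then requested a JSP.
    uploaded = {f["src"] for f in findings
                if f["rule"] == "metadata_uploader_post" and f["status"] == 200}
    shelled = {f["src"] for f in findings if f["rule"] == "jsp_under_irj_root"}
    return uploaded & shelled
```

Run against the constructed sample, the single POST-then-JSP source is promoted to high confidence while the failed POST from a second address remains a lower-severity probe finding; in production, the same two checks should also be paired with file-creation monitoring on the servlet_jsp directory.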
To minimize the risks of exploitation of similar zero-days and other known CVEs, SOC Prime Platform provides security teams with a complete product suite built on a unique fusion of technologies, backed by AI and automation, and powered by real-time threat intel to help global organizations across multiple industry verticals and diverse environments scale their SOC operations. Register now to outscale cyber threats and stay on top of any potential cyber attack against your business.