CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component (CVSS 10.0) that enables unauthenticated remote code execution (RCE). The flaw, caused by missing authorization checks in the Metadata Uploader interface, allows attackers to upload arbitrary executable files—most commonly webshells—via specially crafted HTTP requests. First observed in active use in early 2025, the campaign evolved from reconnaissance to full compromise, with attackers achieving system-level access using the <sid>adm account.
After initial exploitation, attackers deployed webshells (e.g., helper.jsp, cache.jsp) that granted full remote access. Some systems were later abused in a second wave by opportunistic attackers, who reused the webshells for actions like cryptominer deployment.