Hi Community,
I received the following update from our Threat Research team:
A new vulnerability was recently discovered in SAP NetWeaver Visual Composer Metadata, dubbed CVE-2025-31324.
Vulnerability Description:
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
PoC can be found here
Cloud WAF customers are already protected against this vulnerability out-of-the-box
For On-Prem WAF customers:
To mitigate this vulnerability, a custom web service policy is required; therefore, we cannot push it using an emergency feed update. However, here is the manual mitigation guide:
Add a new Web-Service custom Policy:
Policy Name: CVE-2025-31324: SAP NetWeaver Visual Composer Metadata - Unauthenticated File Upload
Predicates:
1. HTTP Request Method Operation: At Least One
Value: POST
2. HTTP Request, Operation: Match All
a. Part: URL
Match Operation: "Includes"
Value: "/developmentserver/metadatauploader"
b. Part: Header
Name: “Content-Type”
Match Operation: “Includes”
Value: “multipart/form-data”
c. Part: parameter
Name: CONTENTTYPE
Match Operation: “Includes”
Value: “MODEL”
Followed Action: Block
Save and apply on the desired website.
If you have any questions, please comment below or raise a ticket with support, here.
#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)