Microsoft Defender for Cloud Blog

Guidance for handling CVE-2025-31324 using Microsoft Security capabilities

shaharbahat
Microsoft
Apr 30, 2025

Short Description

Recently, a CVSS 10 vulnerability, CVE-2025-31324, affecting the "Visual Composer" component of the SAP NetWeaver application server, has been published, putting organizations at risk. 

In this blog post, we will show you how to effectively manage this CVE if your organization is affected by it. 

 

Exploiting this vulnerability involves sending a malicious POST request to the "/developmentserver/metadatauploader" endpoint of the SAP NetWeaver application server, which allows arbitrary file upload and execution. 

Impact:  

This vulnerability allows attackers to deploy a webshell and execute arbitrary commands on the SAP server with the same permissions as the SAP service. This specific SAP product is typically used in large organizations, on Linux and Windows servers across on-prem and cloud environments, making the impact of this vulnerability significant. Microsoft has already observed active exploitation of this vulnerability in the wild, highlighting the urgency of addressing this issue. 
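The endpoint named above gives defenders a concrete thing to look for in web access logs while the patch is being rolled out. The following is an added example, not code from this post or from Microsoft: it parses access log lines in the Apache/NGINX "combined" format (an assumption; SAP NetWeaver's own HTTP access log uses a different layout, so the regex would need adapting) and flags POST/PUT requests to the metadata uploader path, normalizing case and stripping query strings so trivial variations do not evade the match. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Endpoint named in the post as the one the exploit POSTs to.
TARGET_PATH = "/developmentserver/metadatauploader"

# Assumption: the access log is in Apache/NGINX "combined" format. SAP NetWeaver's
# own HTTP access log uses a different layout, so adapt this regex to your log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [28/Apr/2025:10:14:05 +0000] "GET /irj/portal HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2025:10:15:11 +0000] "POST /DevelopmentServer/MetadataUploader?x=1 HTTP/1.1" 200 340 "-" "curl/8.5.0"
192.0.2.44 - - [28/Apr/2025:10:16:40 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Lower-case the path and drop the query string so case changes and parameters do not evade the match."""
    return path.split("?", 1)[0].lower()


def is_upload_attempt(event):
    """A POST (or PUT) to the metadata uploader endpoint is the vector the post describes."""
    return (event["method"].upper() in {"POST", "PUT"}
            and normalize_path(event["path"]) == TARGET_PATH)


def scan(log_text):
    """Return every parsed event that looks like an upload attempt against the endpoint."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_upload_attempt(event):
            hits.append(event)
    return hits


def sources(hits):
    """Count hits per source address; repeated POSTs from one address deserve the first look."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(sources(hits))
```

A 200 response to such a POST is the case to prioritize, since it indicates the server accepted the upload; requests that were rejected (for example the 405 above) are still worth recording as reconnaissance against a host that needs patching.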

Mapping CVE-2025-31324 in Your Organization

The first step in managing an incident is to map affected software within your organization’s assets.

Using the Vulnerability Page

Information on this CVE, including exposed devices and software in your organization, is available from the vulnerability page for CVE-2025-31324.

Using Advanced Hunting 

This query searches for software vulnerable to this CVE and summarizes the results by device name, OS version and device ID:

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-31324"
| summarize by DeviceName, DeviceId, strcat(OSPlatform, " ", OSVersion), SoftwareName, SoftwareVersion

 

To map the presence of additional, potentially vulnerable SAP NetWeaver servers in your environment, you can use the following Advanced Hunting query: 

*Results may be incomplete because the query relies on activity data: inactive instances of the application (installed but not currently running) might not be included in the report. 

DeviceProcessEvents 
| where (FileName == "disp+work.exe" and ProcessVersionInfoProductName == "SAP NetWeaver") or FileName == "disp+work"
| distinct DeviceId, DeviceName, FileName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion 

Where available, the ProcessVersionInfoProductVersion field contains the version of the SAP NetWeaver software.

 

Optional: Utilizing software inventory to map devices is advisable even when a CVE hasn’t been officially published or when there’s a specific requirement to upgrade a particular package and version. This query searches for devices that have a vulnerable version installed (you can use this link to open the query in your environment):

DeviceTvmSoftwareInventory 
| where SoftwareName == "netweaver_application_server_visual_composer"
| parse SoftwareVersion with Major:int "." Minor:int "." BuildDate:datetime "." rest:string
| extend IsVulnerable = Minor < 5020 or BuildDate < datetime(2025-04-18)
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, IsVulnerable
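One caveat with the inventory query above: KQL's parse produces nulls for any SoftwareVersion that does not fit the Major.Minor.BuildDate.rest pattern, so IsVulnerable is null for such rows and they are easy to overlook in the results. The following is an added example, not code from this post or from Microsoft, that applies the same predicate (Minor < 5020 or BuildDate < 2025-04-18) to an exported inventory and puts every row that cannot be evaluated into a separate needs-review bucket instead of dropping it. The version strings and device names are constructed for the example and only follow the layout the KQL parse statement expects.

```python
from datetime import date, datetime

# Thresholds taken from the post's KQL query: Minor < 5020 or BuildDate < 2025-04-18.
MIN_SAFE_MINOR = 5020
MIN_SAFE_BUILD = date(2025, 4, 18)

# Constructed inventory rows (device name, SoftwareVersion). The strings follow the
# Major.Minor.BuildDate.rest layout the KQL parse statement expects; they are not real data.
SAMPLE_INVENTORY = [
    ("sap-app-01", "7.5019.20250301.0"),   # minor below 5020
    ("sap-app-02", "7.5020.20250410.0"),   # minor OK, build predates the fix date
    ("sap-app-03", "7.5021.20250501.0"),   # patched
    ("sap-app-04", "7.50"),                # truncated string: the KQL parse yields nulls here
]


def parse_version(version):
    """Split 'Major.Minor.BuildDate.rest' the way the KQL parse does; None when it does not fit."""
    parts = version.split(".", 3)
    if len(parts) != 4:
        return None
    try:
        major = int(parts[0])
        minor = int(parts[1])
        build = datetime.strptime(parts[2], "%Y%m%d").date()
    except ValueError:
        return None
    return major, minor, build, parts[3]


def is_vulnerable(version):
    """True/False per the post's predicate; None when the version cannot be evaluated."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    _, minor, build, _ = parsed
    return minor < MIN_SAFE_MINOR or build < MIN_SAFE_BUILD


def classify_inventory(rows):
    """Bucket devices into vulnerable / patched / needs_review so unparsed rows are not lost."""
    buckets = {"vulnerable": [], "patched": [], "needs_review": []}
    for device, version in rows:
        verdict = is_vulnerable(version)
        key = "needs_review" if verdict is None else ("vulnerable" if verdict else "patched")
        buckets[key].append(device)
    return buckets


if __name__ == "__main__":
    for bucket, devices in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

In the KQL itself the equivalent safeguard is to add a condition such as `isnull(IsVulnerable)` to the results you review, so that hosts whose version string did not parse are examined by hand rather than silently treated as clean.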

Using a dedicated scanner 

You can leverage Microsoft’s lightweight scanner to validate if your SAP NetWeaver application is vulnerable. This scanner probes the vulnerable endpoint without actively exploiting it. 

Recommendations for Mitigation and Best Practices  

Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:  

  • Update NetWeaver to a Non-Vulnerable Version: All NetWeaver 7.x versions are vulnerable. For versions 7.50 and above, support packages SP027 - SP033 have been released and should be installed. Versions 7.40 and below do not receive new support packages and should implement alternative mitigations. 
  • JIT (Just-In-Time) Access: Cloud customers using Defender for Servers P2 can utilize our "JIT" feature to protect their environment from unnecessary ports and risks. This feature helps secure your environment by limiting exposure to only the necessary ports. The Microsoft research team has identified common ports that are potentially used by these components, so you can check or use JIT for these. It is important to mention that JIT can be used for any port, but these are the most common ones. Learn more about the JIT capability 
  • Ports commonly used by the vulnerable application as observed by Microsoft: 80, 443, 50000, 50001, 1090, 5000, 8000, 8080, 44300, 44380 

Active Exploitations  

To better support our customers in the event of a breach, we are expanding our detection framework to identify and alert you about the exploitation of this vulnerability across all operating systems (for MDE customers). These detectors, like all Microsoft detections, are also connected to Automatic Attack Disruption, our autonomous protection vehicle. When these alerts, together with other signals, give high confidence that an attack is ongoing, automatic actions are taken to contain the attack and prevent its further progression. 

Coverage and Detections   

Currently, our solutions support coverage of CVE-2025-31324 for Windows and Linux devices that are onboarded to MDE (in both MDE and MDC subscriptions). To further expand our support, Microsoft Defender Vulnerability Management is currently deploying additional detection mechanisms. This blog will be updated with any changes and progress.

Conclusion

By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment. While the above process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security. 

Updated May 26, 2025
Version 5.0