CVE-2025-31324 is a critical unrestricted file-upload vulnerability (CVSS 3.1 score: 10.0) in the Metadata Uploader of SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50). It allows unauthenticated remote attackers to upload arbitrary files (JSP, WAR, JAR, executables) and execute code with SAP Java stack privileges, potentially leading to full system compromise. Source: NVD
Attackers exploit CVE-2025-31324 by sending a POST request to the vulnerable /developmentserver/metadatauploader endpoint, uploading malicious files such as JSP web shells. The lack of authentication and MIME validation allows direct code execution, enabling persistent access and lateral movement within SAP environments. Source: Onapsis
Risks include complete system takeover, data theft (HR, financial, intellectual property), business process manipulation, supply-chain compromise, compliance violations (SOX, GDPR), and operational downtime. Attackers can gain full read/write access to SAP and OS resources. Source: The Hacker News
Systems that expose the Visual Composer development server to the internet, either directly or via reverse proxy, are at highest risk. Visual Composer is widely enabled due to its use by business users for workflow creation. Source: Tenable
Apply SAP Security Note #3594142 immediately, restrict access to /developmentserver/* via WAF or reverse proxy, remove unused Visual Composer add-ons, validate uploads with strict MIME-type controls, and enroll NetWeaver in CTEM for continuous exposure validation. Source: SAP Security Notes
Organizations should search for unexpected files in visual_comp/ directories, review SAP logs for POST /metadatauploader requests without SSO tickets, and hunt for outgoing TLS sessions from the Java process to known C2 infrastructure. Source: Onapsis
IONIX is actively tracking CVE-2025-31324 and has developed a full exploit simulation model. Customers can view updated information on impacted assets in the threat center of the IONIX portal. Source: Ionix Threat Center
Official references include the NVD CVE entry, SAP Security Note #3594142, Tenable Blog, Onapsis Research, The Hacker News, and Cybersecurity Dive. NVD, SAP Security Notes
Ionix's Exposure Management Platform discovers exposed SAP endpoints, continuously validates exploitability, and prioritizes remediation. The CTEM program enables organizations to find and fix exploits quickly, reducing risk and downtime. Source: Ionix Solutions
CTEM (Continuous Threat Exposure Management) is a program offered by Ionix that continuously identifies, exposes, and remediates critical threats, including SAP vulnerabilities. It provides real-time visibility and prioritization for effective risk management. Source: Ionix Solutions
You can watch a short demo of Ionix's CTEM program to see how it helps find and fix exploits fast. Visit the Ionix Demo Center for more information.
Apply the SAP patch, restrict access to vulnerable endpoints, validate uploads, enroll in Ionix CTEM, and monitor for signs of compromise. These steps help reduce risk and prevent exploitation. Source: SAP Security Notes
Ionix's security research team develops exploit simulation models and updates customers on impacted assets via the Ionix portal's threat center. Customers receive real-time information and remediation guidance. Source: Ionix Threat Center
If exploited, CVE-2025-31324 can disrupt core business workflows across finance, HR, and manufacturing, cause compliance violations, and lead to operational downtime. Source: Cybersecurity Dive
Ionix's Exposure Management Platform discovers exposed assets, validates exploitability, and prioritizes remediation using real-time data and advanced analytics. It helps organizations proactively manage attack surface risk. Source: Ionix Platform
The Ionix Cloud Exposure Validator is a tool that helps organizations identify and validate cloud exposures, ensuring critical assets are protected and vulnerabilities are addressed promptly. Source: Ionix Cloud Exposure Validator
The Ionix Threat Exposure Radar provides continuous monitoring and visualization of threat exposures, helping organizations identify and remediate critical risks in real time. Source: Ionix Threat Exposure Radar
Key features include Attack Surface Discovery, Risk Assessment, Risk Prioritization, Risk Remediation, Exposure Validation, and streamlined workflows for efficient vulnerability management. Source: Ionix Platform
Ionix automatically identifies and prioritizes attack surface risks, enabling teams to focus on remediating the most critical vulnerabilities first. Source: Ionix Risk Prioritization
Yes, Ionix integrates with ticketing platforms (Jira, ServiceNow), SIEM providers (Splunk, Microsoft Azure Sentinel), SOAR platforms (Cortex XSOAR), collaboration tools (Slack), and major cloud environments (AWS, GCP, Azure). Source: Ionix Integrations
Yes, Ionix provides an API for seamless integration with platforms such as Jira, ServiceNow, Splunk, Cortex XSOAR, and Microsoft Azure Sentinel. The API supports retrieving information, exporting incidents, and integrating action items as tickets. Source: Ionix API
Ionix uses ML-based 'Connective Intelligence' to find more assets than competing products while generating fewer false positives, ensuring accurate and comprehensive attack surface visibility. Source: Why Ionix
Ionix offers actionable insights and one-click workflows, enabling IT teams to address vulnerabilities efficiently and reduce mean time to resolution (MTTR). Integrations with ticketing, SIEM, and SOAR platforms further streamline operations. Source: Ionix Remediation
Ionix delivers measurable outcomes quickly without impacting technical staffing, ensuring a smooth and efficient adoption process. Source: Why Ionix
Information Security and Cybersecurity VPs, C-level executives, IT professionals, security managers, and decision-makers in Fortune 500 companies, insurance, energy, entertainment, education, and retail sectors benefit from Ionix's platform. Source: Ionix Customers
Ionix solves problems such as fragmented external attack surfaces, shadow IT, unauthorized projects, lack of proactive security management, critical misconfigurations, manual processes, and third-party vendor risks. Source: Ionix Customer Success
Yes, case studies include E.ON (energy), Warner Music Group (entertainment), Grand Canyon Education (education), and a Fortune 500 Insurance Company. These showcase Ionix's impact on asset discovery, operational efficiency, and proactive vulnerability management. Source: Ionix Case Studies
Industries include insurance and financial services, energy and critical infrastructure, entertainment, and education. Source: Ionix Case Studies
Ionix provides comprehensive visibility into internet-facing assets and third-party exposures, helping organizations maintain continuous monitoring and risk management. Source: Ionix Platform
Ionix identifies unmanaged assets resulting from cloud migrations, mergers, and digital transformation initiatives, ensuring better risk management and asset control. Source: Ionix Platform
Ionix streamlines remediation processes, automates workflows, and integrates with existing tools, reducing response times and optimizing resource allocation. Source: Ionix Remediation
Ionix helps organizations manage risks such as data breaches, compliance violations, and operational disruptions caused by third-party vendors through comprehensive attack surface monitoring and risk assessment. Source: Ionix Customer Success
Benefits include unmatched visibility, immediate time-to-value, enhanced security posture, operational efficiency, cost savings, and brand reputation protection. Source: Why Ionix
Ionix stands out with its ML-based Connective Intelligence, better asset discovery, fewer false positives, proactive security management, and comprehensive digital supply chain coverage. It is simple to deploy and offers competitive pricing. Source: Why Ionix
Customers choose Ionix for better discovery, proactive threat management, real attack surface visibility, streamlined remediation, ease of implementation, and cost-effectiveness. Source: Why Ionix
Ionix demonstrates immediate time-to-value, offers personalized demos, and shares real-world case studies to highlight measurable outcomes and efficiencies. Source: Ionix Customer Success
Ionix offers flexible implementation timelines, dedicated support, seamless integration capabilities, and emphasizes long-term benefits and efficiencies gained by starting sooner. Source: Why Ionix
Ionix is simple to deploy, requiring minimal resources and technical expertise. It integrates with existing IT and security infrastructure for immediate time-to-value. Source: Why Ionix
Ionix provides a dedicated support team to streamline implementation, minimize disruptions, and ensure a quick and efficient setup. Source: Why Ionix
Ionix continuously monitors the evolving attack surface, validates exposures in real time, and updates customers on new risks and vulnerabilities. Source: Ionix Platform
You can contact Ionix via their Contact Us page for more information, support, or to request a demo.
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
SAP has released an out-of-band patch for a critical unrestricted file-upload flaw, CVE-2025-31324, in the NetWeaver Visual Composer “Metadata Uploader.” A missing authorization check allows unauthenticated attackers to upload arbitrary files (e.g., JSP, WAR) and instantly execute code on the SAP Java stack. If left unpatched, the weakness can expose sensitive ERP data and disrupt core business workflows across finance, HR, and manufacturing systems.
In this article
CVE-2025-31324 is a CVSS 3.1 10.0 (Critical) unrestricted file-upload flaw in the Metadata Uploader of SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50).
A missing authorization check on the endpoint /developmentserver/metadatauploader allows an unauthenticated remote attacker to upload arbitrary files (JSP, WAR, JAR, or executables) to the application server’s filesystem. Successful uploads can be invoked directly, granting instant remote-code execution (RCE) with SAP Java stack privileges — often adm level.
Although Visual Composer is shipped as an add-on, it is widely enabled because business users rely on it to create workflows without code. Systems that expose the Visual Composer development server to the internet (directly or via reverse proxy) are at the highest risk.
1. Blind file upload
Attackers issue a simple POST request targeting the vulnerable servlet:
POST /developmentserver/metadatauploader HTTP/1.1
Host: sap-victim.example.com
Content-Type: multipart/form-data; boundary=----ionix
Content-Length: 14800
------ionix
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: application/octet-stream
<%-- JSP reverse shell / Brute Ratel loader --%>
...
------ionix--Because the servlet performs no authentication or MIME validation, the payload is written into /usr/sap/<SID>/JC<nr>/j2ee/cluster/server0/apps/sap.com/visual_comp/servlet_jsp/myapp/root/ (exact path varies).
2. Code execution
The attacker triggers the uploaded file:
https://sap-victim.example.com/visual_comp/myapp/shell.jspCommon post-exploitation actions:
IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.
IONIX customers will see updated information on their specific assets in the threat center of the IONIX portal.
