CISA KEV 정보
| 취약점명 | SAP NetWeaver Unrestricted File Upload Vulnerability |
|---|---|
| 설명 | SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. |
| 조치사항 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| 랜섬웨어 캠페인 악용 | Known |
| CWE | CWE-434 |
| 등록일 (KEV) | 2025-04-29 |
| 조치 기한 | 2025-05-20 |
| 추가 참고 | https://me.sap.com/notes/3594142 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31324 |
NVD 상세 정보
CVSS v3.1: 10.0 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H설명: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CWE: CWE-434
참조
- https://me.sap.com/notes/3594142 [Permissions Required]
- https://url.sap/sapsecuritypatchday [Vendor Advisory]
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ [Third Party Advisory]
- https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/ [Press/Media Coverage]
- https://www.theregister.com/2025/04/25/sap_netweaver_patch/ [Press/Media Coverage]
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.