SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
The Visual Composer Metadata Uploader component in SAP NetWeaver does not require authentication or verify permissions before accepting uploaded files. An attacker can transmit a potentially malicious executable file directly to the host server over the network (without the need to have an account or user interaction). The lack of authorization controls (CWE-434 — unrestricted upload of file with dangerous type) allows the uploaded file to be executed in the context of the server's operating system.
An attacker can gain complete control over the server — obtain full access to data (confidentiality), modify or destroy system resources (integrity), and cause its unavailability (availability). Successful exploitation of the vulnerability can lead to a serious breach of the organization's infrastructure.
Patches available from the vendor must be applied immediately in accordance with SAP Security Note 3594142 (https://me.sap.com/notes/3594142) and SAP Security Patch Day guidelines. Due to active exploitation in production environments, the update should be deployed as a priority; until the patch is installed, consider restricting network access to the Visual Composer component.
SAP NetWeaver with the Visual Composer Metadata Uploader component — specific versions indicated in the vendor references (SAP Security Note 3594142)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSap Netweaver
APPSap7.50
CISA KEV — detailsi
- Vendori
- SAP
- Producti
- NetWeaver
- Added to KEVi
- April 29, 2025
- Remediation deadline (US Federal)i
- May 20, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
Related vulnerabilities
SAP NetWeaver Visual Composer — niebezpieczna deserializacja treści
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker aut...
Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an ...
SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an a...
SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() ...