
DIVD and SecurityBridge Join Forces: Scanning the Internet for Vulnerable SAP Systems (CVE-2025-31324)

A Joint Mission to Protect SAP Systems Worldwide
In a time where cybersecurity threats are more sophisticated and widespread than ever, collaboration is key. SecurityBridge is proud to work with the Dutch Institute for Vulnerability Disclosure (DIVD) in a coordinated effort to identify and help mitigate vulnerable SAP systems exposed to CVE-2025-31324.
This initiative underscores a shared mission: to make the digital world a safer place by taking proactive steps to detect, inform, and empower system owners before attackers can exploit critical vulnerabilities.
Understanding CVE-2025-31324
CVE-2025-31324 is a critical remote code execution vulnerability affecting SAP NetWeaver’s Visual Composer Metadata Uploader component. Due to a missing authorization check, unauthenticated attackers can upload malicious files, leading to a complete system compromise. With a CVSS score of 10.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of SAP landscapes.
How DIVD Scans the Internet
DIVD operates a responsible disclosure model that prioritizes user safety and data privacy. Using custom scanning tools based on open frameworks like Nuclei, DIVD continuously probes the public IPv4 space for known vulnerabilities. Their scans for CVE-2025-31324 target specific SAP NetWeaver endpoints associated with the vulnerable Metadata Uploader interface.
Key features of DIVD’s scanning methodology:
- Non-intrusive – ensuring scans only confirm the presence of a vulnerability without executing any harmful payloads.
- Transparent – scan headers identify themselves using a standardized User-Agent: DIVD-YYYY-XXXXX format.
- Followed by Responsible Notification – all identified vulnerable system owners are notified via abuse contacts, CSIRT networks, or national CERT channels.
The Results: Three Scans, Measurable Progress
Scan results from DIVD for three key dates:
📆 June 2, 2025:
- Multiple vulnerable SAP NetWeaver systems were identified across various global IP ranges.
- Systems, including versions like NetWeaver 7.53 and 7.45, were still exposed.
📆 June 18, 2025:
- Several previously vulnerable systems were no longer responding as exploitable.
- This indicates system owners acted on DIVD’s responsible disclosures, patched, or removed the vulnerable interfaces.
📆 July 14, 2025:
- Another 6 previously vulnerable SAP systems are no longer reported as vulnerable.
Scan Data Overview:
| Metric | 02.06.2025 | 18.06.2025 | 14.07.2025 |
|---|---|---|---|
| Newly Vulnerable Systems | N/A | 5 | 0 |
| Systems No Longer Vulnerable | N/A | 29 | 6 |
| Systems Still Vulnerable | N/A | 104 | 103 |
| Total Vulnerable Systems | 133 | 109 | 103 |
The drop in the total number of vulnerable systems across the three scan dates (133 to 109 to 103) is a success indicator of the notification and remediation process.
Why These Results Matter
SAP systems are the digital backbone of many of the world’s most critical business processes. A successful exploit of CVE-2025-31324 could disrupt supply chains, impact financial operations, and compromise the integrity of sensitive data.
By supporting the mission of the DIVD, SecurityBridge reinforces its commitment to:
- Early warning and detection: Delivering actionable threat intelligence to customers and partners.
- Global security efforts: Collaborating with ethical hacking communities and public-private partnerships.
- Continuous vigilance: Making the internet a safer place, one vulnerable system at a time.
What SAP Administrators Should Do
We strongly encourage all SAP administrators to take immediate action to protect their systems from CVE-2025-31324:
- Patch immediately by applying the fixes provided in SAP Note 3594142 or use a workaround as outlined in SAP Note 3593336.
- Check the exposure of endpoints. Check the SAP endpoint https://[your-sap-server]/developmentserver/metadatauploader for the HTTP response code; this should not be returning a response code of ‘200’. This can be done e.g. via curl:
curl -f http://<your SAP server ip-address>:<port>/developmentserver/metadatauploader
[Response code other than ‘200’ → SAP system is not vulnerable]
(curl -f exits with a non-zero status on HTTP 4xx/5xx responses, so the command failing is the expected, healthy outcome.)
- Monitor systems for any signs of compromise or abnormal file uploads.
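The endpoint check above, as an added example that is not part of the original article and not a DIVD or SecurityBridge tool: it requests /developmentserver/metadatauploader on each base URL given on the command line, does not follow redirects (so a 302 to a login page is reported as 302, not as the 200 it may lead to), and applies the article's rule that only a 200 means the uploader answers unauthenticated. Host names in the usage are placeholders; a TLS verification failure (common with self-signed SAP certificates) is reported as unreachable rather than being silently bypassed.

```python
import sys
import urllib.error
import urllib.request

# Path of the Visual Composer Metadata Uploader named in the article.
ENDPOINT_PATH = "/developmentserver/metadatauploader"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx codes themselves instead of following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError carrying the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect)


def classify_status(status):
    """Article's rule: 200 means exposed; any other code means not exposed."""
    if status is None:
        return "unreachable"
    return "exposed" if status == 200 else "not-exposed"


def fetch_status(url, timeout=10):
    """GET url and return its HTTP status code, or None if no HTTP answer came back."""
    req = urllib.request.Request(url, headers={"User-Agent": "metadatauploader-exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 3xx/4xx/5xx still carry a status code
    except (urllib.error.URLError, OSError):
        return None  # timeout, refused connection, DNS or TLS failure


def check_host(base_url, fetch=fetch_status):
    """Check one base URL (scheme://host:port); 'fetch' is injectable for offline tests."""
    url = base_url.rstrip("/") + ENDPOINT_PATH
    status = fetch(url)
    return {"url": url, "status": status, "verdict": classify_status(status)}


if __name__ == "__main__":
    # Usage: python check.py https://sap-host.example.internal:50001 http://10.0.0.5:50000
    for base in sys.argv[1:]:
        result = check_host(base)
        print(f"{result['verdict']:<12} status={result['status']}  {result['url']}")
```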
Moving Forward Together
This joint operation is a powerful example of what the cybersecurity community can achieve together. We extend our gratitude to DIVD for their tireless work in scanning the world’s digital infrastructure and for their ethical approach to vulnerability disclosure.
Together, we help make the world run more securely.
Stay updated by following SecurityBridge and DIVD for ongoing updates, collaborations and security advisories.