PatchSiren cyber security CVE debrief
CVE-2025-31324 SAP CVE debrief
CVE-2025-31324 is a SAP NetWeaver unrestricted file upload vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2025-04-29. CISA also marks it as having known ransomware campaign use, which raises the defensive priority even though no CVSS score was provided in the supplied corpus. Organizations running SAP NetWeaver should treat this as an urgent exposure to assess, mitigate, and track to closure.
- Vendor: SAP
- Product: NetWeaver
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-04-29
- Original CVE updated: 2025-04-29
- Advisory published: 2025-04-29
- Advisory updated: 2025-04-29
Who should care
SAP NetWeaver administrators, application owners, vulnerability management teams, security operations, incident responders, and any organization that exposes SAP NetWeaver to untrusted users or external networks.
Technical summary
The supplied record identifies CVE-2025-31324 as an unrestricted file upload vulnerability in SAP NetWeaver. CISA’s KEV entry confirms it as a known-exploited issue and notes known ransomware campaign use. The corpus does not supply a CVSS score or additional exploitation detail, so remediation urgency should be driven by KEV status and actual product exposure.
Defensive priority
Immediate
Recommended defensive actions
- Apply the vendor mitigation guidance referenced by CISA as soon as possible.
- Prioritize remediation for SAP NetWeaver systems before the CISA KEV due date of 2025-05-20.
- Inventory all SAP NetWeaver deployments to determine which instances are exposed and need action.
- If mitigations are unavailable for a given deployment, follow CISA guidance to discontinue use of the product where feasible.
- Follow the CISA KEV entry and related vendor guidance for ongoing validation and tracking.
Evidence notes
The supplied corpus shows CVE-2025-31324 published and modified on 2025-04-29. CISA’s KEV metadata for this entry states vendorProject SAP, product NetWeaver, dateAdded 2025-04-29, dueDate 2025-05-20, knownRansomwareCampaignUse Known, and requiredAction to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. The source metadata also cites SAP Note 3594142 and the NVD detail page. No CVSS score was provided in the supplied corpus.
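The KEV metadata fields listed above (vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction) are the same fields CISA publishes in its machine-readable KEV JSON feed, which is how most teams track KEV due dates at scale. The script below is an added example, not part of this debrief or any PatchSiren or CISA tooling: it parses a constructed KEV excerpt that uses only the values stated on this page for CVE-2025-31324, matches it against a hypothetical asset inventory (the hostnames and exposure flags are invented), and ranks each affected host by whether the KEV due date has passed, whether ransomware use is recorded, and whether the host is internet-exposed.

```python
import json
from datetime import date

# Constructed KEV excerpt built only from the values this debrief states for
# CVE-2025-31324; field names follow the schema of CISA's public KEV JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-31324",
            "vendorProject": "SAP",
            "product": "NetWeaver",
            "vulnerabilityName": "SAP NetWeaver Unrestricted File Upload Vulnerability",
            "dateAdded": "2025-04-29",
            "shortDescription": "SAP NetWeaver contains an unrestricted file upload vulnerability.",
            "requiredAction": ("Apply mitigations per vendor instructions, follow applicable "
                               "BOD 22-01 guidance for cloud services, or discontinue use of "
                               "the product if mitigations are unavailable."),
            "dueDate": "2025-05-20",
            "knownRansomwareCampaignUse": "Known",
            "notes": "SAP Note 3594142",
        }
    ],
})

# Constructed (hypothetical) asset inventory; hostnames and exposure flags are invented.
SAMPLE_INVENTORY = [
    {"host": "sap-prd-01.example.internal", "vendor": "SAP", "product": "NetWeaver", "internet_exposed": True},
    {"host": "sap-dev-02.example.internal", "vendor": "SAP", "product": "NetWeaver", "internet_exposed": False},
    {"host": "erp-db-01.example.internal", "vendor": "Oracle", "product": "Database", "internet_exposed": False},
]


def parse_kev(raw: str) -> list:
    """Return the vulnerabilities array from a KEV catalog JSON document."""
    return json.loads(raw)["vulnerabilities"]


def asset_matches(entry: dict, asset: dict) -> bool:
    """Match an inventory asset to a KEV entry on vendor and product name (case-insensitive)."""
    return (entry["vendorProject"].casefold() == asset["vendor"].casefold()
            and entry["product"].casefold() in asset["product"].casefold())


def classify(entry: dict, asset: dict, today: date) -> tuple:
    """Return (priority, days_remaining) for one asset/KEV-entry pair.

    Priority order: past the KEV due date > ransomware use recorded or
    internet-exposed host > everything else (still required before the due date).
    """
    due = date.fromisoformat(entry["dueDate"])
    days_remaining = (due - today).days
    if days_remaining < 0:
        return "overdue", days_remaining
    if entry.get("knownRansomwareCampaignUse") == "Known" or asset["internet_exposed"]:
        return "immediate", days_remaining
    return "before-due-date", days_remaining


def triage(raw_kev: str, inventory: list, today) -> list:
    """Join a KEV feed with an inventory and return findings, most urgent first.

    `today` may be a datetime.date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for entry in parse_kev(raw_kev):
        for asset in inventory:
            if not asset_matches(entry, asset):
                continue
            prio, days = classify(entry, asset, today)
            findings.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "due": entry["dueDate"],
                "days_remaining": days,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                "priority": prio,
                "required_action": entry["requiredAction"],
            })
    order = {"overdue": 0, "immediate": 1, "before-due-date": 2}
    findings.sort(key=lambda f: (order[f["priority"]], f["days_remaining"], f["host"]))
    return findings


if __name__ == "__main__":
    # Evaluate as of the day the entry was added to KEV (2025-04-29).
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-04-29"):
        print(f"{f['priority']:<16} {f['host']:<32} {f['cve']} due {f['due']} "
              f"({f['days_remaining']} days, ransomware use: {f['ransomware_use']})")
```

Pointing `parse_kev` at the real feed instead of the constructed excerpt, and the inventory at a CMDB export with the same four keys, gives a daily list of hosts that must be remediated before each KEV due date; the Oracle host in the sample inventory is correctly left out because it matches neither vendor nor product.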
Official resources
- CVE-2025-31324 CVE record (CVE.org)
- CVE-2025-31324 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL: cisa_kev
Publicly disclosed on 2025-04-29 and added to CISA’s Known Exploited Vulnerabilities catalog the same day; CISA also records known ransomware campaign use.