Technical Details of SAP 0-Day Exploitation Script for RCE Revealed
gbhackers
Cybersecurity researchers have unveiled the inner workings of an exploit script targeting a critical zero-day vulnerability in SAP NetWeaver’s Visual Composer Metadata Uploader, now designated as CVE-2025-31324.
This flaw stems from a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, enabling unauthenticated file uploads that can lead to remote code execution (RCE) under the SAP service account privileges.
The script, originally published by vx-underground, automates the process by crafting HTTP POST requests to upload arbitrary files, such as malicious JSP web shells, thereby granting attackers persistent access to affected systems.
Vulnerability Exploitation
The exploit leverages the servlet’s failure to validate uploads, allowing files to be written directly to web-accessible directories like /irj/servlet_jsp/irj/root/.
In check mode, the script employs a Java deserialization payload for stealthy verification via out-of-band application security testing (OAST), where a serialized object triggers a callback to an attacker-controlled server without ...
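A defender-side check for the endpoint and directory named above, as an added example that is not from the article or the exploit script: it scans access-log lines for POSTs to /developmentserver/metadatauploader and for JSP pages under /irj/servlet_jsp/irj/root/ that are first requested after an accepted upload. The Apache-style log format, the function name find_suspicious and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Both paths come from the article; the log format and sample lines are assumptions.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEB_ROOT = "/irj/servlet_jsp/irj/root/"

# Assumed format: Apache-style common log lines, e.g. from a reverse proxy.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspicious(lines):
    """Return (line_no, kind, client_ip, path) tuples worth triaging."""
    findings, known_jsps, upload_accepted = [], set(), False
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Decode percent-encoding and drop the query string before matching.
        path = unquote(urlsplit(m["url"]).path).lower()
        status = int(m["status"])
        if m["method"] == "POST" and path.startswith(UPLOAD_ENDPOINT):
            accepted = 200 <= status < 300
            upload_accepted = upload_accepted or accepted
            kind = "upload-accepted" if accepted else "upload-rejected"
            findings.append((line_no, kind, m["ip"], path))
        elif path.startswith(WEB_ROOT) and path.endswith((".jsp", ".jspx")):
            if not upload_accepted:
                known_jsps.add(path)  # baseline: pages served before any upload
            elif path not in known_jsps and status == 200:
                findings.append((line_no, "new-jsp-after-upload", m["ip"], path))
    return findings

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2025:10:00:01 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/May/2025:10:01:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/May/2025:10:02:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 42',
    '198.51.100.7 - - [01/May/2025:10:03:00 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2025:10:03:05 +0000] "GET /irj/servlet_jsp/irj/root/constructed_name.jsp HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

An accepted upload followed by a request for a JSP that was never served before is the pairing to escalate; rejected POSTs show probing against a blocked or patched endpoint.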
Copyright of this story solely belongs to gbhackers.