# Rapid Response to CVE-2025-31324: Mitigating SAP NetWeaver Visual Composer Exploitation

By [Sasha Sokolovich](https://www.paloaltonetworks.com/blog/author/sasha-sokolovich/), May 15, 2025. Palo Alto Networks Security Operations blog ([Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)). Tags: Cortex, CVE-2025-31324, SAP NetWeaver Visual Composer, XSIAM.

### Introduction

SAP NetWeaver Visual Composer has recently come under fire due to a critical zero-day vulnerability, CVE-2025-31324. This flaw, actively exploited in the wild, allows unauthenticated attackers to upload malicious files via the /developmentserver/metadatauploader endpoint, potentially achieving full remote code execution (RCE) on exposed SAP systems. The **CVSS score of 10.0** underscores its severity, making rapid detection and remediation essential.

To help organizations mitigate this threat, the Cortex XSIAM Response and Remediation pack introduces a dedicated playbook: **CVE-2025-31324 -- SAP NetWeaver Visual Composer**. This playbook identifies vulnerable systems, hunts for potential webshells and indicators of compromise (IOCs), and executes and guides containment and remediation steps.

This playbook can be triggered by:

1. Adopting the "CVE-2025-31324 -- SAP NetWeaver Visual Composer" trigger rule in your XSIAM product.
2. Running this playbook manually.

**Learn more in the full Unit42 threat brief**: [Unit42 Threat Brief -- SAP NetWeaver CVE-2025-31324](https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/)

### Threat Overview

CVE-2025-31324 is a remote code execution (RCE) vulnerability affecting the Metadata Uploader component in SAP NetWeaver Visual Composer.
Due to missing authorization checks, unauthenticated attackers can upload malicious files (e.g., JSP web shells) to vulnerable systems. The flaw has received a CVSS score of 10.0, reflecting its severity.

* **Component Affected**: SAP NetWeaver Visual Composer Metadata Uploader
* **Endpoint**: /developmentserver/metadatauploader
* **CVE ID**: CVE-2025-31324
* **Exploitability**: Remote, unauthenticated

If exploited, attackers can execute arbitrary code with the privileges of the SAP server process, compromising system integrity and confidentiality.

### Stages of the Playbook

**1. Asset Discovery (XQL)**

Identify endpoints running SAP NetWeaver Visual Composer by querying for jstart.exe activity in paths containing visualcomposer. If XQL is unavailable, you can manually add the Cortex XDR Agent IDs of the affected machines.

![Fig 1: Segment of playbook illustrating automated asset discovery](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339046-1-1.png)

Fig 1: Segment of playbook illustrating automated asset discovery

**2. IOCs Collection and Tagging**

* Extracts Indicators of Compromise (IOCs) from the [Unit42 Threat Brief](https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/)
* Tags indicators (File, Domain, IP, CVE)
* Links indicators back to the triggering alert

![Fig 2: Segment of playbook illustrating IOC collection and tagging](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339046-2-1.png)

Fig 2: Segment of playbook illustrating IOC collection and tagging

**3. Threat Hunting**

Uses the Threat Hunting - Generic playbook to search for the IOCs across integrated platforms (Cortex, Splunk, QRadar, etc.).

**4. WebShell Detection**

Inspects /servlet_jsp/irj/ directories to detect suspicious files indicative of webshells. This step leverages two key Cortex XSIAM capabilities:

* **XQL Queries** to detect file operations in the target directory involving suspicious extensions (e.g. .jsp, .jspx, .class)
* **Cortex XDR Agent Live Terminal actions** to remotely enumerate the directory and identify known or suspicious webshell files

![Fig 3: Segment of playbook illustrating webshell detection tasks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339046-3.png)

Fig 3: Segment of playbook illustrating webshell detection tasks

**5. Containment and Blocking**

Invokes the Containment Plan - Block Indicators sub-playbook to block all identified malicious domains, IPs, and hashes.

**6. Playbook Provides Mitigation Guidance**

Provides detailed remediation steps, including:

* Patching via SAP Note #3594142
* Applying YARA rules for webshell detection
* Implementing Sigma rules (from a public PR)
* Manual quarantine suggestions for suspicious files

**7. Investigation Resolution**

Analysts are prompted to decide whether to escalate or close the case based on the investigation findings and the patch level. Additionally, the playbook shares information about open-source tools for compromise assessment, intended for cases where the Cortex Agent is not deployed on the affected systems.

### Conclusion

With CVE-2025-31324 actively exploited in the wild, rapid response is critical. This playbook provides an automated and guided workflow to identify vulnerable systems, hunt for signs of exploitation, and block threats before they escalate. It embodies the Autonomous SOC vision by minimizing analyst overhead and maximizing detection and response speed.
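The asset-discovery (stage 1) and webshell-detection (stage 4) logic described above, expressed in plain Python over constructed telemetry, as an added example that is not code from the playbook or from Palo Alto Networks. It models the two XQL filters the playbook runs: hosts with jstart.exe activity in a path containing "visualcomposer", and write-type file operations under a servlet_jsp/irj/ directory with .jsp, .jspx or .class extensions. All field names (host, agent_id, process_name, path, action) and every sample record are assumptions made for this example; they do not reproduce the XSIAM event schema or real SAP paths.

```python
"""Triage helpers modelled on the playbook's XQL stages (added example, not
the Cortex XSIAM playbook itself). Field names and sample records below are
constructed for illustration; they are not the XSIAM schema."""
from __future__ import annotations

import posixpath

SUSPICIOUS_EXTENSIONS = {".jsp", ".jspx", ".class"}   # extensions named in the article
WEBSHELL_DIR_MARKER = "/servlet_jsp/irj/"             # directory the playbook inspects
WRITE_ACTIONS = {"create", "write", "rename"}         # a dropped webshell is a write, not a delete

# --- constructed sample telemetry (hypothetical field names) ----------------
PROCESS_EVENTS = [
    {"host": "sap-app-01", "agent_id": "agent-0001", "process_name": "jstart.exe",
     "path": r"D:\usr\sap\NW1\J00\j2ee\cluster\apps\sap.com\tc~visualcomposer~core\lib\vc.jar"},
    {"host": "sap-app-02", "agent_id": "agent-0002", "process_name": "jstart.exe",
     "path": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/index.jsp"},
    {"host": "sap-app-03", "agent_id": "agent-0003", "process_name": "JSTART.EXE",
     "path": r"E:\usr\sap\PRD\J01\j2ee\cluster\apps\sap.com\TC~VisualComposer~Modeler\app.war"},
    {"host": "sap-app-04", "agent_id": "agent-0004", "process_name": "java.exe",
     "path": r"C:\tools\visualcomposer\notes.txt"},  # wrong process: not a Visual Composer host
]

FILE_EVENTS = [
    {"host": "sap-app-01", "action": "create",
     "path": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp"},
    {"host": "sap-app-01", "action": "write",
     "path": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/images/logo.png"},
    {"host": "sap-app-02", "action": "create",
     "path": r"D:\usr\sap\NW1\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\cache.jspx"},
    {"host": "sap-app-03", "action": "write",
     "path": "/usr/sap/PRD/J01/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/WEB-INF/classes/Helper.class"},
    {"host": "sap-app-03", "action": "delete",
     "path": "/usr/sap/PRD/J01/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/old.jsp"},
    {"host": "sap-app-04", "action": "create", "path": "/tmp/upload/test.jsp"},  # outside irj
]


def normalize_path(path: str) -> str:
    """Lower-case and use forward slashes so Windows and POSIX paths match the same
    substring filters, mirroring a case-insensitive 'contains' in XQL."""
    return path.replace("\\", "/").lower()


def discover_visual_composer_hosts(process_events: list[dict]) -> dict[str, str]:
    """Stage 1: return {host: agent_id} for hosts where jstart.exe touched a
    Visual Composer path. The first agent_id seen per host is kept."""
    hosts: dict[str, str] = {}
    for ev in process_events:
        if ev["process_name"].lower() != "jstart.exe":
            continue
        if "visualcomposer" in normalize_path(ev["path"]):
            hosts.setdefault(ev["host"], ev["agent_id"])
    return hosts


def find_suspicious_file_writes(file_events: list[dict]) -> list[dict]:
    """Stage 4: flag write-type operations under servlet_jsp/irj/ whose file
    extension is one a JSP webshell would use."""
    findings = []
    for ev in file_events:
        if ev["action"] not in WRITE_ACTIONS:
            continue
        norm = normalize_path(ev["path"])
        if WEBSHELL_DIR_MARKER not in norm:
            continue
        ext = posixpath.splitext(norm)[1]
        if ext in SUSPICIOUS_EXTENSIONS:
            findings.append({"host": ev["host"], "action": ev["action"],
                             "path": ev["path"], "ext": ext})
    return findings


def triage(process_events: list[dict], file_events: list[dict]) -> list[dict]:
    """Join both stages: each suspicious write is annotated with whether its host
    was confirmed as a Visual Composer system, and confirmed hosts sort first so an
    analyst sees the likeliest hits at the top."""
    vc_hosts = discover_visual_composer_hosts(process_events)
    results = [{**f, "agent_id": vc_hosts.get(f["host"]),
                "vc_confirmed": f["host"] in vc_hosts}
               for f in find_suspicious_file_writes(file_events)]
    results.sort(key=lambda r: (not r["vc_confirmed"], r["host"], r["path"]))
    return results


if __name__ == "__main__":
    for r in triage(PROCESS_EVENTS, FILE_EVENTS):
        flag = "VC-host" if r["vc_confirmed"] else "unconfirmed"
        print(f"[{flag}] {r['host']} ({r['agent_id']}) {r['action']} {r['path']}")
```

A hit on an unconfirmed host is still worth a look: Visual Composer may be deployed but the process telemetry for it may simply be missing. Conversely, .class files legitimately live under WEB-INF/classes, so compare flagged writes against a known-good baseline or deployment change records before quarantining anything, which is what the Live Terminal enumeration and manual-quarantine steps in the playbook are for.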
### Learn More

* [Cortex Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/)
* [Unit42 Threat Brief on CVE-2025-31324](https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/)
* [NIST CVE Details](https://nvd.nist.gov/vuln/detail/CVE-2025-31324)

*To learn more about how you can transform your SOC through automation, schedule [a personal demo for Cortex XSIAM](https://www.paloaltonetworks.com/cortex/request-demo).*