CVSS 10.0 is supposed to be a number that appears rarely enough to mean something. The scoring rubric requires everything to go wrong simultaneously: the vulnerability must be network-reachable, require no authentication, require no user interaction, and produce maximum impact across confidentiality, integrity, and availability. The stars have to align.
CVE-2025-31324 is one of those times the stars aligned. SAP handed them a telescope.
What It Is
The vulnerability lives in SAP NetWeaver’s Visual Composer, specifically the Metadata Uploader component. The attack surface is an HTTP endpoint — /developmentserver/metadatauploader — that accepts file uploads. It performs no authentication check. The uploaded file lands in a path that is web-accessible by default. You POST a JSP webshell, you GET remote code execution.
That’s it. That’s the whole attack.
A three-line curl command is sufficient for initial access on a default SAP NetWeaver installation. No credentials. No phishing. No chained exploit. You find the endpoint, you upload, you execute. The time between first reconnaissance and working shell can be measured in minutes.
Why This Is Different
Enterprise software vulnerabilities usually have friction. A misconfigured authentication bypass still requires you to know the right parameter. A deserialization bug needs the right gadget chain. Memory corruption needs you to fight ASLR. The exploitation complexity score on most CVEs above 8.0 is “High” for a reason — getting from vulnerable to owned is still work.
This one has no friction. The attack is mechanically simple enough that script kiddies ran it within days of disclosure. The financially motivated actors running ransomware staging ran it. UNC5221 and related Chinese APT groups ran it. SAP issued their advisory in April 2025 with “We strongly recommend to apply the patch on the priority basis.” The exploitation wave continued into 2026.
“Apply the patch on priority basis” is doing a lot of work in that sentence.
What You’re Touching When You Own NetWeaver
SAP NetWeaver is not an application. It’s the integration layer — the middleware that connects SAP ERP, S/4HANA, Business Warehouse, and every custom connector a Fortune 500 company has bolted on over the past two decades. It’s the substrate everything else runs on.
SAP systems run under high-privilege service accounts. That’s not an accident or a misconfiguration — it’s necessary for the system to function. NetWeaver needs access to the database, to the filesystem, to the interfaces that connect to HR, finance, supply chain, and manufacturing. A shell on NetWeaver is therefore not just a shell on NetWeaver. It’s typically a shell with read/write access to everything the ERP touches.
For an attacker doing ransomware staging, that’s the crown jewels. For an espionage actor, it’s the organizational nerve center. The blast radius from a successful exploitation of CVE-2025-31324 in a large enterprise is not “an application was compromised.” It’s “the company’s entire operational data layer was accessible.”
The Design Question Nobody Wants to Answer
The Metadata Uploader is a development-era component. It exists to support development and testing workflows during system integration projects. It was never designed to be an authentication-gated endpoint because, in the environment it was designed for, it wasn’t supposed to be production-exposed.
That distinction — “not intended for production” versus “not present in production” — is the gap that CVE-2025-31324 lives in.
SAP NetWeaver’s default installation surface ships with dozens of development-era components. The rationale is straightforward: stripping them increases deployment complexity, creates compatibility risks on upgrade, and generates customer support tickets. It’s easier to ship them and tell customers to lock them down than to maintain a slimmer production build. The economics of enterprise software deployments favor shipping everything and documenting what to turn off.
The problem is that documentation gets skipped. Hardening guides get filed and ignored. The component that “shouldn’t be production-exposed” runs in production for years because removing it is nobody’s project, nothing broke, and the system team has a hundred other things to do.
Then one April morning, that component becomes CVSS 10.0.
This isn’t unique to SAP. Enterprise middleware has been shipping attack surface under the label “development tools” for as long as enterprise middleware has existed. J2EE containers, application servers, integration platforms — they all have this pattern. The components are real; they serve real purposes during development; they make it to production because removing them is friction and leaving them is invisible.
Until it isn’t.
Exposure Mapping
If you’re running SAP NetWeaver, the immediate question is whether the endpoint is reachable. Internal-only deployment with no direct internet exposure is meaningfully better than internet-facing — but “internal” in 2025 enterprise environments often includes VPN users, contractor networks, cloud connectivity, and supply chain partners. The lateral movement story from an external foothold to internal NetWeaver isn’t long.
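While the patch is pending, the one thing a defender can do immediately is watch the endpoint named above. The script below is an added example (not SAP’s code and not from the original post): it parses web-server access logs in NCSA common format, flags any request whose normalised path is /developmentserver/metadatauploader, and then correlates a POST to that path with a later request for a .jsp resource from the same client, which is the footprint a dropped webshell leaves. The log lines, the client addresses, the /webroot-example/ directory and the dropped.jsp filename are all constructed for the example; the page does not say where uploads land, so the correlation keys on the .jsp extension rather than on a path.

```python
"""Detection example for CVE-2025-31324-style activity in access logs.

Assumptions (not from the SAP advisory or the original post):
  - logs are in NCSA common format and in chronological order
  - the sample lines, IPs, /webroot-example/ path and dropped.jsp are constructed
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# The unauthenticated upload endpoint discussed in the post.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# How long after an upload a .jsp request from the same client is still correlated.
FOLLOWUP_WINDOW = timedelta(minutes=30)

# NCSA common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample: one benign client, one client that hits the uploader
# and then requests a .jsp resource shortly afterwards.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [24/Apr/2025:10:13:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.23 - - [24/Apr/2025:10:14:02 +0000] "GET /webroot-example/dropped.jsp HTTP/1.1" 200 87
203.0.113.7 - - [24/Apr/2025:10:15:10 +0000] "GET /logout HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Normalise the path: drop the query string, percent-decode and lower-case,
    # so mixed-case or encoded spellings of the endpoint are still caught.
    rec["path"] = unquote(rec["target"].split("?", 1)[0]).lower()
    return rec


def detect(log_text):
    """Return a list of alerts: every hit on the uploader endpoint, plus any .jsp
    request from a client that POSTed to the uploader within FOLLOWUP_WINDOW."""
    alerts = []
    first_upload_by_ip = {}  # ip -> timestamp of that client's first POST to the uploader
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"] == UPLOADER_PATH:
            # A development-era endpoint should see no traffic in production at all,
            # so any request to it is worth an alert regardless of method or status.
            alerts.append({"kind": "uploader_hit", "ip": rec["ip"],
                           "ts": rec["ts"], "method": rec["method"], "status": rec["status"]})
            if rec["method"] == "POST":
                first_upload_by_ip.setdefault(rec["ip"], rec["ts"])
        elif rec["path"].endswith(".jsp"):
            first = first_upload_by_ip.get(rec["ip"])
            if first is not None and timedelta(0) <= rec["ts"] - first <= FOLLOWUP_WINDOW:
                alerts.append({"kind": "possible_webshell", "ip": rec["ip"],
                               "ts": rec["ts"], "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feed it the proxy or ICM access log for the hosts in question; any `uploader_hit` at all tells you the component is reachable and being probed, and a `possible_webshell` alert after a POST with a 200 status is the signal to treat the host as compromised rather than merely exposed.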
The patch closes the vulnerability. Apply it. That’s the answer SAP gave, and they’re right. But patching NetWeaver at scale in a large enterprise is not a one-afternoon project — there are dependency chains, maintenance windows, regression testing requirements, and change management processes that exist for legitimate reasons. Every day that patch is pending is a day that endpoint is live.
The harder question is audit: how many other development-era components in your SAP deployment are in the same situation? The Metadata Uploader is the one that got a CVE. The others are quiet until they’re not.
What CVSS 10.0 Actually Means
The score is supposed to be a signal that a vulnerability requires maximum urgency. The problem is that most organizations have normalized ignoring CVSS scores because the 9.8s and 9.9s are everywhere and the actual exploitability varies wildly. CVSS inflation has made the top of the scale feel like noise.
CVE-2025-31324 is a reminder that CVSS 10.0 can still mean what it says. No authentication. No complexity. No interaction. Maximum impact. Actively exploited. On the integration layer of the most business-critical software category in enterprise IT.
The rubric worked. The score is accurate. The question is whether the organizations running SAP NetWeaver treated it as accurately as the score described, or whether it got queued with everything else at the top of the chart.
The exploitation data suggests the answer varied.
PGP signature: sap-netweaver-cvss-10-upload-to-webroot.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026