Email communication from April 28th, 2025


Subject: Important Security Alert: SAP Zero-Day Vulnerability CVE-2025-31324, SAP Security Note 3594142


Dear Avantra Customer,


We are writing to inform you about a critical SAP Zero-Day Vulnerability that has been recently discovered. This vulnerability, identified as CVE-2025-31324 and detailed in SAP Security Note 3594142, poses a significant risk to your SAP NetWeaver Java systems.


We understand that ensuring the security and integrity of your SAP landscape is of utmost importance. To help you quickly identify if any of your systems are affected by this vulnerability, we recommend utilizing Avantra's SAP HotNews evaluation function.


Avantra automatically collects information about SAP J2EE components in the background as part of its regular daily monitoring. The vulnerable component related to this Zero-Day is SAP Visual Composer (technical component name VCFRAMEWORK); all support packages below SP27 are affected.


Although SAP Visual Composer is not installed by default, it is widely enabled, since it served, and in many landscapes still serves, as a core tool for business process specialists to create business application components without coding. Your NetWeaver Java systems may therefore or may not have this component deployed.
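As an added illustration of the two criteria above (VCFRAMEWORK deployed, and its support package below SP27), the following script classifies each system from a component list. It is not Avantra's code, and the inventory format it parses is a constructed one, not Avantra's or SAP's real component listing.

```python
import re

# Constructed sample inventory (not a real Avantra or SAP export): one line per
# system SID, followed by deployed J2EE software components as "NAME SPnn",
# separated by ";". Component names other than VCFRAMEWORK are placeholders.
SAMPLE_INVENTORY = """\
PRD VCFRAMEWORK SP26 ; EXAMPLE_COMP SP30
QAS VCFRAMEWORK SP27
DEV EXAMPLE_COMP SP30
"""

AFFECTED_COMPONENT = "VCFRAMEWORK"   # SAP Visual Composer, per SAP Security Note 3594142
FIXED_SP = 27                        # support packages below SP27 are affected

_COMPONENT_RE = re.compile(r"^\s*(?P<name>[A-Z0-9_]+)\s+SP(?P<sp>\d+)\s*$")


def parse_inventory(text):
    """Return {sid: {component_name: sp_level}} from the constructed format."""
    systems = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, _, rest = line.partition(" ")
        components = {}
        for entry in rest.split(";"):
            match = _COMPONENT_RE.match(entry)
            if match is None:
                raise ValueError(f"unparseable component entry: {entry!r}")
            components[match["name"]] = int(match["sp"])
        systems[sid] = components
    return systems


def assess(systems):
    """Classify each system as 'affected', 'patched' or 'not deployed'."""
    result = {}
    for sid, components in systems.items():
        sp_level = components.get(AFFECTED_COMPONENT)
        if sp_level is None:
            result[sid] = "not deployed"      # Visual Composer absent: not exposed via this component
        elif sp_level < FIXED_SP:
            result[sid] = "affected"          # below SP27: apply SAP Note 3594142
        else:
            result[sid] = "patched"
    return result


if __name__ == "__main__":
    for sid, status in assess(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{sid}: {status}")
```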


You can see the components in the details screen:



By using the HotNews evaluation, Avantra checks this information for you without requiring any additional configuration or manual intervention.


To do this, simply choose Support → SAP HotNews, then select “All notes”. You can also filter on the note number 3594142.




By using this feature, you will be able to immediately see which of your systems are impacted, allowing you to take swift and necessary action to mitigate the risk.


We strongly encourage you to perform this evaluation as soon as possible to protect your environment.


If you have any questions or require further assistance, please do not hesitate to contact our support team.


Sincerely,


The Avantra Team



BTW: Customers who use Avantra's built-in notification feature for new HotNews are typically notified of vulnerable systems before an official press release or the SAP HotNews email service.