
DIVD-2025-00019 - Unauthenticated file upload in Visual Composer (VCFRAMEWORK)

Our reference: DIVD-2025-00019
Case lead: Joris van de Vis
Researcher(s):
CVE(s):
Product: SAP
Versions: SAP Visual Composer in SAP JAVA
Recommendation: Patches are available now from the vendor. See SAP Security Notes 3594142 and 3604119.
Patch status: Fully patched
Workaround: https://me.sap.com/notes/3593336/E
Status: Open
Last modified: 28 May 2025 13:22 CEST

Summary

On April 25, 2025, SAP released an out-of-band patch for an RCE vulnerability that was exploited in the wild by parties linked to the Chinese nation state. An immediate fix was shipped and broadly communicated to customers.

What you can do

What we are doing

Timeline

Date: Description
25 Apr 2025 - 25 Apr 2025: SAP reported the vulnerability and provided a fix.
20 May 2025: Even though the vulnerability has received a lot of attention from the vendor and researchers, DIVD starts research to add a layer of protection for customers who somehow missed all the information.
27 May 2025: DIVD starts scanning the internet for open SAP instances.
28 May 2025: DIVD starts identifying owners.

More information