SAP NetWeaver Visual Composer Exploitation Attempt

Splunk Security Content

Summary
This detection rule identifies potential exploitation attempts against SAP NetWeaver Visual Composer via the critical vulnerability CVE-2025-31324. The vulnerability allows remote attackers to upload arbitrary files through the /developmentserver/metadatauploader endpoint, potentially leading to full system compromise. The rule monitors for HTTP HEAD and POST requests to that endpoint that return a 200 OK status, which may indicate either reconnaissance or active exploitation. Attackers leveraging this vulnerability can gain unauthorized privileged access and deploy malicious payloads, threatening the integrity and availability of SAP resources. Organizations are advised to apply patches immediately and to scrutinize any suspicious activity related to this vulnerability.
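The matching logic the summary describes (HEAD or POST to `/developmentserver/metadatauploader` answered with 200), as an added Python example that is not the Splunk rule's own search. It assumes combined-format web access logs; the sample lines, the function names and the path normalisation (query string dropped, percent-decoded, lowercased) are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/developmentserver/metadatauploader"   # endpoint named in the rule
WATCHED_METHODS = {"HEAD", "POST"}                    # methods the rule monitors

# Access-log layout assumed: host ident user [time] "METHOD uri PROTO" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Apr/2025:10:01:02 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
198.51.100.7 - - [28/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader?q=1 HTTP/1.1" 200 412
203.0.113.20 - - [28/Apr/2025:10:03:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 199
203.0.113.20 - - [28/Apr/2025:10:03:55 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 87
192.0.2.44 - - [28/Apr/2025:10:05:11 +0000] "POST /irj/portal HTTP/1.1" 200 5120
192.0.2.44 - - [28/Apr/2025:10:05:30 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 404 0
"""

def normalise_path(uri):
    """Drop the query string, percent-decode and lowercase the request path."""
    return unquote(urlsplit(uri).path).lower().rstrip("/")

def detect(log_text):
    """Return (time, src, method, uri) for each request matching the rule's conditions."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here; count these in production
        if (m["method"] in WATCHED_METHODS
                and m["status"] == "200"
                and normalise_path(m["uri"]) == TARGET_PATH):
            hits.append((m["time"], m["src"], m["method"], m["uri"]))
    return hits

def by_source(hits):
    """Group matched methods per source address, in log order, for triage."""
    summary = {}
    for _time, src, method, _uri in hits:
        summary.setdefault(src, []).append(method)
    return summary

if __name__ == "__main__":
    for src, methods in by_source(detect(SAMPLE_LOG)).items():
        print(f"{src}: {' -> '.join(methods)} returned 200 on {TARGET_PATH}")
```

A match shows only that the endpoint answered 200 to a watched method; a HEAD followed by a POST from the same source is the sequence to look at first when triaging.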
Categories
  • Web
  • Network
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2025-04-28