Alleged exploitation of SAP NetWeaver zero-day by an initial access broker

A previously unknown vulnerability in SAP NetWeaver is believed to have been exploited in the wild, putting many internet-facing web applications at risk.
Security researchers are warning of a vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 (CVSS score 10/10), that is suspected to have been exploited in the wild. A wide range of internet-exposed web applications are potentially vulnerable.
The flaw in the SAP NetWeaver Visual Composer Metadata Uploader stems from missing authorization checks. As a result, unauthenticated attackers, that is, anyone without valid credentials, can upload malicious executable files to the system.
Once uploaded, these files can be executed on the target, potentially leading to a full compromise of the affected SAP environment. SAP addressed the issue in its April 2025 Security Patch Day release.
ReliaQuest researchers discovered the vulnerability while investigating several incidents, some of which involved the successful compromise of fully patched systems.
“ReliaQuest conducted an analysis of exploitation activities aimed at SAP NetWeaver systems on April 22, 2025, discovering a critical vulnerability later identified by SAP as ‘CVE-2025-31324’ with a severity score of 10,” reads the report published by ReliaQuest. “Initially suspected to be a remote file inclusion problem, it was confirmed as an unrestricted file upload flaw, prompting SAP to issue a patch to address it, which we strongly recommend applying.”
The researchers emphasized that SAP systems are prime targets for attackers because of their widespread use by government agencies and corporations. ReliaQuest promptly reported the critical vulnerability to SAP, which led to the release of a patch. Ahead of public disclosure, ReliaQuest deployed detections and improved threat visibility to protect its clients.
The attackers abused the Metadata Uploader to upload JSP webshells via crafted POST requests, then executed them with simple GET requests to take full control of the targeted systems. All of the webshells were dropped in the same root directory, offered similar functionality, and borrowed code from a well-known public GitHub project for remote code execution.
“The focal point of the vulnerability in these instances was the /developmentserver/metadatauploader endpoint, designed to manage metadata files for software development and configuration in SAP applications within the NetWeaver ecosystem. While intended to streamline file transfer and processing for tasks such as configuration data or serialized objects, attackers uncovered an exploitable flaw in this component,” the report details. “Using meticulously crafted POST requests, threat actors uploaded malevolent JSP webshell files and saved them within the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory. Subsequently, these files could be remotely executed via basic GET requests, enabling attackers to attain full control and transform this endpoint into an exploitation platform.”
The attackers wrote JSP webshells, typically named “helper.jsp” or “cache.jsp,” into the servlet_jsp/irj/root/ directory, giving them remote command execution. They used the webshells to run system commands via GET requests, upload further files, and establish persistence. In one attack the actor also used Brute Ratel and the Heaven’s Gate technique for obfuscation and control, indicating a sophisticated adversary aiming at full system compromise and data exfiltration.
The delay observed between initial access and follow-on activity suggests the attacker may be an initial access broker, selling access to compromised organizations (via VPNs, RDP, or exploitable vulnerabilities) on underground forums.
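The upload-then-execute sequence described above can be hunted for in web server access logs. The following is an added example, not code from ReliaQuest or SAP: it correlates a POST to the /developmentserver/metadatauploader endpoint with a later GET of a .jsp under /irj/ from the same source, and flags the webshell names named in the report. It assumes a combined-log-style line format and uses constructed sample log lines; real NetWeaver HTTP logs may need a different regex.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the report: the abused upload endpoint and the
# webshell filenames seen in the root directory served under /irj/.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Assumed combined-log-style format: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic); 203.0.113.7 shows the full
# upload-then-execute pattern, 198.51.100.9 only probes for a known name.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:14:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [22/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 233
198.51.100.4 - - [22/Apr/2025:10:20:30 +0000] "GET /irj/portal HTTP/1.1" 200 8812
198.51.100.9 - - [22/Apr/2025:10:31:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 404 0
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path.split("?")[0], "status": int(status)}

def find_upload_then_execute(lines):
    """Return alerts for GETs of .jsp files under /irj/ that follow an upload
    POST from the same IP, or that request one of the reported webshell names."""
    uploads = defaultdict(list)  # ip -> timestamps of POSTs to the uploader
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].lower()
        if ev["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads[ev["ip"]].append(ev["time"])
        elif ev["method"] == "GET" and path.startswith("/irj/") and path.endswith(".jsp"):
            name = path.rsplit("/", 1)[-1]
            prior_upload = any(t <= ev["time"] for t in uploads[ev["ip"]])
            if prior_upload or name in WEBSHELL_NAMES:
                alerts.append({"ip": ev["ip"], "jsp": ev["path"], "status": ev["status"],
                               "upload_seen": prior_upload, "known_name": name in WEBSHELL_NAMES})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 404 on a known webshell name (as in the last sample line) is still worth reviewing: it may be a scan for an existing shell, or a shell that was already removed.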
“In one instance, we observed a significant lag between the initial access and subsequent actions taken by the attacker,” the report elaborates. “This delay led us to suspect that the actor might function as an initial access intermediary, procuring and vending access to other threat actors. Such intermediaries usually peddle entry to compromised entities leveraging avenues like VPNs, RDP, or exploiting vulnerabilities on illicit cyber forums.”
The researchers noted similarities between the current activity and the earlier exploitation of CVE-2017-9844, but because the compromised systems were fully patched, they assessed with high confidence that a previously undisclosed Remote File Inclusion (RFI) flaw in SAP NetWeaver was being exploited.
“Considering the available evidence, our evaluation is highly confident that this involves the exploitation of an unreported RFI vulnerability against public SAP NetWeaver servers,” the report concludes. “It remains uncertain if this is affecting specific versions of NetWeaver; nevertheless, observed tactics have predominantly occurred in environments with the latest patches applied.”
