Incident Involving SAP NetWeaver Vulnerability

Threat Posed by SAP NetWeaver Zero-Day Vulnerability
Researchers have warned about a zero-day flaw in SAP NetWeaver, tracked as CVE-2025-31324 (CVSS score 10/10), that is reportedly being exploited in the wild. Many internet-facing applications may be at risk.
The vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader stems from a missing authorization check. It allows unauthenticated attackers, who hold no valid credentials, to upload malicious executable files to the system.
Once uploaded, these files can be executed on the host, potentially leading to a full compromise of the targeted SAP environment. SAP fixed the issue in its April 2025 Security Patch Day release.
ReliaQuest researchers discovered the vulnerability while investigating several incidents, some of which involved the compromise of fully patched systems.
“On April 22, 2025, ReliaQuest disclosed an investigation into exploitation attempts aimed at SAP NetWeaver systems, uncovering a critical vulnerability later named by SAP as ‘CVE-2025-31324’ with a high severity score,” noted the report published by ReliaQuest. “Initially presumed to be a remote file inclusion flaw, it was revealed as an unbounded file upload vulnerability. Subsequently, SAP issued a patch to fix it, which we strongly advise applying.”
The researchers noted that SAP systems are attractive targets because they are widely used by governments and businesses. ReliaQuest reported the critical flaw to SAP, which released a patch. Before public disclosure, ReliaQuest deployed detection rules and strengthened its threat detection capabilities to protect its customers.
Attackers abused the Metadata Uploader by sending crafted POST requests that uploaded malicious JSP webshells, then executed them with GET requests to gain full control of the target systems. All of the webshells were written to the same parent directory, offered similar functionality, and reused code from a publicly available GitHub RCE project.
“The vulnerability observed in these incidents is situated in the /developmentserver/metadatauploader endpoint, a functionality devised to handle metadata files for application development and configuration in SAP applications within the NetWeaver framework. In principle, it should streamline the transition and processing of files like configuration data or serialized objects. Nonetheless, cybercriminals found an exploitable path,” continued the report. “Through meticulously crafted POST requests, the attackers uploaded malevolent JSP webshell files and saved them in the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory. Subsequently, these files could be remotely executed via simple GET requests, granting malefactors complete control and effectively turning this endpoint into an exploitation springboard.”
The attackers used the servlet_jsp/irj/root/ path to plant JSP webshells, typically named “helper.jsp” or “cache.jsp”, that enabled remote command execution. They used the webshells to run system commands via GET requests, transfer files, and maintain persistence. In one attack the follow-on tooling included Brute Ratel and the Heaven’s Gate technique to improve stealth and control, pointing to a sophisticated actor aiming for full system compromise and data exfiltration.
The delay between initial access and follow-on activity suggests the attacker may be an initial access broker, selling access on darknet forums through channels such as VPNs, RDP, or exploited vulnerabilities.
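The two-step pattern described above (a POST to the Metadata Uploader followed shortly by a GET to a freshly written JSP) is something a defender can hunt for in HTTP access logs. The following is an added example written for this article, not code from ReliaQuest or SAP; it assumes that files dropped under servlet_jsp/irj/root/ are served beneath the /irj/ URL path, and it runs over constructed log lines in a simplified combined-log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the article or the ReliaQuest report).
SAMPLE_LOG = """\
203.0.113.7 - [23/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200
203.0.113.7 - [23/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200
198.51.100.5 - [23/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200
198.51.100.5 - [23/Apr/2025:10:06:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 200
192.0.2.9 - [23/Apr/2025:11:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOADER = "/developmentserver/metadatauploader"   # endpoint named in the article
# Assumption: files dropped in servlet_jsp/irj/root/ are served under the /irj/ URL path.
JSP_RE = re.compile(r"^/irj/[^/]+\.jsp$", re.IGNORECASE)
KNOWN_JSP = set()               # baseline of legitimate JSPs under /irj/ (assumed empty here)
WINDOW = timedelta(minutes=10)  # how long a prior upload stays "live" for correlation

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text):
    """Return (severity, rule, client_ip, path) findings for the CVE-2025-31324 pattern."""
    findings, last_upload = [], {}   # last_upload: ip -> time of most recent uploader POST
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path.lower() == UPLOADER:
            last_upload[ip] = ts
            # A 200 means the upload was accepted; a 401 shows the authorization check held.
            findings.append(("high" if rec["status"] == 200 else "medium", "uploader_post", ip, path))
        elif rec["method"] == "GET" and JSP_RE.match(path) and path.lower() not in KNOWN_JSP:
            if ip in last_upload and ts - last_upload[ip] <= WINDOW:
                findings.append(("critical", "upload_then_execute", ip, path))
            else:
                findings.append(("high", "unknown_jsp", ip, path))   # JSP outside the baseline
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Populate KNOWN_JSP from a clean system before relying on the unknown_jsp rule, and treat any accepted (200) unauthenticated POST to the uploader as a signal that the patch is missing.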
“In one case, we noticed a considerable delay before the attacker transitioned from initial access to undertaking further actions,” the report expounded. “This hiatus suggests that the attacker could be an initial access dealer procuring and selling access to other threat actors. These dealers typically peddle compromised organization access through mediums such as VPNs, RDP, or by exploiting vulnerabilities on cybercriminal forums.”
Analysts noted similarities between this campaign and earlier exploitation of CVE-2017-9844. Because the affected systems were fully patched, however, the researchers assessed with high confidence that a previously undisclosed RFI flaw in SAP NetWeaver was being exploited.
“Based on the information we have, we hold a high degree of certainty that this involves exploiting an unidentified RFI vulnerability on public SAP NetWeaver servers,” concluded the report. “Currently, it remains unconfirmed whether this affects certain versions of NetWeaver; nonetheless, the observed server was fully up-to-date at the time these techniques were detected.”
(SecurityAffairs – hacking, SAP)
