Critical SAP NetWeaver Vulnerability CVE-2025-31324: What You Need to Know

In April 2025, a severe zero-day vulnerability in SAP NetWeaver, identified as CVE-2025-31324, was publicly disclosed by security researchers at ReliaQuest. The vulnerability, which carries a CVSS score of 10/10, poses a serious threat to thousands of internet-facing applications relying on SAP NetWeaver. With its potential to allow unauthenticated attackers to upload malicious files and execute arbitrary code, the flaw could lead to complete system compromises in targeted SAP environments.

Vulnerability Details

The flaw lies within the SAP NetWeaver Visual Composer Metadata Uploader, which lacks proper authorization checks. This oversight makes it possible for attackers—without any valid credentials—to upload and execute malicious files within a vulnerable SAP system. Once these files are executed, they can wreak havoc, compromising the entire SAP environment.

ReliaQuest’s discovery came after they observed several attacks exploiting this vulnerability. These attacks involved webshells being uploaded and executed on systems, even on those that had been fully patched. A key feature of these attacks is their use of crafted POST and GET requests to plant and trigger malicious JSP webshells in the SAP system’s root directory.

The severity of this vulnerability is amplified by the high value of SAP systems to governments and enterprises worldwide, making them lucrative targets for cybercriminals. In response to the discovery, SAP quickly issued a patch as part of its April 2025 Security Patch Day, but the exploit continues to pose a risk, especially given that some attacks have been successful against fully patched systems.

Attack Methodology and Impact

The exploited vulnerability in the Visual Composer Metadata Uploader enables attackers to upload JSP webshells, often with names such as “helper.jsp” or “cache.jsp,” to the root directory. These webshells then allow the attackers to execute remote commands, upload additional files, and maintain persistence within the compromised system.

One notable aspect of these attacks is their sophistication. Attackers have used advanced techniques, including tools like Brute Ratel and Heaven’s Gate, to enhance stealth and maintain control over the system. These tools suggest a well-organized threat actor aiming for full system compromise and data theft.

Moreover, the attacks show signs of being carried out by initial access brokers, individuals who gain access to systems and then sell that access to other threat actors. The delayed follow-up after the first wave of attacks also suggests that these access brokers may have sold VPN, RDP, or vulnerability access via underground forums.

Ongoing Exploitation and Response

As of May 2025, the vulnerability continues to be actively exploited. Onapsis, in collaboration with Mandiant, observed follow-up attacks leveraging the same vulnerability. Attackers have used the previously established webshells to stage new attacks, further demonstrating the vulnerability’s ongoing exploitation potential.

In response to the widespread attacks, Onapsis has released an open-source scanner designed to detect exploitation attempts. The tool identifies Indicators of Compromise (IoCs), scans for suspicious files, and collects them for further analysis. On May 5, 2025, an updated YARA rule was also released to enhance the detection of these webshells.
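The exploitation pattern described above (a POST to the unauthenticated Metadata Uploader followed by a GET to a freshly planted JSP webshell) can be turned into a simple log correlation rule. The script below is an added example written for this page; it is not code from the article, from Onapsis, or from ReliaQuest. It assumes web access logs in Apache/NCSA combined format and that the uploader is served at UPLOADER_PATH (the path published in the vendor and CISA advisories; adjust it to your landscape). The log lines are constructed sample data.

```python
"""Detect the CVE-2025-31324 upload-then-trigger pattern in HTTP access logs.

Added example for this article, not Onapsis/ReliaQuest code. Assumptions:
combined log format, uploader at UPLOADER_PATH, 10-minute correlation window.
"""
import re
from datetime import datetime, timedelta

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumed endpoint path; adjust
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}            # filenames quoted in the article
WINDOW = timedelta(minutes=10)                        # assumed correlation window

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one source POSTs to the uploader
# and seconds later fetches helper.jsp; the other two sources are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 2048',
    '198.51.100.2 - - [24/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 9000',
    '203.0.113.9 - - [24/Apr/2025:11:30:00 +0000] "GET /irj/index.jsp HTTP/1.1" 200 1500',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def detect(lines):
    """Return (alert_type, ip, path) tuples: uploader POSTs, and JSP GETs that either
    use a known webshell name or follow a POST from the same IP within WINDOW."""
    alerts, last_upload = [], {}  # last_upload: ip -> time of last uploader POST
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].lower().startswith(UPLOADER_PATH):
            last_upload[ev["ip"]] = ev["ts"]
            alerts.append(("upload_attempt", ev["ip"], ev["path"]))
            continue
        name = ev["path"].rsplit("/", 1)[-1].lower()
        if not name.endswith(".jsp"):
            continue
        recent = ev["ip"] in last_upload and ev["ts"] - last_upload[ev["ip"]] <= WINDOW
        if name in KNOWN_SHELLS or (recent and ev["status"] == 200):
            alerts.append(("webshell_access", ev["ip"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Any upload_attempt from an unexpected source, and any webshell_access at all, should be treated as a trigger for file collection and host triage rather than as a final verdict.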

Recognizing the critical nature of this vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2025-31324 in its Known Exploited Vulnerabilities (KEV) catalog. CISA has issued an order for all federal agencies to apply the patch by May 20, 2025, underscoring the importance of swift remediation.

What Undercode Says:

The discovery of CVE-2025-31324 underscores the critical importance of securing enterprise applications against zero-day vulnerabilities. The fact that unauthenticated attackers can gain control over SAP systems by exploiting a simple lack of authorization checks demonstrates how seemingly small oversights can lead to catastrophic outcomes.

SAP NetWeaver, being a core component of enterprise IT infrastructure, holds vast amounts of sensitive data. Its compromise can have far-reaching consequences, from data theft to full system takeovers. Given the high value of SAP systems to both government and private sector entities, this vulnerability is an attractive target for attackers looking to steal intellectual property, sensitive financial data, or conduct cyber-espionage.

The attack methodology, particularly the use of JSP webshells, is a well-known tactic in cyberattacks, indicating that these threat actors are experienced and methodical. The involvement of tools like Brute Ratel and Heaven’s Gate suggests a level of sophistication that is often associated with advanced persistent threat (APT) groups. These groups typically have substantial resources at their disposal and often engage in attacks that are difficult to detect and mitigate.

The involvement of initial access brokers further complicates the threat landscape. These brokers act as intermediaries, selling access to compromised systems, so a single intrusion can be handed on to several different threat actors. It highlights the interconnected nature of modern cyberattacks and the need for comprehensive security measures that go beyond patching known vulnerabilities.

Additionally, the follow-up attacks observed by Onapsis suggest that threat actors are continuously refining their methods and taking advantage of previously established footholds. It is a reminder of the persistence of cybercriminals and the importance of maintaining a proactive security posture, even after patches have been applied.

The response from SAP, along with the proactive steps taken by ReliaQuest and Onapsis, illustrates a collaborative approach to threat mitigation. Security researchers and vendors working together to create detection tools, such as the open-source scanner, play a crucial role in defending against ongoing threats. However, the speed at which attackers are adapting and exploiting this vulnerability indicates that further vigilance is required.

Organizations using SAP systems should prioritize patching CVE-2025-31324 as soon as possible. The fact that CISA has included this vulnerability in its KEV catalog is a clear signal of its severity and the risk it poses to government and private sector entities alike. Regular security assessments and incident response planning will also be essential in minimizing the impact of such vulnerabilities in the future.

Fact Checker Results

CVE-2025-31324 is a critical vulnerability with a CVSS score of 10/10.
SAP has released a patch as part of the April 2025 Security Patch Day.
Onapsis, Mandiant, and CISA are actively involved in detecting and mitigating attacks related to this vulnerability.

Prediction

As the exploitation of CVE-2025-31324 continues to evolve, attackers may refine their tactics, incorporating more advanced techniques to avoid detection. It’s likely that new variants of malicious webshells will emerge, and cybercriminals will leverage compromised SAP systems for even more sophisticated attacks. The continued collaboration between security researchers and vendors will be crucial in staying one step ahead of these threat actors, but the threat is expected to remain high throughout 2025 and beyond. Organizations should remain vigilant and ensure all relevant patches are applied without delay.

References:

Reported By: securityaffairs.com