Pierluigi Paganini
May 06, 2025
In April, ReliaQuest researchers warned that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is potentially being exploited. Thousands of internet-facing applications are potentially at risk.
The flaw in SAP NetWeaver Visual Composer Metadata Uploader stems from a lack of proper authorization checks. This means that unauthenticated attackers, those without valid credentials, can exploit it to upload malicious executable files to the system.
Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw with the release of the April 2025 Security Patch Day.
Researchers from ReliaQuest discovered the vulnerability while investigating multiple attacks, some of which led to the compromise of fully patched systems.
The researchers pointed out that SAP systems are high-value targets for attackers due to their use by governments and enterprises. ReliaQuest reported the critical vulnerability to SAP, which led to a patch release. Before public disclosure, ReliaQuest deployed detection mechanisms and enhanced threat visibility to protect customers.
Attackers exploited the Metadata Uploader to upload malicious JSP webshells using crafted POST requests, then executed them with GET requests to gain full control of the target systems. All webshells were deployed in the same root directory, had similar capabilities, and reused code from a public GitHub RCE project.
Attackers exploited the servlet_jsp/irj/root/ path to plant JSP webshells, often named like “helper.jsp” or “cache.jsp,” enabling remote command execution. Attackers used the webshells to run system commands via GET requests, upload files, and maintain persistence. One variant used in one of the attacks relied on Brute Ratel and Heaven’s Gate to enhance stealth and control, signaling a sophisticated threat aimed at full system compromise and data theft.
The delayed follow-up after initial access suggests the attacker may be an initial access broker, likely selling access via VPN, RDP, or vulnerabilities on forums.
This week, Onapsis researchers observed a second wave of attacks tha same vulnerability.
“As of May 5, 2025, Onapsis Research Labs and other security firms are seeing evidence of follow-up, opportunistic attackers using previously established webshells from the prior attack campaign in order to stage new attacks.” reads the report published by Onapsis.
Onapsis, in collaboration with Mandiant, released an open-source scanner to detect exploitation attempts for CVE-2025-31324. It finds IoCs, scans for suspicious files, and collects them for analysis. On May 5, the company provided an updated YARA rule to improve the detection of webshell amid widespread exploitation
At the end of April, the US cybersecurity agency CISA added the vulnerability CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV), ordering federal agencies to patch it by May 20, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SAP NetWeaver)
