Full Report
Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers. [...]
Analysis Summary
# Vulnerability: Actively Exploited Flaw in SAP NetWeaver Allowing Remote Access
## CVE Details
- CVE ID: CVE-2025-31324 (inferred from context: the article's title does not name a CVE, but the RedRays scanner it references is built for CVE-2025-31324.)
- CVSS Score: Not stated numerically in the text; the article describes the flaw as maximum severity, consistent with active exploitation and impact on major enterprises.
- CWE: Not explicitly provided in the text.
## Affected Systems
- Products: SAP NetWeaver
- Versions: Unspecified, but systems exposed online are vulnerable.
- Configurations: Web-exposed SAP NetWeaver instances. Over 1,200 instances were reported exposed online.
## Vulnerability Description
A critical security flaw exists within SAP NetWeaver that is being actively exploited by threat actors. The exploit allows these actors to upload webshells onto vulnerable servers. The specific mechanism appears related to an endpoint, **/developmentserver/metadatauploader**, utilized by the **Visual Composer** component.
## Exploitation
- Status: **Actively exploited in the wild**. Onyphe reported 474 vulnerable servers already compromised with webshells (e.g., "cache.jsp", "helper.jsp", or randomly named files).
- Complexity: Implied to be relatively low, given the widespread nature of the exposure and compromise reports.
- Attack Vector: Network (Remote exploitation).
## Impact
- Confidentiality: High (Implied, as webshells provide attacker persistence and access).
- Integrity: High (Implied, attackers can alter system functions via webshells).
- Availability: Medium to High (Loss of control, or potential for denial of service).
## Remediation
### Patches
- Apply the **latest security update** provided by SAP, following the instructions in the vendor's security bulletin. (Specific patch versions not listed, refer to SAP bulletin).
### Workarounds
1. Restrict access to the `/developmentserver/metadatauploader` endpoint.
2. If Visual Composer is not in use, consider disabling it entirely.
3. Forward logs to a SIEM system and actively scan the servlet path for unauthorized files.
## Detection
- **Indicators of Compromise (IoCs):** Presence of webshell files in the servlet path, specifically files named "cache.jsp" or "helper.jsp", or other randomly named files dropped by threat actors.
- **Detection Methods and Tools:** Forwarding logs to a SIEM for anomalous activity review; using the scanner tool released by RedRays designed specifically for CVE-2025-31324.
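As an added illustration of the two detection steps above (not code from the article or from RedRays' scanner), the following Python script checks a servlet directory for JSP files outside a hypothetical allowlist and flags access-log requests to the metadata uploader endpoint. The directory tree, the allowlist and the log lines are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Constructed baseline: JSP files an administrator has verified as legitimate
# under the servlet path. Hypothetical allowlist, not an SAP-published inventory.
KNOWN_GOOD_JSP = {"index.jsp", "status.jsp"}

# Common-log-style access line; the endpoint is the one named in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

def find_unexpected_jsp(servlet_root, known_good=KNOWN_GOOD_JSP) -> list:
    """Return paths (relative to servlet_root) of .jsp files not on the allowlist."""
    root = Path(servlet_root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.jsp")
                  if p.name not in known_good)

def flag_upload_requests(log_lines) -> list:
    """Return parsed entries for requests to the metadata uploader endpoint.
    Successful (2xx) POSTs are the ones to triage first: a webshell drop
    would appear as such a request followed by a new .jsp on disk."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("path").split("?")[0].rstrip("/").lower() == UPLOAD_ENDPOINT:
            entry = m.groupdict()
            entry["likely_upload"] = entry["method"] == "POST" and entry["status"].startswith("2")
            flagged.append(entry)
    return flagged

def build_sample_tree() -> str:
    """Create a constructed servlet directory: one legitimate JSP and two suspicious ones."""
    root = tempfile.mkdtemp(prefix="servlet_")
    for rel in ("index.jsp", "cache.jsp", "sub/helper.jsp"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<%-- constructed sample --%>")
    return root

# Constructed access-log lines (sample data, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:10:12:05 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
    '203.0.113.5 - - [25/Apr/2025:10:12:09 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print(find_unexpected_jsp(build_sample_tree()))
    for e in flag_upload_requests(SAMPLE_LOG):
        print(e["ip"], e["method"], e["status"], "likely_upload=" + str(e["likely_upload"]))
```

Point the first function at the real servlet path and feed the second the web server's access log; a successful POST to the endpoint followed by an unlisted .jsp appearing is the pattern to escalate.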
## References
- Vendor Advisory: SAP Security Bulletin (Instructions referenced in the text).
- Shadowserver Foundation reporting: hxxps://x[.]com/Shadowserver/status/1916530172485845090
- Onyphe exposure data: hxxps://www[.]onyphe[.]io/
- RedRays Scanner: hxxps://github[.]com/redrays-io/CVE-2025-31324/blob/main/Scanner_CVE-2025-31324[.]py