Full Report
Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. "The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest said in a report published this week. The cybersecurity
Analysis Summary
# Vulnerability: SAP NetWeaver Unauthenticated Remote Code Execution via Metadata Uploader
## CVE Details
- CVE ID: CVE-2025-31324 (the ReliaQuest report predates the CVE assignment; SAP's April 2025 fix for this CVE covers the endpoint described below)
- CVSS Score: 10.0 (Critical)
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type); the root cause is a missing authorization check on the upload endpoint
## Affected Systems
- Products: SAP NetWeaver, specifically the Visual Composer Metadata Uploader component.
- Versions: Not named in the report. Unpatched NetWeaver systems with the Visual Composer development server deployed are affected; ReliaQuest observed compromise on systems that were current on SAP patches at the time, which pointed to a previously unknown (zero-day) flaw rather than a known one.
- Configurations: NetWeaver environments utilizing the `/developmentserver/metadatauploader` endpoint.
## Vulnerability Description
The vulnerability resides in the SAP NetWeaver Visual Composer Metadata Uploader endpoint (`/developmentserver/metadatauploader`). The endpoint does not enforce authorization, so an unauthenticated attacker can POST arbitrary files, including JSP web shells, into paths served by the portal (e.g., `servlet_jsp/irj/root/`), where they are then reachable and executed over HTTP. Successful exploitation gives persistent remote access, remote code execution (RCE) and data exfiltration. Before SAP attributed the activity to CVE-2025-31324, ReliaQuest speculated that it might be tied to an undisclosed remote file inclusion (RFI) issue or to the older CVE-2017-9844.
## Exploitation
- Status: Exploited in the wild; ReliaQuest observed threat actors uploading web shells through this endpoint.
- Complexity: Low. No authentication or user interaction is required, only network reachability to the endpoint.
- Attack Vector: Network
## Impact
- Confidentiality: High (Malicious code execution allows siphoning sensitive data).
- Integrity: High (Enables unauthorized file uploads and persistent control).
- Availability: High (full system compromise; an attacker with code execution can stop services or destroy data).
## Remediation
### Patches
- SAP released an out-of-band fix for CVE-2025-31324 (CVSS 10.0) in April 2025 (SAP Security Note 3594142). Apply that note; systems patched only up to the regular April patch day remain vulnerable.
### Workarounds
- Restrict network access to the NetWeaver Java stack, and in particular block the `/developmentserver/metadatauploader` URI at the reverse proxy or web dispatcher for anything other than trusted administrative networks, until the patch is applied.
- If Visual Composer is not required for business operations, disable or undeploy the Visual Composer development server component so the uploader servlet is no longer served.
## Detection
- **Indicators of Compromise (IoCs):**
- Newly created JSP files in web-served directories, particularly under `servlet_jsp/irj/root/`.
- Post-exploitation use of the Brute Ratel C4 command-and-control framework.
- Use of the "Heaven's Gate" technique (switching a 32-bit process into 64-bit execution) to evade user-mode hooks placed by endpoint security products.
- **Detection Methods and Tools:**
- Monitor web server access logs for POST requests to the `/developmentserver/metadatauploader` URI, especially unauthenticated requests from outside administrative networks, and for requests to `.jsp` files from the same client shortly afterwards.
- File integrity monitoring (FIM) on application directories for unauthorized file creation, especially `.jsp` files under the portal web root.
- Endpoint Detection and Response (EDR) rules for Brute Ratel C4 activity and for unexpected child processes (shells, command interpreters) spawned by the SAP Java server process.
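The log and file checks above, as an added example (not code from ReliaQuest or SAP): it parses a combined-format HTTP access log, flags unauthenticated POSTs to the uploader URI, pairs each with a follow-up `.jsp` request from the same client inside a time window (web shell being invoked), and diffs a directory listing against a baseline to find new `.jsp` files under the portal web root. The log format, the install path under `/usr/sap/PRD/J00/`, the client addresses and the file names are all constructed for the example.

```python
"""Detection helpers for the metadata uploader activity described above.

Added example, not ReliaQuest or SAP code. Assumptions: a combined-format
access log, and the portal web root located under an assumed install path.
"""
import re
from datetime import datetime, timedelta

UPLOADER_URI = "/developmentserver/metadatauploader"
WEB_ROOT_MARKER = "servlet_jsp/irj/root/"

# Assumed combined log format: client - user [ts] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [24/Apr/2025:10:01:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812
198.51.100.7 - - [24/Apr/2025:10:02:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 64
198.51.100.7 - - [24/Apr/2025:10:02:09 +0000] "GET /irj/cmd.jsp?cmd=id HTTP/1.1" 200 233
192.0.2.5 - admin [24/Apr/2025:10:05:44 +0000] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 302 0
"""

# Constructed directory listing and baseline under an assumed install path.
WEB_ROOT = "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/"
BASELINE = {WEB_ROOT + "index.jsp", WEB_ROOT + "logo.png"}
SAMPLE_LISTING = [
    WEB_ROOT + "index.jsp",
    WEB_ROOT + "logo.png",
    WEB_ROOT + "cmd.jsp",          # not in baseline: suspicious
    WEB_ROOT + "readme.txt",       # new but not executable by the JSP engine
    "/usr/sap/PRD/J00/work/dev_server0",
]


def parse_log(text):
    """Parse access log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        ev["path"] = ev["uri"].split("?", 1)[0]  # drop the query string
        events.append(ev)
    return events


def find_uploader_posts(events):
    """POST requests to the uploader endpoint with no authenticated user ('-')."""
    return [
        e for e in events
        if e["method"] == "POST"
        and e["path"].lower() == UPLOADER_URI
        and e["user"] == "-"
    ]


def find_shell_hits(events, window=timedelta(minutes=10)):
    """Pair each uploader POST with a later .jsp request from the same client.

    An upload followed by a request to a JSP from the same source is the
    'drop web shell, then call it' pattern; returns (post, jsp_request) pairs.
    """
    hits = []
    for post in find_uploader_posts(events):
        for e in events:
            if (e["client"] == post["client"]
                    and e["path"].lower().endswith(".jsp")
                    and post["ts"] < e["ts"] <= post["ts"] + window):
                hits.append((post, e))
    return hits


def find_new_jsp_files(listing, baseline):
    """JSP files under the portal web root that are absent from the baseline."""
    return sorted(
        p for p in listing
        if WEB_ROOT_MARKER in p and p.lower().endswith(".jsp") and p not in baseline
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for post, jsp in find_shell_hits(evs):
        print(f"{post['client']}: uploader POST at {post['ts']:%H:%M:%S}, "
              f"then {jsp['path']} at {jsp['ts']:%H:%M:%S}")
    for path in find_new_jsp_files(SAMPLE_LISTING, BASELINE):
        print("new JSP:", path)
```

The window-based pairing is what turns a noisy signal (any request to the URI) into a high-confidence one: a legitimate developer uploading models does not follow up with requests to a freshly created JSP. The listing diff only reports `.jsp` names; broaden the extension check if the server also compiles other templates.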
## References
- ReliaQuest Threat Spotlight via ReliaQuest (defanged): hxxps://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- SAP Security Notes and News (April 2025): hxxps://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
- CVE Record for CVE-2025-31324 via cve.org (defanged): hxxps://www.cve.org/CVERecord?id=CVE-2025-31324