Full Report
SAP has released out-of-band emergency updates for NetWeaver to fix an actively exploited remote code execution (RCE) vulnerability used to hijack servers. [...]
Analysis Summary
# Vulnerability: Critical Unauthenticated File Upload Leading to RCE in SAP NetWeaver
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: Not explicitly provided, but described as **critical** and leading to **full Remote Code Execution (RCE)**.
- CWE: Likely relates to Improper Restriction of Uploaded File Types or Path Traversal (based on context of file upload leading to RCE).
## Affected Systems
- Products: SAP NetWeaver (specifically impacting the Visual Composer Framework)
- Versions: **Visual Composer Framework 7.50** (The flaw exists even on systems previously patched with the regular April 2025 update.)
- Configurations: Any exposed SAP NetWeaver instance utilizing the vulnerable Visual Composer Framework version.
## Vulnerability Description
The vulnerability is an unauthenticated file upload flaw residing within the SAP NetWeaver Visual Composer Framework. Attackers can abuse built-in functionality associated with the `/developmentserver/metadatauploader` endpoint to upload arbitrary files to the SAP NetWeaver instance. Successful exploitation leads to unauthenticated **Remote Code Execution (RCE)** and total system compromise.
## Exploitation
- Status: **Exploited in the wild**
- Complexity: **Low** (Exploitation does not require authentication.)
- Attack Vector: **Network**
**Post-Exploitation Details:** Attackers were observed deploying the 'Brute Ratel' red team tool, using the 'Heaven's Gate' security bypass technique, and injecting MSBuild-compiled code into `dllhost.exe` for stealth. Threat actors are confirmed to be dropping web shell backdoors onto exposed systems.
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
This vulnerability was addressed via an **emergency security update** released *after* SAP's regular April 2025 update cycle.
- **Apply the latest emergency patch** that addresses CVE-2025-31324. (The specific patch version is not detailed; refer to the latest SAP security bulletin covering this emergency fix.)
### Workarounds
If immediate patching is not possible:
1. **Restrict access** to the `/developmentserver/metadatauploader` endpoint.
2. If Visual Composer is not in use, **consider turning it off entirely**.
3. Forward system logs to a SIEM and **scan for unauthorized files** in the servlet path (especially as part of post-exploitation cleanup). ReliaQuest recommends performing a deep environment scan to locate and delete suspect files *before* applying other mitigations.
## Detection
- Indicators of Compromise: Presence of web shell backdoors, unauthorized files in the servlet path, execution of 'Brute Ratel' components, or injected code within `dllhost.exe`.
- Detection Methods and Tools: Monitor network traffic targeting the `/developmentserver/metadatauploader` endpoint for unusual uploads. Use SIEM integration to analyze logs, and scan the filesystem for suspicious binaries or scripts.
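
The log-monitoring step above can be prototyped before a SIEM rule exists. The following is an added example, not part of the original report or any SAP or ReliaQuest tooling: it scans HTTP access log lines for requests that reach the endpoint, normalizing case, percent-encoding and duplicate slashes first. It assumes Common/Combined Log Format; the sample lines, the `scan` and `normalize_path` names and the severity labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the report above.
ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: logs are in Common/Combined Log Format; adapt the regex otherwise.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Drop the query string, decode percent-encoding (twice, to catch
    double encoding), collapse repeated slashes and lowercase the path."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).lower()

def scan(lines):
    """Return one finding per request that touches the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in normalize_path(m["target"]):
            continue
        status = int(m["status"])
        # Triage heuristic (assumption): a body-carrying request that the
        # server accepted is looked at first; everything else is reviewed.
        accepted_upload = m["method"] in ("POST", "PUT") and 200 <= status < 300
        findings.append({
            "src": m["src"], "time": m["ts"], "method": m["method"],
            "status": status, "severity": "high" if accepted_upload else "review",
        })
    return findings

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120',
    '203.0.113.7 - - [25/Apr/2025:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [25/Apr/2025:10:05:40 +0000] "POST /DevelopmentServer/%6DetadataUploader?x=1 HTTP/1.1" 403 0',
    '198.51.100.23 - - [25/Apr/2025:10:06:00 +0000] "GET //developmentserver//metadatauploader HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each `high` finding gives a source address and timestamp to correlate with the filesystem scan for unauthorized files in the servlet path.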
## References
- Vendor Advisories: SAP Security Note related to the April 2025 emergency update cycle (check the SAP Support Portal for the latest note detailing CVE-2025-31324).
- Relevant links - defanged:
  - bleepingcomputer com/news/security/sap-fixes-critical-netweaver-flaw-exploited-in-attacks/
  - sap support com/en/my-support/knowledge-base/security-notes-news/april-2025 html (For context on the regular update cycle)