Full Report
CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. (Source: Unit 42, "Threat Brief: CVE-2025-31324".)
Analysis Summary
# Vulnerability: SAP NetWeaver Visual Composer Remote Code Execution via Unauthenticated File Upload
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: Missing Authorization (inferred from the unauthenticated file upload; no CWE number is cited in the source text)
## Affected Systems
- Products: SAP NetWeaver Application Server Java (specifically the Visual Composer Framework component, VCFRAMEWORK)
- Versions: 7.50
- Configurations: Systems where the Visual Composer Framework component is installed.
## Vulnerability Description
CVE-2025-31324 is a critical vulnerability stemming from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer Framework (VCFRAMEWORK). An unauthenticated user can send specially crafted HTTP requests to the exposed endpoint `/developmentserver/metadatauploader`. This flaw allows the attacker to upload arbitrary files directly to the application server's file system, typically within accessible web directories (e.g., under `/irj/servlet_jsp/irj/root/`). Successful file upload of a web shell (e.g., a JSP file) enables the attacker to execute arbitrary operating system commands with the privileges of the SAP application server process (e.g., `sidadm`), leading to complete system compromise.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (Requires only sending crafted HTTP requests; no authentication needed)
- Attack Vector: Network
## Impact
- Confidentiality: High (Full system compromise allows access to all data)
- Integrity: High (Ability to execute commands and modify system files)
- Availability: High (Ability to take the system offline or modify critical services)
## Remediation
### Patches
- Refer to official SAP documentation for guidance on applying security updates for CVE-2025-31324. (Specific patch version information was not provided in the summary text, but immediate patching is implied by the criticality.)
### Workarounds
- No explicit workarounds were provided, though the vulnerability relies on the accessibility of the `/developmentserver/metadatauploader` endpoint.
## Detection
- **Indicators of Compromise (IOCs):**
  - Presence of files such as `helper.jsp`, `cache.jsp`, `usage.jsp`, or other non-standard web shells in web application directories.
  - Observed malicious file hashes (e.g., `598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0` for `ansgdhs.bat`, or hashes related to GOREVERSE or SSH SOCKS proxy tools).
  - Network traffic targeting the `/developmentserver/metadatauploader` endpoint.
  - Execution of custom tools such as the GOREVERSE reverse shell, or Base64-encoded PowerShell scripts designed to establish reverse connections.
- **Detection Methods and Tools:**
  - Next-Generation Firewall with Advanced Threat Prevention subscription using **Threat Prevention signature 96181**.
  - Cortex XDR and XSIAM using **Anti-Webshell Protection** to detect web shell deployment and command execution.
  - Advanced URL Filtering and Advanced DNS Security to block known C2 infrastructure.
  - Cortex Xpanse/ASM to discover if these SAP NetWeaver applications are exposed publicly.
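The indicators above can be turned into a first-pass hunt for teams without the listed products. The following Python script is an added example, not code from Unit 42 or SAP: it parses access-log lines in Apache combined format (an assumed format; the HTTP logs of the SAP Java stack may differ and the regex would need adjusting), flags requests to the uploader endpoint and to the reported web shell names, and classifies files found under the cited web root by name, by the SHA-256 IOC quoted above, and by a simple command-execution marker. The log lines and file contents are constructed, and the `ProcessBuilder`/`Runtime.exec` heuristic is an assumption of this example, not an indicator from the brief.

```python
"""Added hunting helpers for CVE-2025-31324 activity (example code, not Unit 42's or SAP's)."""
import hashlib
import re
from pathlib import PurePosixPath

# Endpoint abused by the unauthenticated upload, as named in the brief.
TARGET_ENDPOINT = "/developmentserver/metadatauploader"
# Directory the brief cites as where uploaded files were observed to land.
WEBROOT_PREFIX = "/irj/servlet_jsp/irj/root/"
# Web shell file names reported in the brief.
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp", "usage.jsp"}
# SHA-256 IOC quoted in the brief, keyed by digest.
IOC_SHA256 = {
    "598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0": "ansgdhs.bat",
}

# Apache/NCSA combined-style access log line (assumed log format; adapt to your source).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines):
    """Return one finding per request that hits the uploader endpoint or a reported web shell name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()  # strip query string, normalise case
        method, status = m.group("method"), int(m.group("status"))
        if path.rstrip("/") == TARGET_ENDPOINT:
            reason = "request to metadata uploader endpoint"
            # A successful POST is the upload itself; anything else may be probing.
            severity = "high" if method == "POST" and status < 400 else "medium"
        elif path.startswith(WEBROOT_PREFIX) and PurePosixPath(path).name in KNOWN_WEBSHELL_NAMES:
            reason = f"request to reported web shell name {PurePosixPath(path).name}"
            severity = "high"
        else:
            continue
        findings.append({"client": m.group("client"), "timestamp": m.group("ts"),
                         "method": method, "status": status, "reason": reason, "severity": severity})
    return findings


def classify_webroot_file(path, content):
    """Return the reasons a file found under the web root looks suspicious (empty list = nothing matched)."""
    reasons = []
    p = PurePosixPath(path)
    digest = hashlib.sha256(content).hexdigest()
    if digest in IOC_SHA256:
        reasons.append(f"sha256 matches IOC for {IOC_SHA256[digest]}")
    if p.name.lower() in KNOWN_WEBSHELL_NAMES:
        reasons.append(f"file name {p.name} matches a reported web shell")
    if p.suffix.lower() == ".jsp" and str(p).startswith(WEBROOT_PREFIX):
        # Assumed heuristic (not from the brief): a JSP with a novel name can still be a shell,
        # so flag ones that reach for OS command execution and review them by hand.
        text = content.decode("utf-8", errors="replace")
        if re.search(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", text):
            reasons.append("JSP invokes Runtime.exec/ProcessBuilder (command execution)")
    return reasons


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:12:33 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:10:13:01 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '203.0.113.5 - - [25/Apr/2025:10:14:10 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['timestamp']} {f['client']} {f['method']} {f['status']}: {f['reason']}")
    # Constructed file contents standing in for files read from the web root.
    for name, body in [("usage.jsp", b"<% %>"), ("index.jsp", b"<html></html>")]:
        print(name, classify_webroot_file(WEBROOT_PREFIX + name, body) or "clean")
```

In practice, feed `scan_access_log` the reverse proxy or load balancer logs in front of the SAP system as well as the application server's own logs, since the upload request may be logged only at the edge, and pair a `classify_webroot_file` sweep of the web root with a file-creation timeline so that a JSP written shortly after a POST to the uploader endpoint stands out even under a name not yet reported.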
## References
- Vendor Advisories: SAP Disclosure (April 24, 2025)
- Relevant Links: Unit 42 Threat Brief (May 9, 2025)