SAP NetWeaver Visual Composer is under active attack via a critical zero-day vulnerability (CVE-2025-31324), enabling unauthenticated remote code execution (RCE) through malicious file uploads.
With over 10,000 internet-facing SAP systems potentially exposed, attackers are exploiting this flaw to deploy webshells and advanced post-exploitation tools like Brute Ratel.
Here’s a technical breakdown of the threat and mitigation strategies.
Active Exploitation of SAP NetWeaver Visual Composer CVE-2025-31324
CVE-2025-31324 (CVSS 10.0) stems from a missing authorization check in SAP NetWeaver Visual Composer’s Metadata Uploader component.
The /developmentserver/metadatauploader endpoint allows unauthenticated attackers to upload arbitrary files, including JSP webshells, to directories such as j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/. Because that directory is served by the portal web application, the uploaded JSP can then be executed with a simple HTTP GET request, giving the attacker code execution on the host.
Affected systems include SAP NetWeaver AS Java VCFRAMEWORK 7.50 and later versions. While Visual Composer isn’t enabled by default, it’s widely deployed in enterprise environments for low-code application development.
Attackers exploit the flaw using crafted POST requests, such as:
```http
POST /developmentserver/metadatauploader HTTP/1.1
Host: [target]
Content-Type: multipart/form-data

[malicious JSP webshell payload]
```
Successful exploitation enables immediate RCE, often followed by lateral movement using tools like Brute Ratel.
Observed Attack Patterns and Indicators of Compromise
Since March 2025, attackers have targeted manufacturing firms, uploading randomly named webshells (e.g., cglswdjp.jsp, ijoatvey.jsp) to evade detection.
Key IoCs include:
- Files: Unauthorized JSP files in the SAP Java server directories j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ and j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/
- Tools: The Brute Ratel C2 framework and the Heaven's Gate technique, which evades EDR hooks by switching between 32-bit and 64-bit execution contexts.
- Processes: MSBuild-compiled code injected into dllhost.exe.
ReliaQuest observed attackers using the webshells to execute commands like:
```cmd
cmd /c move C:\temp\output.txt C:\ProgramData\
```
followed by compiling malicious payloads with the built-in .NET build tool:
```cmd
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
```
Because MSBuild is a signed Microsoft binary that compiles and runs the attacker's project file in place, this living-off-the-land step gives stealthy persistence and a foothold for network pivoting.
Mitigation and Response Strategies
- Patch Immediately: Apply SAP’s emergency fix (Security Note #3594142). Note that standard April 2025 patches don’t address this flaw.
- Disable Vulnerable Components:
  - Remove the developmentserver alias via SAP NetWeaver filters.
  - Block /developmentserver/metadatauploader at the firewall or reverse proxy.
- Hunt for Compromise:
  - Scan for unexpected JSP files in j2ee/cluster/apps/ subdirectories.
  - Monitor for anomalous processes like dllhost.exe executing .NET payloads.
- Logging: Forward SAP NetWeaver logs to a SIEM to detect unauthorized file uploads.
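As an added example (not code from the article, ReliaQuest, Rapid7 or SAP), the following Python script applies the "Hunt for Compromise" and "Logging" items above to an HTTP access log: it flags requests to the Metadata Uploader endpoint, distinguishes accepted POSTs from rejected probes, and correlates later requests for JSP files served from the irj web root with the client that performed the upload. It assumes NCSA Common Log Format (the SAP ICM HTTP log can be configured to emit it), assumes that a file dropped into .../irj/servlet_jsp/irj/root/ is requested as /irj/<name>.jsp, and uses an eight-lowercase-letter filename heuristic derived from the two sample names above; all three are assumptions, and the log lines are constructed, not real traffic.

```python
"""Hunt an HTTP access log for CVE-2025-31324 exploitation traffic.

Assumptions (not from the original article):
  * the log is in NCSA Common Log Format (e.g. SAP ICM with LOGFORMAT=CLF);
  * a JSP dropped into .../irj/servlet_jsp/irj/root/ is requested as
    /irj/<name>.jsp;
  * the observed webshell names (cglswdjp.jsp, ijoatvey.jsp) generalise to
    eight lowercase letters; this is a heuristic, not a signature.
"""
import re
from collections import defaultdict

UPLOADER = "/developmentserver/metadatauploader"

# One CLF record: client, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# A JSP served straight from the irj web root; normal portal traffic goes
# through /irj/portal and /irj/servlet/..., not top-level .jsp files (assumption).
ROOT_JSP_RE = re.compile(r'^/irj/[^/?]+\.jsp(?:[?;].*)?$', re.IGNORECASE)

# Shape of the two webshell names quoted in the article; heuristic only.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.jsp$')


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["url_path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def _finding(rule, severity, rec, **extra):
    out = {"rule": rule, "severity": severity, "ip": rec["ip"], "ts": rec["ts"],
           "method": rec["method"], "path": rec["path"], "status": rec["status"]}
    out.update(extra)
    return out


def hunt(log_text):
    """Scan log text (oldest line first) and return a list of findings."""
    findings = []
    uploaders = defaultdict(int)  # client ip -> accepted uploads seen so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["url_path"] == UPLOADER:
            # Any hit on the uploader deserves a look. An accepted POST is the
            # exploitation signature: the patched component requires
            # authorization here, so a 2xx from an anonymous client is bad news.
            if rec["method"] == "POST" and 200 <= rec["status"] < 300:
                uploaders[rec["ip"]] += 1
                findings.append(_finding("upload_accepted", "critical", rec))
            else:
                findings.append(_finding("uploader_probe", "medium", rec))
        elif ROOT_JSP_RE.match(rec["path"]):
            # A JSP under the irj root is the file drop the article describes.
            # From a client that already uploaded, treat it as webshell use.
            name = rec["url_path"].rsplit("/", 1)[-1]
            sev = "critical" if uploaders[rec["ip"]] else "high"
            findings.append(_finding("root_jsp_access", sev, rec,
                                     random_name=bool(RANDOM_NAME_RE.match(name))))
    return findings


# Constructed sample lines (not real traffic): normal portal use, an accepted
# upload followed by a command to a randomly named JSP, and a rejected POST.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:08:01:10 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:08:02:31 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 94
203.0.113.7 - - [24/Apr/2025:08:02:45 +0000] "GET /irj/cglswdjp.jsp?cmd=whoami HTTP/1.1" 200 312
10.0.0.9 - - [24/Apr/2025:08:05:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 8700
198.51.100.2 - - [24/Apr/2025:09:10:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['rule']:16} {f['ip']:14} "
              f"{f['method']} {f['path']} -> {f['status']}")
```

Run against a real ICM log, the same rules work unchanged provided the log is in CLF; an "upload_accepted" finding from the internet, or any "root_jsp_access" with random_name set, should go straight to the filesystem scan of the two servlet_jsp directories listed above.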
SAP advises checking http://host:port/nwa/sysinfo for the VCFRAMEWORK.SCA component to determine exposure; systems without this component are unaffected.
Summary: CVE-2025-31324 poses severe risks to SAP environments, with exploitation enabling full system takeover.
Organizations must prioritize patching, restrict access to vulnerable endpoints, and audit for webshells.
Rapid7 and ReliaQuest have published detection rules for InsightIDR and MDR customers to identify post-exploitation activity.