Rewterz

SAP NetWeaver Zero-Day Enables Webshell Deployment – Active IOCs

Severity

High

Analysis Summary

A critical vulnerability, tracked as CVE-2025-31324, affects the Visual Composer Metadata Uploader component of SAP NetWeaver (Java stack). The component performs no authorization check on uploads, so an unauthenticated attacker can send arbitrary files to the server, have them written to disk, and execute them, which amounts to full compromise of the affected system.

Attackers exploited the flaw by posting JSP webshells to the vulnerable /developmentserver/metadatauploader endpoint, which wrote them into directories served by the application. Once in place, the webshells let an attacker run operating-system commands, upload further files, and retrieve data through a simple web interface. Because this was a zero-day, systems that were fully current on SAP patches at the time were compromised as well: no security update existed until SAP published the fix, so existing controls had nothing to block.

Once inside, the attackers deployed Brute Ratel C4, a commercial command-and-control framework, and injected its payload into legitimate system processes. They also used Heaven's Gate, a technique in which a 32-bit process running under WoW64 switches the CPU into 64-bit mode and calls 64-bit system code directly, sidestepping the user-mode hooks that security products place in the 32-bit API layer. In some cases the attackers waited several days between gaining access and taking further action, a pattern consistent with initial access brokers selling footholds to other groups.

Impact

  • Code Execution
  • Security Bypass

Indicators of Compromise

MD5

  • 630ad52d53b9c4f2b571d3b7c39d6eb7

  • c74c4e67a8e5847a44598ba6be51a6f8

SHA-256

  • 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087

  • 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf

SHA-1

  • 925f6bc2a3fb5bb15a434f5f42196d49f36459e3

  • 411db261a8d11db67aa1e0eeaaa4de5d4e6065c4

Remediation

  • Block all listed threat indicators at your respective security controls.
  • Search your environment for the indicators of compromise (IOCs) above using your respective security controls.
  • Apply the official SAP security patch for CVE-2025-31324 as detailed in SAP Note 3594142.
  • Restrict public access to the /developmentserver/metadatauploader endpoint via firewall rules, SAP Web Dispatcher or reverse-proxy rules, or access control lists; if the patch cannot be applied immediately, disable Visual Composer where it is not in use.
  • Monitor server directories for unauthorized JSP files, especially j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ and the sibling work/ directory.
  • Review HTTP access logs for POST requests to the /developmentserver/metadatauploader endpoint, particularly from external addresses, and for subsequent requests to newly created JSP files.
  • Implement intrusion detection to alert on suspicious activity such as unexpected file uploads, new JSP files, or command execution spawned by the SAP Java server process.
  • Regularly audit SAP NetWeaver systems for signs of compromise, including webshells, unauthorized processes, and code injected into legitimate processes.
  • Limit the use of administrative privileges and enforce the principle of least privilege across all SAP NetWeaver components.
  • Disable or remove unused services and endpoints within SAP NetWeaver to reduce the attack surface.
  • Educate system administrators about this vulnerability and the importance of applying patches promptly.
  • Establish a routine patch management process to ensure timely application of security updates.
  • Engage SAP support or security professionals for guidance on securing SAP NetWeaver environments against known vulnerabilities.
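The following triage script is an added example written for this page; it is not code from Rewterz or from SAP. It turns the exploitation description (webshells dropped via the /developmentserver/metadatauploader endpoint) and the remediation steps above into three concrete checks: hashing every file under the Visual Composer servlet_jsp tree and matching against the IOC hashes listed in this advisory, flagging JSP files that are not on a known-good allowlist, and pulling requests to the vulnerable endpoint out of an HTTP access log. The Common Log Format, the allowlist contents, the `demo` helper and its sample files and log lines are all assumptions constructed for the example.

```python
"""Triage helper for the CVE-2025-31324 activity described in this advisory.

Added example; this is not code from Rewterz or SAP. It covers three checks a
responder would want: hash every file under the Visual Composer servlet_jsp
tree and match against the advisory's IOC hashes, flag JSP files that are not
on a known-good allowlist, and pull requests to /developmentserver/metadatauploader
out of an HTTP access log. The Common Log Format and the allowlist contents
are assumptions; adapt both to the web server and portal build in use.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes copied from the Indicators of Compromise section (MD5, SHA-1, SHA-256).
IOC_HASHES = frozenset({
    "630ad52d53b9c4f2b571d3b7c39d6eb7",
    "c74c4e67a8e5847a44598ba6be51a6f8",
    "925f6bc2a3fb5bb15a434f5f42196d49f36459e3",
    "411db261a8d11db67aa1e0eeaaa4de5d4e6065c4",
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf",
})

VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Common Log Format (assumed): client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def file_hashes(path):
    """Return lowercase MD5, SHA-1 and SHA-256 hex digests of one file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, allowlist=frozenset(), ioc_hashes=IOC_HASHES):
    """Walk `root` and return a finding for every file that matches an IOC hash
    or is a JSP whose path relative to `root` is not in `allowlist`."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hashes = file_hashes(path)
        ioc_hits = sorted(set(hashes.values()) & set(ioc_hashes))
        unexpected_jsp = path.suffix.lower() == ".jsp" and rel not in allowlist
        if ioc_hits or unexpected_jsp:
            findings.append({
                "path": rel,
                "reason": "ioc_hash_match" if ioc_hits else "unexpected_jsp",
                "sha256": hashes["sha256"],
                "ioc_hits": ioc_hits,
            })
    return findings


def endpoint_requests(log_lines, endpoint=VULN_ENDPOINT):
    """Return every parsed request whose path (query string ignored) starts with
    `endpoint`. POSTs are the upload path the exploit uses; GETs are usually
    scanners but are returned too so the analyst can decide."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; adapt LOG_RE for ICM or proxy log formats
        client, ts, method, path, status = m.groups()
        if path.split("?", 1)[0].lower().startswith(endpoint):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "status": int(status)})
    return hits


def demo():
    """Run the checks on constructed sample data: a temporary servlet_jsp tree with
    one allowlisted JSP and one planted JSP, and three made-up access-log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root")
        root.mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- known-good portal page (constructed) --%>\n")
        (root / "planted.jsp").write_text("<%-- stand-in for a dropped webshell (constructed) --%>\n")
        unexpected = scan_tree(root, allowlist={"index.jsp"})
        # Second pass: treat the planted file's own SHA-256 as an IOC to show hash matching.
        planted_sha256 = file_hashes(root / "planted.jsp")["sha256"]
        ioc = scan_tree(root, allowlist={"index.jsp", "planted.jsp"}, ioc_hashes={planted_sha256})
    log = [  # constructed sample lines in Common Log Format
        '203.0.113.7 - - [24/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
        '198.51.100.4 - - [24/Apr/2025:10:14:05 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
        '203.0.113.7 - - [24/Apr/2025:10:14:09 +0000] "GET /irj/planted.jsp?cmd=id HTTP/1.1" 200 64',
    ]
    return {"unexpected": unexpected, "ioc": ioc, "requests": endpoint_requests(log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point `scan_tree` at the instance's servlet_jsp directory with an allowlist built from a clean install of the same portal version, and feed `endpoint_requests` the ICM or reverse-proxy access log after adjusting `LOG_RE` to its format. A hit on an IOC hash is conclusive; an unexpected JSP or a successful external POST to the endpoint is a lead that needs the file contents and surrounding log lines reviewed.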