THE THREAT
On April 24th, SAP disclosed a maximum severity vulnerability impacting SAP NetWeaver systems. The vulnerability was initially reported to SAP by researchers from ReliaQuest, who confirmed that exploitation was ongoing prior to the release of security patches.
CVE-2025-31324 (CVSS: 10) is a missing authorization vulnerability found in SAP NetWeaver (Visual Composer development server), version 7.50. Unauthenticated threat actors may exploit the vulnerability to upload malicious executable binaries, leading to a compromise of the host system.
As exploitation of CVE-2025-31324 has been confirmed, it is critical that organizations apply the relevant security patches immediately.
What we’re doing about it
- eSentire has performed threat hunts across the client base to identify signs of compromise
- eSentire MDR for Network has rules in place to identify malicious webshells
- eSentire MDR for Network and Endpoint have detections in place to identify Brute Ratel activity
- The eSentire Tactical Threat Response team has developed new detections to identify webshells deployed via CVE-2025-31324
- Detection engineering for other security products is ongoing
- eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to detect this vulnerability as they become available
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant security patches provided by SAP
- Review any suspicious file uploads and confirm that no malicious webshells have been uploaded
- If patching is not immediately possible, consider taking the following actions:
- Disable the Visual Composer Metadata Uploader
- Disable the application alias “developmentserver”
- Restrict access to the development server application URL
Additional information
SAP NetWeaver provides organizations a platform to integrate data, business processes, elements, and more from a variety of sources into unified SAP environments. It is commonly used by government agencies and is known to be widely used across multiple companies in the United States.
On April 22nd, ReliaQuest published a detailed report on its investigations into incidents involving the compromise of the SAP NetWeaver platform across multiple customers. The activity was initially suspected to be a remote file inclusion issue but was later categorized as an unrestricted file upload vulnerability and identified as CVE-2025-31324 by SAP.
The investigations revealed the vulnerability resides in the “developmentserver/metadatauploader” endpoint. It is a feature responsible for application development and configuration within SAP applications in the NetWeaver environment. The attackers exploited the feature by uploading malicious Java Server Pages (JSP) webshells through POST requests to the developmentserver. The webshells were uploaded to the “j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/” directory and executed via GET requests. This enabled the attackers to gain full access to the compromised endpoint and carry out post-exploitation activities. The main purpose of the JSP webshells was allowing attackers to upload unauthorized files, gain additional control over compromised systems, execute remote code, and potentially exfiltrate sensitive data by storing it in publicly accessible directories.
The attackers deployed Brute Ratel, a Command-and-Control (C2) framework, typically used by penetration testers. Brute Ratel was retrieved from an external server and was leveraged to inject malicious code into the compromised system’s memory. The framework allowed attackers to maintain C2 access over compromised systems, customize payloads, and perform various post-exploitation activities. A memory manipulation technique, called Heaven’s Gate was implemented by the attackers to evade detection.
ReliaQuest noted a significant delay between the initial access and post-exploitation activities, leading to the conclusion that the attacker is likely an Initial Access Broker (IAB), who gained access for the purpose of selling it to other threat actors.
SAP solutions are mostly deployed on-premises, making users responsible for ensuring those are updated and patched in a timely manner. Government entities using SAP solutions are at significant risk, as attackers may target them to gain access to sensitive data. It is critical for the organizations using vulnerable instances of SAP NetWeaver to promptly apply relevant security patches.
Impacted Versions List:
-
SAP NetWeaver (Visual Composer development server), version 7.50
|
Indicators of Compromise (IOCs) Identified by ReliaQuest
|
|
1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
|
SHA256 Hash (Helper.jsp webshell)
|
|
794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
|
SHA256 Hash (Cache.jsp webshell)
|
References:
[1] https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
[2] https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-31324
[4] https://attack.mitre.org/software/S1063/
[5] https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
