Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks

  • Rescana

Executive Summary

The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the cybersecurity sector. The vulnerability, identified as CVE-2025-31324, is a critical unauthenticated file upload flaw that permits remote code execution and can lead to full system compromise. It has been actively exploited, primarily against the manufacturing sector, posing serious threats to data integrity and operational continuity.

Technical Information

CVE-2025-31324 affects the Metadata Uploader component of SAP NetWeaver Visual Composer. It allows an unauthenticated attacker to upload malicious executable files, which leads to remote code execution (RCE) and potential full system compromise. The vulnerable endpoint is '/developmentserver/metadatauploader', which attackers have used to deploy JSP webshells. These webshells provide unauthorized command execution and file management on the host, leaving the system open to further exploitation.

The attack begins with initial exploitation, in which attackers upload JSP webshells with no authentication required. In the post-exploitation phase, attackers have been observed using the Brute Ratel red team tool and the Heaven's Gate technique to bypass security checks. Code injection into dllhost.exe via MSBuild has also been observed as a stealth measure, which complicates detection.

Reports from ReliaQuest and watchTowr confirm active exploitation, with multiple customers compromised despite having systems fully patched against known vulnerabilities, indicating the zero-day nature of this threat. The BleepingComputer article (https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/) offers an in-depth view of the incident, corroborated by findings from Rapid7 and Onapsis. Detailed observations show the deployment of webshells with random names to maintain access, primarily affecting manufacturing sectors.

Exploitation in the Wild

Exploitation in the wild has involved unauthorized uploads of JSP webshells that are then triggered for remote code execution through simple HTTP GET requests. Indicators of Compromise (IOCs) include anomalous file uploads to the '/developmentserver/metadatauploader' endpoint, unexpected execution of JSP scripts, and unusual network traffic patterns indicative of webshell activity.
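As an added illustration of the log-based indicators listed above (example code written for this page, not tooling from Rescana or from the cited reports), the script below parses constructed access-log lines in Common Log Format, flags every request to the '/developmentserver/metadatauploader' endpoint, flags requests for .jsp files that are absent from a baseline list, and raises the severity when the same source address hit the uploader first and then requested an unknown JSP. The log lines, IP addresses, file names and the KNOWN_JSP baseline are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in Common Log Format. The addresses, timestamps
# and file names are invented for this example and do not come from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [25/Apr/2025:10:01:09 +0000] "GET /irj/servlet/prt/portal/prtroot/xk3f9q.jsp HTTP/1.1" 200 88
198.51.100.7 - - [25/Apr/2025:10:02:15 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.7 - - [25/Apr/2025:10:02:18 +0000] "GET /irj/portal/welcome.jsp HTTP/1.1" 200 2048
192.0.2.44 - - [25/Apr/2025:10:03:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 128
"""

# Endpoint named in the advisory; any request to it deserves review, especially
# where Visual Composer is not in use.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Hypothetical baseline of JSP files expected on this portal (an assumption for the
# example; a real baseline would come from a known-good deployment inventory).
KNOWN_JSP = {"/irj/portal/welcome.jsp"}

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string before matching
    return rec


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return findings for uploader-endpoint access and unexpected JSP requests, in log order."""
    findings: List[Dict[str, str]] = []
    uploader_sources = set()  # sources that touched the uploader earlier in the log
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if path.lower() == UPLOADER_PATH:
            uploader_sources.add(rec["src"])
            findings.append({"severity": "medium", "rule": "metadatauploader_access",
                             "src": rec["src"], "method": rec["method"],
                             "path": path, "ts": rec["ts"]})
        elif path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            # A JSP outside the baseline is suspicious on its own; a request for it from a
            # source that previously hit the uploader matches the upload-then-trigger
            # pattern described in the advisory and is ranked higher.
            followed_upload = rec["src"] in uploader_sources
            findings.append({"severity": "high" if followed_upload else "medium",
                             "rule": "upload_then_jsp" if followed_upload else "unexpected_jsp",
                             "src": rec["src"], "method": rec["method"],
                             "path": path, "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['src']:14} {f['method']} {f['path']}")
```

Run against the embedded sample, the script reports the POST to the uploader, the follow-up GET for the randomly named JSP from the same address as high severity, and the later unauthenticated GET to the uploader from a third address; the baseline welcome.jsp request is ignored. In a SIEM the same three rules map directly onto the IOCs the section lists, with the correlation rule being the one worth alerting on first.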

APT Groups using this vulnerability

While specific APT groups exploiting CVE-2025-31324 have not been explicitly named, the sophisticated techniques observed suggest involvement from advanced persistent threat actors. These actors leverage the vulnerability to gain unauthorized access and deploy their payloads stealthily.

Affected Product Versions

The affected product version is SAP NetWeaver Visual Composer 7.50. Organizations using this version should prioritize applying the necessary patches and mitigation strategies to safeguard their systems.

Workaround and Mitigation

To mitigate the risks associated with CVE-2025-31324, organizations should immediately apply the emergency security update released by SAP. Access to the '/developmentserver/metadatauploader' endpoint should be restricted. If Visual Composer is not in use, consider disabling it entirely to eliminate the attack vector. It is crucial to forward logs to a Security Information and Event Management (SIEM) system and conduct scans for unauthorized files in the servlet path. A comprehensive environment scan is recommended to identify and remove suspicious files before implementing these mitigations.
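For the "scan for unauthorized files in the servlet path" step, an added example (written for this page, not SAP or Rescana tooling): it walks a directory standing in for the servlet path, reports every file with a servlet-type extension that is missing from a baseline inventory, and hashes each hit so the value can be compared against published IOC lists before the file is removed. The directory tree, file names, file contents and baseline set are constructed for the demonstration; the real servlet path and baseline must come from the organization's own deployment records.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# File types that do not belong in a servlet directory unless they were deployed on purpose.
SUSPECT_SUFFIXES = {".jsp", ".jspx", ".jar", ".class", ".war"}


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large archives do not have to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_servlet_path(root: Path, baseline: Set[str]) -> List[Dict[str, str]]:
    """Report every file under `root` with a suspect suffix whose relative path is not in `baseline`.

    `baseline` holds POSIX-style paths relative to `root`, as recorded from a known-good deployment.
    """
    findings: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel in baseline:
            continue
        findings.append({"path": rel, "sha256": file_sha256(path),
                         "size": str(path.stat().st_size)})
    return findings


def build_demo_tree(root: Path) -> Set[str]:
    """Create a constructed tree standing in for a servlet path; return the baseline of expected files.

    Everything here is invented for the example: the legitimate page, the compiled class and the
    unexpected randomly named JSP are all inert placeholder content.
    """
    (root / "prtroot").mkdir(parents=True)
    (root / "prtroot" / "welcome.jsp").write_text("<%-- legitimate portal page (constructed) --%>")
    (root / "prtroot" / "app.class").write_bytes(b"\xca\xfe\xba\xbe")
    (root / "prtroot" / "xk3f9q.jsp").write_text("<%-- unexpected file with a random name (constructed, inert) --%>")
    (root / "prtroot" / "readme.txt").write_text("not a servlet artefact, never flagged")
    return {"prtroot/welcome.jsp", "prtroot/app.class"}


def run_demo() -> List[Dict[str, str]]:
    """Build the constructed tree in a temporary directory and scan it against its baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_demo_tree(root)
        return scan_servlet_path(root, baseline)


if __name__ == "__main__":
    for f in run_demo():
        print(f"UNEXPECTED {f['path']}  sha256={f['sha256']}  size={f['size']}")
```

Only the randomly named JSP is reported; the baseline entries and the text file are skipped. In practice the scan would run before the patch and endpoint restriction are applied, as the section advises, and the reported hashes would be kept with the incident record so that re-scans can confirm the files did not return.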

References

For a detailed understanding of the vulnerability and its impact, refer to the following resources:

  • BleepingComputer article on the SAP NetWeaver zero-day (April 25, 2025): https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
  • Rapid7 blog post on active exploitation
  • Onapsis security report

Rescana is here for you

At Rescana, we are committed to helping our clients navigate the complexities of cybersecurity threats. Our Third Party Risk Management (TPRM) platform is designed to provide comprehensive assessments and risk mitigation strategies, ensuring your organizational assets remain protected. For any questions regarding this report or other cybersecurity concerns, please reach out to us at ops@rescana.com. We are here to support you in safeguarding your digital infrastructure.