CyberSecurity news


@unit42.paloaltonetworks.com //
A critical zero-day vulnerability, identified as CVE-2025-31324, is actively being exploited in SAP NetWeaver Visual Composer. This vulnerability, which has been assigned a maximum severity CVSS score of 10.0, allows unauthenticated attackers to upload arbitrary files to affected SAP NetWeaver application servers. Successful exploitation of this flaw can lead to remote code execution (RCE) and full system compromise, significantly impacting the confidentiality, integrity, and availability of the targeted system. The vulnerability resides in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK) and is particularly dangerous because it does not require authentication to exploit.

Attackers are leveraging this flaw by sending specially crafted HTTP requests to the /developmentserver/metadatauploader endpoint. The missing authorization check in the Metadata Uploader enables them to deploy web shells, such as helper.jsp and cache.jsp, for persistent access and subsequent command execution. In observed incidents, attackers have also deployed reverse shell tools and reverse SSH SOCKS proxies using various network infrastructures. The exploitation of CVE-2025-31324 began as early as January 20, 2025, with documented attempts starting on February 10, 2025, indicating a well-coordinated and sustained attack strategy.
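The indicators named above (the unauthenticated /developmentserver/metadatauploader endpoint and the helper.jsp and cache.jsp web shell names) translate directly into a log-triage check. The following Python script is an added example, not code from Unit 42 or from the page: it parses combined-format HTTP access-log lines, flags requests to the uploader endpoint and to the named web shells, grades each hit by method and status code, and correlates source IPs that both hit the uploader and then requested a web shell. The log lines, IP addresses and severity thresholds are constructed assumptions; in practice the input would be the SAP application server's HTTP access log or a reverse proxy log in front of it.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined-log format; not real traffic.
# One source (198.51.100.7) posts to the uploader and then fetches helper.jsp,
# one scanner probes the uploader and is refused, one host fetches cache.jsp.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2025:10:02:40 +0000] "GET /irj/helper.jsp?ping=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2025:10:03:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2025:10:05:11 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 88 "-" "curl/8.0"
"""

# Combined-log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the article: the unauthenticated upload endpoint and
# the web shell file names observed in the wild.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    # Drop the query string so the file name comparison sees only the path.
    req["path"] = req["path"].split("?", 1)[0]
    return req


def classify(req):
    """Return (kind, severity) for a parsed request, or None if it matches no indicator."""
    path = req["path"].lower()
    if path.startswith(UPLOADER_PATH):
        # An accepted POST to the uploader is the exploitation pattern itself;
        # anything else against that path is probing or a blocked attempt.
        if req["method"] == "POST" and 200 <= req["status"] < 300:
            return ("metadata_upload", "high")
        return ("metadata_upload", "medium")
    if path.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        # A 200 on a known web shell name means the file exists and served content.
        return ("webshell_access", "high" if req["status"] == 200 else "medium")
    return None


def scan_log(text):
    """Return a list of finding dicts for every log line that matches an indicator."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        hit = classify(req)
        if hit:
            kind, severity = hit
            findings.append({
                "ip": req["ip"], "ts": req["ts"], "method": req["method"],
                "path": req["path"], "status": req["status"],
                "kind": kind, "severity": severity,
            })
    return findings


def correlate(findings):
    """Source IPs seen both hitting the uploader and requesting a web shell (sorted)."""
    kinds_by_ip = defaultdict(set)
    for f in findings:
        kinds_by_ip[f["ip"]].add(f["kind"])
    wanted = {"metadata_upload", "webshell_access"}
    return sorted(ip for ip, kinds in kinds_by_ip.items() if wanted <= kinds)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["severity"]:6} {h["ip"]:15} {h["method"]:4} {h["path"]} -> {h["status"]} ({h["kind"]})')
    print("IPs with uploader hit and web shell access:", correlate(hits))
```

A refused request to the uploader (the 403 in the sample) is still worth keeping as a medium finding: it shows the endpoint is being probed and is useful when checking whether the emergency patch or a front-end access restriction is actually blocking the path. The correlation step is where the signal is strongest, since a single source that first posts to the uploader and then requests a .jsp under the portal is the chain the article describes.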

Forescout Vedere Labs security researchers have attributed the ongoing attacks targeting SAP NetWeaver instances to a Chinese threat actor, aligning with a pattern of state-aligned groups leveraging the vulnerability to maintain access to systems managing intellectual property, supply chains, and financial data. This suggests a long-term interest in economic and industrial espionage. Organizations are urged to apply SAP's emergency patch and implement security measures to defend against these sophisticated threats. Palo Alto Networks customers receive protections from and mitigations for CVE-2025-31324 through threat prevention signatures and the ability to identify internet-exposed SAP NetWeaver applications.



References:
  • onapsis.com: Onapsis | Deloitte: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
  • www.cysecurity.news: Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild
  • Onapsis: Learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems
  • onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
  • MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • onapsis.com: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • bsky.app: A Chinese threat actor that Forescout tracks as Chaya_004 is behind a recent SAP NetWeaver zero-day (CVE-2025-31324)
  • Talkback Resources: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • BleepingComputer: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor
  • Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures
  • www.scworld.com: SAP NetWeaver bug exploited since January, allows RCE
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
  • www.cybersecuritydive.com: SAP NetWeaver exploitation enters second wave of threat activity
  • Unit 42: Threat Brief: CVE-2025-31324
  • fortiguard.fortinet.com: SAP NetWeaver Zero-Day Attack
  • securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver