Ddos@securityonline.info
//
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. This zero-day flaw, boasting a maximum CVSS score of 10.0, is an unauthenticated file upload vulnerability that grants attackers the ability to execute remote code on compromised systems. The vulnerability allows attackers to upload malicious files and gain unauthorized access, posing a significant threat to organizations relying on SAP systems and has led to breaches of critical systems worldwide.
Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to maintain persistent remote access, conduct reconnaissance, and deploy malicious programs. Attackers are exploiting this vulnerability to deploy web shells, maintain persistent access, and execute arbitrary commands on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure, revealing that 581 SAP NetWeaver instances have already been compromised and backdoored with web shells.
The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise.
Recommended read:
References :
- fortiguard.fortinet.com: FortiGuard Threat Signal Report on SAP Netweaver Zero-Day
- The DefendOps Diaries: TheDefendOpsDiaries on SAP NetWeaver Vulnerabilities
- The Hacker News: The Hacker News article on China-Linked APTs exploiting SAP CVE-2025-31324
- Blog: Second zero-day in SAP NetWeaver actively exploited
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- EclecticIQ Blog: EclecticIQ analysts report that in April 2025, China-nexus APTs exploited SAP NetWeaver vulnerabilities to target critical infrastructures globally, leveraging CVE-2025-31324 for remote code execution and maintaining persistent access.
- The DefendOps Diaries: Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
- Onapsis: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- Secure Bulletin: SecureBulletin article on China-Linked APTs exploiting critical SAP NetWeaver vulnerability
@unit42.paloaltonetworks.com
//
A critical zero-day vulnerability, identified as CVE-2025-31324, is actively being exploited in SAP NetWeaver Visual Composer. This vulnerability, which has been assigned a maximum severity CVSS score of 10.0, allows unauthenticated attackers to upload arbitrary files to affected SAP NetWeaver application servers. Successful exploitation of this flaw can lead to remote code execution (RCE) and full system compromise, significantly impacting the confidentiality, integrity, and availability of the targeted system. The vulnerability resides in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK) and is particularly dangerous because it does not require authentication to exploit.
Attackers are leveraging this flaw by sending specially crafted HTTP requests to the /developmentserver/metadatauploader endpoint. This missing authorization check in the Metadata Uploader enables them to deploy web shells, such as helper.jsp and cache.jsp, for persistent access and subsequent command execution. In observed incidents, attackers have also deployed reverse shell tools and reverse SSH SOCKS proxies using various network infrastructures. The exploitation of CVE-2025-31324 began as early as January 20, 2025, with documented attempts starting on February 10, 2025, indicating a well-coordinated and sustained attack strategy.
Forescout Vedere Labs security researchers have attributed the ongoing attacks targeting SAP NetWeaver instances to a Chinese threat actor, aligning with a pattern of state-aligned groups leveraging the vulnerability to maintain access to systems managing intellectual property, supply chains, and financial data. This suggests a long-term interest in economic and industrial espionage. Organizations are urged to apply SAP's emergency patch and implement security measures to defend against these sophisticated threats. Palo Alto Networks customers receive protections from and mitigations for CVE-2025-31324 through threat prevention signatures and the ability to identify internet-exposed SAP NetWeaver applications.
Recommended read:
References :
- onapsis.com: Onapsis | Deloitte: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
- www.cysecurity.news: Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild
- Onapsis: Learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
- onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
- The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
- onapsis.com: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324 The post appeared first on .
- bsky.app: A Chinese threat actor that Forescout tracks as Chaya_004 is behind a recent SAP NetWeaver zero-day (CVE-2025-31324)
- Talkback Resources: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell [app] [exp] [net]
- BleepingComputer: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- bsky.app: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- Onapsis: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
- Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures.
- www.bleepingcomputer.com: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- www.scworld.com: SAP NetWeaver bug exploited since January, allows RCE
- Anonymous ???????? :af:: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
- www.cybersecuritydive.com: SAP NetWeaver exploitation enters second wave of threat activity
- Unit 42: Threat Brief: CVE-2025-31324
- fortiguard.fortinet.com: SAP Netweaver Zero-Day Attack
- securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver
Rescana@Rescana
//
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.
Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts.
The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.
Recommended read:
References :
- SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
- Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
- The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
- Anonymous ???????? :af:: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
@reliaquest.com
//
A critical zero-day vulnerability, CVE-2025-31324, has been discovered in SAP NetWeaver Visual Composer Metadata Uploader, posing a significant threat to organizations using the platform. The flaw stems from missing authorization checks on the `/developmentserver/metadatauploader` endpoint, allowing unauthenticated attackers to upload malicious files directly to the system. This unrestricted file upload vulnerability has a CVSS score of 10, indicating its critical severity and potential for widespread exploitation. Security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using the vulnerability to drop web shell backdoors onto exposed systems.
Exploitation of CVE-2025-31324 enables attackers to gain unauthorized access and control over SAP systems. Threat actors are leveraging the vulnerability to upload web shells, facilitating remote code execution and further system compromise. These web shells allow attackers to execute commands, manage files, and perform other malicious actions directly from a web browser. According to SAP security platform Onapsis, the vulnerability can afford attackers the opportunity to take full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within a network.
SAP has released an out-of-band emergency patch to address CVE-2025-31324, and organizations are strongly encouraged to apply the patch as soon as possible to mitigate the risk. ReliaQuest researchers also reported investigating multiple customer incidents involving JSP webshells uploaded via this vulnerability. Given the widespread active exploitation and the potential for significant impact, organizations should prioritize patching vulnerable systems and assessing them for any signs of compromise. Experts estimate that a significant percentage of internet-facing SAP NetWeaver systems may be vulnerable, highlighting the urgency of addressing this critical flaw.
Recommended read:
References :
- Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
- securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
- The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
- Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
- BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
- reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
- MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
- Blog: Max severity zero-day in SAP NetWeaver actively exploited
- thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
- cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
- www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
- www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
- The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
- Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
- socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
- Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
- strobes.co: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
- The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
- Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
- www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
- www.bleepingcomputer.com: SAP fixes suspected Netweaver zero-day exploited in attacks
- BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
- securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
- onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
- research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
- Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
- Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
- www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
- www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
- securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
- redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
- www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
- Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
- SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
- Stormshield: Security alert SAP CVE-2025-31324: Stormshield Products Response
- socprime.com: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
|
|
FlagThis - #cve-2025-31324