CyberSecurity news

FlagThis - #netweaver

@gbhackers.com //
SAP has released its June 2025 Security Patch Day update, addressing a critical vulnerability in SAP NetWeaver Application Server for ABAP, identified as CVE-2025-42989. The flaw, which carries a CVSS score of 9.6, allows attackers to bypass authorization checks and escalate privileges. This could grant unauthorized access to critical system functions, allowing manipulation of application data or disruption of services. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, making patching an urgent priority.

SAP warns that successful exploitation of this vulnerability could critically impact the integrity and availability of affected systems. The flaw stems from a missing authorization check within the Remote Function Call (RFC) framework, which enables authenticated attackers to bypass standard authorization checks on the S_RFC object when leveraging transactional or queued RFCs under specific conditions. SAP advises immediate patching and notes that post-patch, additional S_RFC permissions may need to be assigned to certain users. Detailed guidance on identifying affected users and activating enhanced checks is provided in SAP Note #3601919.

Beyond the critical NetWeaver vulnerability, SAP's June Patch Day addresses a total of 14 new vulnerabilities across multiple enterprise products. These include high-severity flaws in SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI. A serious information disclosure vulnerability in SAP GRC (CVE-2025-42982) could allow non-administrative users to initiate sensitive transactions and manipulate system credentials. A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42983) could allow authenticated users to delete arbitrary database tables, resulting in data loss. Additionally, a cross-site scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace (CVE-2025-23192) could allow attackers to execute code in the browser of unsuspecting users, risking data theft and interface manipulation.

References:
  • gbhackers.com: SAP NetWeaver Vulnerability Allows Attackers to Escalate Privileges
  • securityaffairs.com: SAP June 2025 Security Patch Day fixed critical NetWeaver bug
  • securityonline.info: SAP Patch Fixes Critical CVSS 9.6 Flaw in NetWeaver: Privilege Escalation and System Integrity at Risk
  • Daily CyberSecurity: SAP Patch Fixes Critical CVSS 9.6 Flaw in NetWeaver: Privilege Escalation and System Integrity at Risk

@onapsis.com //
References: onapsis.com, op-c.net
The Qilin ransomware-as-a-service (RaaS) group, a Russian-linked threat actor, has been identified as exploiting the critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day exploit allows for unauthenticated remote code execution, posing a significant threat to enterprise systems globally. The vulnerability affects the `/developmentserver/metadatauploader` endpoint and does not properly enforce authentication or authorization, allowing attackers to upload arbitrary files, including web shells, to the server. SAP assigned the vulnerability a CVSS score of 10.0, highlighting the ease of exploitation and potential for full system compromise.

This pre-disclosure exploitation was uncovered during an incident response led by OP Innovate for a major global enterprise. The investigation revealed communication with known Cobalt Strike C2 infrastructure and IP addresses directly linked to Qilin. While recent reports have pointed to China-linked APT groups exploiting the vulnerability, the discovery of Qilin's involvement suggests a broader range of threat actors are actively targeting this flaw. The ease of exploiting CVE-2025-31324, requiring no authentication and exposing the attack surface via standard HTTP(S), makes it particularly dangerous for commonly deployed enterprise SAP environments.

Security researchers are urging SAP administrators to patch immediately to prevent falling victim to CVE-2025-31324. The vulnerability, which allows unauthenticated file uploads and remote code execution (RCE), is being actively exploited in mass attacks. It hit the security world "like a tsunami," with potentially severe consequences for affected organizations. SOC Prime Platform has also released Sigma rules to help detect exploitation attempts linked to Chinese APT groups that target critical infrastructure.

References:
  • onapsis.com: This consolidated threat advisory [TLP:CLEAR] is provided to support defenders in their assessment of exposure and compromise against the active mass exploitation of SAP security vulnerabilities CVE-2025-31324 and CVE-2025-42999.
  • op-c.net: CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe.

@securebulletin.com //
China-linked APT groups are actively exploiting a critical vulnerability, CVE-2025-31324, in SAP NetWeaver to breach systems globally. This flaw, an unauthenticated file upload vulnerability, allows for remote code execution, granting unauthorized access to sensitive systems. EclecticIQ assesses with high confidence that these attacks, which commenced in April 2025, are being launched by Chinese nation-state APTs targeting critical infrastructure networks. The scope of the campaign is significant, with evidence indicating the compromise of over 580 SAP NetWeaver instances across various sectors.

Researchers at EclecticIQ uncovered evidence revealing the campaign's breadth. A publicly accessible directory on a threat actor-controlled server contained event logs confirming compromises across 581 SAP NetWeaver instances worldwide. These systems span critical sectors like natural gas distribution networks, water, waste management utilities, medical device manufacturing plants, and government ministries. Additionally, a list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets.

The exploitation of CVE-2025-31324 is being attributed to multiple distinct China-linked threat clusters, including CL-STA-0048, UNC5221, and UNC5174. These groups employ various tactics, techniques, and procedures (TTPs), including the use of reverse shells, Rust-based malware loaders like KrustyLoader, and remote access trojans like VShell. In addition to CVE-2025-31324, SAP addressed a second zero-day vulnerability, CVE-2025-42999, which has also been actively exploited in attacks targeting SAP NetWeaver servers and is being used in conjunction with CVE-2025-31324 by threat actors.

References:
  • securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
  • The Hacker News: BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan
  • BleepingComputer: Ransomware gangs join ongoing SAP NetWeaver attacks
  • www.techradar.com: SAP NetWeaver woes worsen as ransomware gangs join the attack
  • Blog: A second zero-day vulnerability, identified as CVE-2025-42999, which was actively exploited in attacks targeting SAP NetWeaver servers.
  • onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • Onapsis: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
  • socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
  • SOC Prime Blog: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure

Field Effect@Blog //
Russian Ransomware-as-a-Service (RaaS) group Qilin exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day flaw, an unauthenticated file upload vulnerability, allowed attackers to gain remote code execution in affected enterprise environments across the globe. The vulnerability affects SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the `/developmentserver/metadatauploader` endpoint, which fails to properly enforce authentication and authorization, allowing an unauthenticated attacker to upload arbitrary files, including web shells, to the server with ease.

SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed.

OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches.

References:
  • industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
  • The Hacker News: China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
  • The DefendOps Diaries: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • Onapsis: SAP defenders were briefed on an active exploitation campaign targeting a critical CVSS 10.0 vulnerability (CVE-2025-31324).
  • Blog: Second zero-day in SAP NetWeaver actively exploited
  • op-c.net: SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure
  • Industrial Cyber: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
  • SOC Prime Blog: A newly revealed SAP NetWeaver critical vulnerability, an unauthenticated file upload flaw that allows RCE and tracked as CVE-2025-31324, is being actively exploited by several China-linked nation-state groups to attack critical infrastructure systems.

Ddos@securityonline.info //
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. This zero-day flaw, which carries a maximum CVSS score of 10.0, is an unauthenticated file upload vulnerability that lets attackers execute code remotely on compromised systems. The vulnerability allows attackers to upload malicious files and gain unauthorized access, posing a significant threat to organizations relying on SAP systems, and it has led to breaches of critical systems worldwide.

Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to maintain persistent remote access, conduct reconnaissance, and deploy malicious programs. Attackers are exploiting this vulnerability to deploy web shells, maintain persistent access, and execute arbitrary commands on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure, revealing that 581 SAP NetWeaver instances have already been compromised and backdoored with web shells.

The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise.

References:
  • fortiguard.fortinet.com: FortiGuard Threat Signal Report on SAP Netweaver Zero-Day
  • The DefendOps Diaries: TheDefendOpsDiaries on SAP NetWeaver Vulnerabilities
  • The Hacker News: The Hacker News article on China-Linked APTs exploiting SAP CVE-2025-31324
  • Blog: Second zero-day in SAP NetWeaver actively exploited
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
  • EclecticIQ Blog: EclecticIQ analysts report that in April 2025, China-nexus APTs exploited SAP NetWeaver vulnerabilities to target critical infrastructures globally, leveraging CVE-2025-31324 for remote code execution and maintaining persistent access.
  • The DefendOps Diaries: Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
  • Onapsis: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
  • Secure Bulletin: SecureBulletin article on China-Linked APTs exploiting critical SAP NetWeaver vulnerability

@unit42.paloaltonetworks.com //
A critical zero-day vulnerability, identified as CVE-2025-31324, is actively being exploited in SAP NetWeaver Visual Composer. This vulnerability, which has been assigned a maximum severity CVSS score of 10.0, allows unauthenticated attackers to upload arbitrary files to affected SAP NetWeaver application servers. Successful exploitation of this flaw can lead to remote code execution (RCE) and full system compromise, significantly impacting the confidentiality, integrity, and availability of the targeted system. The vulnerability resides in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK) and is particularly dangerous because it does not require authentication to exploit.

Attackers are leveraging this flaw by sending specially crafted HTTP requests to the `/developmentserver/metadatauploader` endpoint. This missing authorization check in the Metadata Uploader enables them to deploy web shells, such as `helper.jsp` and `cache.jsp`, for persistent access and subsequent command execution. In observed incidents, attackers have also deployed reverse shell tools and reverse SSH SOCKS proxies using various network infrastructures. The exploitation of CVE-2025-31324 began as early as January 20, 2025, with documented attempts starting on February 10, 2025, indicating a well-coordinated and sustained attack strategy.

Forescout Vedere Labs security researchers have attributed the ongoing attacks targeting SAP NetWeaver instances to a Chinese threat actor, aligning with a pattern of state-aligned groups leveraging the vulnerability to maintain access to systems managing intellectual property, supply chains, and financial data. This suggests a long-term interest in economic and industrial espionage. Organizations are urged to apply SAP's emergency patch and implement security measures to defend against these sophisticated threats. Palo Alto Networks customers receive protections from and mitigations for CVE-2025-31324 through threat prevention signatures and the ability to identify internet-exposed SAP NetWeaver applications.

References:
  • onapsis.com: Onapsis | Deloitte: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
  • www.cysecurity.news: Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild
  • Onapsis: Learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
  • MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • onapsis.com: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • bsky.app: A Chinese threat actor that Forescout tracks as Chaya_004 is behind a recent SAP NetWeaver zero-day (CVE-2025-31324)
  • Talkback Resources: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell [app] [exp] [net]
  • BleepingComputer: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • bsky.app: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • Onapsis: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures.
  • www.bleepingcomputer.com: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • www.scworld.com: SAP NetWeaver bug exploited since January, allows RCE
  • Anonymous: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
  • www.cybersecuritydive.com: SAP NetWeaver exploitation enters second wave of threat activity
  • Unit 42: Threat Brief: CVE-2025-31324
  • fortiguard.fortinet.com: SAP Netweaver Zero-Day Attack
  • securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver

Rescana@Rescana //
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.

Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts.

The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is `/developmentserver/metadatauploader`, which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.

References:
  • SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
  • Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • Anonymous: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers

@reliaquest.com //
A critical zero-day vulnerability, CVE-2025-31324, has been discovered in SAP NetWeaver Visual Composer Metadata Uploader, posing a significant threat to organizations using the platform. The flaw stems from missing authorization checks on the `/developmentserver/metadatauploader` endpoint, allowing unauthenticated attackers to upload malicious files directly to the system. This unrestricted file upload vulnerability has a CVSS score of 10, indicating its critical severity and potential for widespread exploitation. Security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using the vulnerability to drop web shell backdoors onto exposed systems.

Exploitation of CVE-2025-31324 enables attackers to gain unauthorized access and control over SAP systems. Threat actors are leveraging the vulnerability to upload web shells, facilitating remote code execution and further system compromise. These web shells allow attackers to execute commands, manage files, and perform other malicious actions directly from a web browser. According to SAP security platform Onapsis, the vulnerability can afford attackers the opportunity to take full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within a network.

SAP has released an out-of-band emergency patch to address CVE-2025-31324, and organizations are strongly encouraged to apply the patch as soon as possible to mitigate the risk. ReliaQuest researchers also reported investigating multiple customer incidents involving JSP webshells uploaded via this vulnerability. Given the widespread active exploitation and the potential for significant impact, organizations should prioritize patching vulnerable systems and assessing them for any signs of compromise. Experts estimate that a significant percentage of internet-facing SAP NetWeaver systems may be vulnerable, highlighting the urgency of addressing this critical flaw.
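For the compromise assessment urged above, a minimal triage pass over web access logs for the indicators named in these summaries: requests to `/developmentserver/metadatauploader`, and the `helper.jsp` / `cache.jsp` web shell names from the Unit 42 item. This is an added example, not code from SAP or any cited vendor; the combined log format (for instance from a reverse proxy in front of the server), the 24-hour correlation window, the `/some/dir` paths and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named on this page
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}           # web shell names named on this page
WINDOW = timedelta(hours=24)                         # assumption: correlation window

# Assumption: Apache/NGINX-style common or combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, percent-decode, collapse slashes, lower-case."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path).lower()

def analyze(lines):
    """Return (client_ip, finding_kind, normalized_path) tuples in log order."""
    uploads = {}   # client ip -> time of its last accepted POST to the uploader
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an access-log line in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        path = normalize(m["target"])
        name = path.rsplit("/", 1)[-1]
        if path.rstrip("/") == UPLOAD_PATH:
            # A 2xx answer to a POST means the server accepted the upload;
            # anything else (401/403/404/405 ...) is recorded as a probe.
            accepted = m["method"] == "POST" and 200 <= status < 300
            if accepted:
                uploads[ip] = ts
            findings.append((ip, "upload-accepted" if accepted else "uploader-probe", path))
        elif name.endswith(".jsp") and status == 200:
            prior = uploads.get(ip)
            if prior is not None and timedelta(0) <= ts - prior <= WINDOW:
                # Same client fetched a JSP soon after an accepted upload.
                findings.append((ip, "jsp-after-upload", path))
            elif name in KNOWN_SHELLS:
                # Shell may be used from a different address than the uploader.
                findings.append((ip, "known-shell-name", path))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '198.51.100.7 - - [01/May/2025:10:00:01 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.7 - - [01/May/2025:10:00:05 +0000] "POST /developmentserver/metadatauploader?a=b HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [01/May/2025:10:02:00 +0000] "GET /some/dir/x1.jsp?c=1 HTTP/1.1" 200 40 "-" "-"',
    '203.0.113.9 - - [01/May/2025:11:00:00 +0000] "GET /some/dir/helper.jsp HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [01/May/2025:11:05:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.10 - - [01/May/2025:11:06:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, kind, path in analyze(SAMPLE):
        print(f"{kind:18} {ip:15} {path}")
```

An `upload-accepted` or `jsp-after-upload` hit warrants checking the file system for unexpected JSP files; `uploader-probe` alone shows scanning against an endpoint that refused the request.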

References:
  • Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
  • securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
  • The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
  • Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
  • BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
  • reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
  • MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
  • Blog: Max severity zero-day in SAP NetWeaver actively exploited
  • thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
  • cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
  • www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
  • www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
  • The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
  • Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
  • socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
  • Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
  • strobes.co: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
  • The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
  • Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
  • www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
  • www.bleepingcomputer.com: SAP fixes suspected Netweaver zero-day exploited in attacks
  • BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
  • securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
  • onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
  • Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
  • Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
  • www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
  • www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
  • securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
  • redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
  • www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
  • Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
  • SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
  • Stormshield: Security alert SAP CVE-2025-31324: Stormshield Products Response
  • socprime.com: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution