CyberSecurity news
FlagThis - #sapsecurity
|
@onapsis.com
//
The Qilin ransomware-as-a-service (RaaS) group, a Russian-linked threat actor, has been identified as exploiting the critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day exploit allows for unauthenticated remote code execution, posing a significant threat to enterprise systems globally. The vulnerability affects the `/developmentserver/metadatauploader` endpoint and does not properly enforce authentication or authorization, allowing attackers to upload arbitrary files, including web shells, to the server. SAP assigned the vulnerability a CVSS score of 10.0, highlighting the ease of exploitation and potential for full system compromise.
This pre-disclosure exploitation was uncovered during an incident response led by OP Innovate for a major global enterprise. The investigation revealed communication with known Cobalt Strike C2 infrastructure and IP addresses directly linked to Qilin. While recent reports have pointed to China-linked APT groups exploiting the vulnerability, the discovery of Qilin's involvement suggests a broader range of threat actors are actively targeting this flaw. The ease of exploiting CVE-2025-31324, requiring no authentication and exposing the attack surface via standard HTTP(S), makes it particularly dangerous for commonly deployed enterprise SAP environments. Security researchers are urging SAP administrators to patch immediately to prevent falling victim to CVE-2025-31324. The vulnerability, which allows unauthenticated file uploads and remote code execution (RCE), is being actively exploited in mass attacks. It hit the security world "like a tsunami," with potentially severe consequences for affected organizations. SOC Prime Platform has also released Sigma rules to help detect exploitation attempts linked to Chinese APT groups that target critical infrastructure.
Share:
References :
Classification:
Field Effect@Blog
//
Russian Ransomware-as-a-Service (RaaS) group Qilin exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day flaw, an unauthenticated file upload vulnerability, allowed attackers to gain remote code execution in affected enterprise environments across the globe. The vulnerability affects SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the `/developmentserver/metadatauploader` endpoint, which fails to properly enforce authentication and authorization, which allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server with ease.
SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed. OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches.
Share:
References :
Classification:
Rescana@Rescana
//
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.
Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts. The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.
Share:
References :
Classification:
|