CVE-2025-31324: SAP Zero-Day Vulnerability Exploited by Hackers
CVE-2025-31324 Threat Overview
Executive Summary
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting SAP NetWeaver's Visual Composer Framework, version 7.50. This vulnerability allows unauthenticated users to upload arbitrary files, leading to potential remote code execution (RCE) and full system compromise by sending specially crafted HTTP requests to the /developmentserver/metadatauploader endpoint.
Attackers have exploited this vulnerability to deploy web shells such as helper.jsp and cache.jsp for persistent access and command execution. For SAP NetWeaver users, it is crucial to refer to official documentation and instructions from SAP for guidance. Palo Alto Networks customers receive protections through the Next-Generation Firewall, Cortex Xpanse, and Cortex XDR.
Details of CVE-2025-31324
CVE-2025-31324 affects the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK), which is commonly used by business analysts. The core issue is a missing authorization check in the Metadata Uploader, allowing unauthenticated users to upload files.
Exploitation Process
- Unrestricted access: The /developmentserver/metadatauploader endpoint lacks proper authentication.
- Malicious file upload: Attackers send crafted HTTP requests containing malicious files.
- File system access: The server writes the uploaded file to accessible directories.
- Web shell execution: Attackers can execute arbitrary commands using the uploaded web shell.
- System compromise: Attackers gain control over the SAP system and data.
This critical vulnerability requires immediate attention and remediation.
Current Scope of Attacks Utilizing CVE-2025-31324
In late January 2025, suspicious HTTP requests targeting the /developmentserver/metadatauploader endpoint were observed. Following public disclosure, various attacks attempted to exploit this vulnerability to deploy JSP web shells.
Reconnaissance and Tool Deployment
Post-exploitation, attackers use reconnaissance commands to gather system information, such as:
- cat /etc/hosts
- ps -ef
- netstat -tenp
Attackers primarily deploy web shells, including variants such as ran.jsp, and tools such as GOREVERSE for reverse shell capabilities.
Exploit Analysis
Onapsis has documented that exploitation began with reconnaissance from January 20, 2025, leading to successful web shell deployments by March 2025. The vulnerability's wide exposure is exacerbated by the inclusion of Visual Composer in default SAP installations.
Recommendations
Organizations are advised to:
- Install the emergency patch from SAP.
- Disable Visual Composer if not in use.
- Monitor for suspicious activity and for web shells that are already in place.
Indicators of Compromise
SAP recommends checking specific OS directories for indicators of compromise. The presence of files with .jsp, .java or .class extensions in the following directories indicates potential exploitation:
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
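A defender-side check that covers both the monitoring recommendation above and the directory indicators just listed, added here as an example and not code from SAP, Onapsis or Palo Alto Networks. It assumes the caller passes the instance root (the <SID>\<InstanceID> directory, same layout on Linux or Windows), assumes an Apache-style access log for the endpoint check, and builds its own constructed sample tree and log lines.

```python
import re, tempfile
from pathlib import Path

# Directories from SAP's guidance, relative to the instance root <SID>/<InstanceID>
# (assumption: same layout under /usr/sap on Linux and C:\usr\sap on Windows).
IRJ_SUBDIRS = [
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
]
SUSPICIOUS_EXT = {".jsp", ".java", ".class"}
KNOWN_SHELLS = re.compile(r"^(helper|cache|ran)\.jsp$", re.I)  # names cited in the article
ENDPOINT = "/developmentserver/metadatauploader"
REQUEST_RE = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" (\d{3})')  # assumes a CLF-style access log

def find_dropped_files(instance_root):
    """Return (path, is_known_shell) for suspicious files directly inside each IRJ directory."""
    hits = []
    for sub in IRJ_SUBDIRS:
        base = Path(instance_root) / sub
        if base.is_dir():
            for entry in sorted(base.iterdir()):  # list each directory once, no recursion
                if entry.is_file() and entry.suffix.lower() in SUSPICIOUS_EXT:
                    hits.append((str(entry), bool(KNOWN_SHELLS.match(entry.name))))
    return hits

def flag_uploader_requests(log_lines):
    """Return (method, path, status) for every request that reaches the uploader endpoint."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and m.group(2).lower().startswith(ENDPOINT):
            flagged.append((m.group(1), m.group(2), int(m.group(3))))
    return flagged

def build_demo_instance():
    """Create a constructed instance tree: one known shell, one .class drop, one benign file."""
    root = Path(tempfile.mkdtemp(prefix="sap-demo-"))
    for sub in IRJ_SUBDIRS:
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / IRJ_SUBDIRS[0] / "helper.jsp").write_text("<% %>")
    (root / IRJ_SUBDIRS[1] / "x9.class").write_bytes(b"\xca\xfe")
    (root / IRJ_SUBDIRS[1] / "notes.txt").write_text("ok")
    return root

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '203.0.113.5 - - [20/Jan/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2025:11:12:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '198.51.100.7 - - [24/Apr/2025:11:13:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
]
```

Any hit from find_dropped_files on a production instance warrants a forensic copy of the file before removal, and a POST to the endpoint with a 200 status in the log is the pattern to triage first.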
Observed Tactics
Onapsis Research Labs has mapped the observed tactics to the MITRE ATT&CK framework:
- T1190 (Exploit Public-Facing Application)
- T1505.003 (Server Software Component: Web Shell)
Conclusion
Organizations must act quickly to address CVE-2025-31324. GrackerAI, an AI-powered cybersecurity marketing platform, offers tools to help organizations transform security news into strategic content opportunities. By leveraging GrackerAI, marketing teams can stay ahead of emerging threats, monitor trends, and produce relevant content tailored for cybersecurity professionals.