SAP NetWeaver Flaw Exploited: Threat Actors Deploy Web Shells and Brute Ratel

Security researchers at ReliaQuest uncovered active exploitation of a critical zero-day in SAP NetWeaver Visual Composer, tracked as CVE-2025-31324 (CVSS 10.0). Threat actors leveraged an unrestricted file upload issue in the /developmentserver/metadatauploader endpoint to install lightweight JSP web shells and ultimately deploy the Brute Ratel C4 post-exploitation framework for persistent espionage and network access ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com), [New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com)).

Background on SAP NetWeaver and Visual Composer

SAP NetWeaver is a comprehensive application and integration platform used by thousands of enterprises and government agencies worldwide. Its Visual Composer component provides a web-based modeling environment to design SAP applications graphically. Despite its benefits, Visual Composer’s metadata uploader—responsible for accepting JavaServer Page (JSP) models—became the vector for this critical flaw due to a missing authorization check ([Critical SAP Vulnerability (CVE-2025-31324) Allows ... - LinkedIn](https://www.linkedin.com/pulse/critical-sap-vulnerability-cve-2025-31324-allows-unauthenticated-geysf?utm_source=chatgpt.com), [New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com)).

Discovery and Disclosure of CVE-2025-31324

On April 22, 2025, ReliaQuest published their threat analysis revealing unauthorized file uploads and JSP web shell deployments on fully-patched SAP NetWeaver servers ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com)). Following coordinated disclosure, SAP released Security Note 3594142 on April 24, 2025, addressing the defect and urging immediate patching ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com)).

Technical Analysis of the Vulnerability

The root cause lies in the MetadataUploader servlet within Visual Composer, which lacked proper authentication and authorization controls. An unauthenticated HTTP POST to /developmentserver/metadatauploader allowed attackers to upload arbitrary JSP files into servlet_jsp/irj/root/, effectively gaining remote code execution as the <SID>adm OS user ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com), [Critical SAP Vulnerability (CVE-2025-31324) Allows ... - LinkedIn](https://www.linkedin.com/pulse/critical-sap-vulnerability-cve-2025-31324-allows-unauthenticated-geysf?utm_source=chatgpt.com)).

Exploitation Techniques: Web Shells & Brute Ratel

Initial access was obtained by uploading a lightweight JSP web shell, which provided a foothold to stage further payloads. In several incidents, attackers deployed the Brute Ratel C4 framework—well known for its “Heaven’s Gate” technique to bypass endpoint protections—enabling full command execution, lateral movement, and data exfiltration ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com), [Active exploitation of SAP NetWeaver Visual Composer CVE-2025 ...](https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/?utm_source=chatgpt.com)).

Timeline of Exploitation

• Late March 2025: Rapid7 observed the first reports of unexplained JSP uploads on customer SAP NetWeaver hosts, dating exploitation to at least March 27, 2025 ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com), [Active exploitation of SAP NetWeaver Visual Composer CVE-2025 ...](https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/?utm_source=chatgpt.com)).
• April 22, 2025: ReliaQuest publishes details on unauthorized file uploads and web shells ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com)).
• April 24, 2025: SAP issues patch (Security Note 3594142) for CVE-2025-31324 ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com)).
• April 25–28, 2025: Multiple security vendors (Onapsis, Rapid7, DarkReading) confirm active in-the-wild exploitation ([SAP NetWeaver Visual Composer Flaw Under Active Exploitation](https://www.darkreading.com/cyberattacks-data-breaches/sap-netweaver-visual-composer-flaw-active-exploitation?utm_source=chatgpt.com), [Critical vulnerability in SAP NetWeaver under threat of active ...](https://www.cybersecuritydive.com/news/critical-vulnerability-sap-netweaver-exploitation/746383/?utm_source=chatgpt.com)).

Impact and Affected Versions

CVE-2025-31324 affects SAP NetWeaver 7.5x and 7.4x installations where Visual Composer’s metadata uploader component is enabled (not part of the default configuration but widely deployed) ([SAP NetWeaver Visual Composer Flaw Under Active Exploitation](https://www.darkreading.com/cyberattacks-data-breaches/sap-netweaver-visual-composer-flaw-active-exploitation?utm_source=chatgpt.com), [Active exploitation of SAP NetWeaver Visual Composer CVE-2025 ...](https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/?utm_source=chatgpt.com)). Given SAP’s prevalence in critical infrastructure and government environments, successful compromise can yield full database access, configuration theft, and persistent network footholds.

Indicators of Compromise (IoCs)

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\* (JSP web shell files) ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com))
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\* (temporary staging files) ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com))
  • Nuclei templates for CVE-2025-31324: sapsrvr-metadatauploader-upload and sapsrvr-metadatauploader-exploit ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com))

Recommendations and Mitigations

1. Apply SAP Patch Immediately: Install Security Note 3594142 without delay to close the unrestricted file upload vector ([ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/?utm_source=chatgpt.com)).
2. Harden Metadata Uploader: Disable or firewall the /developmentserver/metadatauploader endpoint if Visual Composer is not actively used.
3. Implement Network Segmentation: Restrict SAP application servers to trusted management networks only.
4. Deploy Detection Rules: Monitor for suspicious HTTP POSTs to metadata uploader and unexpected JSP file creations—leverage YARA and SIEM rules based on published IOCs ([New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell ...](https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html?utm_source=chatgpt.com), [SAP NetWeaver Visual Composer Flaw Under Active Exploitation](https://www.darkreading.com/cyberattacks-data-breaches/sap-netweaver-visual-composer-flaw-active-exploitation?utm_source=chatgpt.com)).
5. Conduct Threat Hunts: Proactively search logs and file systems for legacy Indicators of Compromise and anomalous account activities.

The exploitation of CVE-2025-31324 underscores the critical importance of rapid patch management, proactive threat hunting, and rigorous network controls for SAP environments. By understanding the attack chain—from unrestricted file upload to Brute Ratel deployment—organizations can bolster their defenses and detect adversaries before they establish long-term persistence.

For more insights and updates on cybersecurity, AI advancements, and tech news, visit NorthernTribe Insider. Stay secure, NorthernTribe.

Comments

Post a Comment

Popular posts from this blog

Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide

Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement . "Mac and Linux hosts are not impacted. This is not a security incident or cyber attack." The company, which acknowledged "reports of [ Blue Screens of Death ] on Windows hosts," further said it has identified the issue and a fix has been deployed for its Falcon Sensor product, urging customers to refer to the support portal for the latest updates. For systems that have been already impacted by the problem, the mitigation instructions are listed below - Boot Windows in Safe Mode or Windows Recovery Environment Navigate to the C:\Windows\System32\drivers\CrowdStrike directory Find the file nam...
Read more

APT33 Expands Operations Targeting Aerospace, Satellite, and Energy Sectors Across the U.S., Europe, and Middle East

A renewed wave of cyber activity linked to the Iranian threat group APT33 has drawn attention to the increasing sophistication of state-aligned cyber operations targeting strategic industries worldwide. The group—also tracked under names such as Elfin, Refined Kitten, Magnallium, and Peach Sandstorm —has been associated with a series of campaigns affecting organizations in the aerospace, satellite, and energy sectors across the United States, Europe, and the Middle East . Unlike purely espionage-focused campaigns, recent operations attributed to APT33 appear to follow a dual-mandate strategy : collecting strategic intelligence while maintaining the capability to escalate into disruptive cyber activity if geopolitical conditions demand it. This blend of espionage and latent disruption reflects the evolving role of cyber operations as a strategic instrument of state power. APT33: A Long-Running Iranian Cyber Threat Actor APT33 is widely assessed by multiple threat intell...
Read more

Stealthy BITSLOTH Backdoor Exploits Windows BITS for Covert Communication

A newly discovered Windows backdoor, dubbed BITSLOTH, is making waves in the cybersecurity community for its cunning exploitation of the Background Intelligent Transfer Service (BITS) to facilitate stealthy communication. This advanced threat poses significant risks to organizations and individuals alike, highlighting the ever-evolving tactics of cybercriminals. Overview of BITSLOTH BITSLOTH leverages the legitimate Windows service BITS, which is typically used for background file transfers and updates, to establish a covert communication channel. Key features of this backdoor include: Stealthy Operations: By using BITS, BITSLOTH can blend in with normal network traffic, making it difficult for traditional security measures to detect its presence. Persistent Backdoor: Once installed, BITSLOTH creates a persistent backdoor that allows attackers to maintain long-term access to compromised systems. Data Exfiltration: The backdoor is capable of exfiltrating sensitive data from the targe...
Read more