Executive Summary
On April 24, 2025, SAP announced a severe vulnerability, designated CVE-2025-31324, with a CVSS score of 10.0, impacting the Visual Composer Framework in SAP NetWeaver version 7.50. This document outlines the vulnerability’s nature, implications, and observations from incident response services. The flaw allows unauthenticated users to upload arbitrary files to the SAP application server, potentially enabling remote code execution (RCE) and complete system compromise. Attackers have exploited this vulnerability to deploy web shells (such as helper.jsp and cache.jsp) for persistent access and command execution, putting affected systems at risk.
Details of CVE-2025-31324
CVE-2025-31324 arises from a missing authentication check in the Metadata Uploader exposed at the /developmentserver/metadatauploader endpoint. While not installed by default, this component is commonly present on SAP systems because it lets business analysts build applications without writing code.
The vulnerability can be exploited through several key steps:
- Unrestricted Access: The vulnerable endpoint is exposed via HTTP/HTTPS without necessary authentication.
- Malicious File Upload: Attackers can send modified HTTP requests to upload harmful files to the server.
- File System Access: The server, lacking proper checks, writes these files to accessible directories.
- Web Shell Execution: If a web shell like a JSP file is uploaded, attackers can access it via a browser, executing commands as the SAP server process.
- System Compromise: By executing commands as a system administrator, attackers could gain control over the SAP system, leading to various malicious activities.
Attack Patterns and Response
Observations reveal that suspicious HTTP requests targeting the /developmentserver/metadatauploader endpoint began around January 2025, indicating early probing of the vulnerability. Subsequent successful exploits led to the deployment of JSP web shells from mid-March 2025. Following public disclosure, both automated and manual attempts to exploit this vulnerability escalated.
Post-Compromise Activities:
- Reconnaissance: Attackers executed a range of commands (e.g., cat /etc/hosts, ps -ef, and netstat -tenp) to gather information about the compromised systems and network.
- Tool Deployment: Web shells were the primary mechanism for maintaining access. Attackers deployed various JSP files; one notable example, ran.jsp, allowed the execution of commands through specified parameters.
Moreover, reverse shell tools such as GOREVERSE were deployed. GOREVERSE facilitates reverse shell management, SSH connections, and file transfers, adding to the complexity of the attacks.
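As an added defender's example (not code from the original report or from Palo Alto Networks), the following Python script turns the exploitation chain described above and the post-compromise observations into two simple detections run over constructed log samples: it flags requests to the /developmentserver/metadatauploader endpoint, requests for the web shell names reported in the incidents (helper.jsp, cache.jsp, ran.jsp), a JSP request from a source that shortly before had a request accepted by the uploader, and the reported reconnaissance commands when they are spawned by the SAP server process. The Common Log Format access lines, the process-event format, the sapadm user and the jstart parent process name are assumptions made for the example; adjust them to your own logging and environment.

```python
"""Detection helpers for CVE-2025-31324 exploitation indicators.

Added example; not code from the original report. The log formats,
sample lines, user name and SAP process name are constructed/assumed.
"""
import re
from datetime import datetime

# Endpoint named in the advisory as the vulnerable Metadata Uploader.
VULNERABLE_ENDPOINT = "/developmentserver/metadatauploader"
# Web shell file names reported in the incident data.
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp", "ran.jsp"}
# Reconnaissance commands reported post-compromise.
RECON_COMMANDS = ("cat /etc/hosts", "ps -ef", "netstat -tenp")
# Assumed name of the SAP Java server process; set to your environment's value.
SAP_SERVER_PROCESS = "jstart"

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Constructed process-event format: ts user=... parent=... cmd="..."
PROCESS_EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [20/Apr/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.10 - - [20/Apr/2025:10:00:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 12',
    '203.0.113.10 - - [20/Apr/2025:10:00:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [20/Apr/2025:11:15:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 12',
    '198.51.100.7 - - [20/Apr/2025:11:16:30 +0000] "GET /irj/report.jsp HTTP/1.1" 200 40',
    '192.0.2.44 - - [20/Apr/2025:12:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
]
# Constructed sample process events; "sapadm" and "jstart" are placeholders.
SAMPLE_PROCESS_EVENTS = [
    '2025-04-20T10:00:12Z user=sapadm parent=jstart cmd="cat /etc/hosts"',
    '2025-04-20T10:00:15Z user=sapadm parent=jstart cmd="netstat -tenp"',
    '2025-04-20T10:05:00Z user=root parent=sshd cmd="ps -ef"',   # admin over SSH, not the server
    '2025-04-20T10:06:00Z user=sapadm parent=jstart cmd="ls /tmp"',
]


def parse_access_line(line):
    """Parse one Common Log Format line into a dict, or return None if it does not match."""
    m = ACCESS_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string when matching paths
    rec["status"] = int(rec["status"])
    return rec


def find_http_indicators(lines, window_seconds=3600):
    """Flag uploader requests, known web shell names, and upload-then-JSP sequences per source IP."""
    findings = []
    last_accepted_upload = {}   # ip -> time of the last accepted POST to the uploader
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"].lower()
        name = path.rsplit("/", 1)[-1]
        if path == VULNERABLE_ENDPOINT:
            # Any reachable request to this endpoint deserves review; an accepted POST is worse.
            accepted = rec["method"] == "POST" and 200 <= rec["status"] < 300
            findings.append({"ip": ip, "ts": ts, "path": rec["path"],
                             "type": "uploader_request", "severity": "high" if accepted else "medium"})
            if accepted:
                last_accepted_upload[ip] = ts
        elif name in KNOWN_WEBSHELL_NAMES:
            findings.append({"ip": ip, "ts": ts, "path": rec["path"],
                             "type": "known_webshell_access", "severity": "critical"})
        elif name.endswith(".jsp") and ip in last_accepted_upload \
                and (ts - last_accepted_upload[ip]).total_seconds() <= window_seconds:
            # Same source requests a JSP soon after the uploader accepted something from it.
            findings.append({"ip": ip, "ts": ts, "path": rec["path"],
                             "type": "jsp_after_upload", "severity": "high"})
    return findings


def find_recon_commands(lines):
    """Return reported reconnaissance commands spawned by the SAP server process."""
    hits = []
    for line in lines:
        m = PROCESS_EVENT_RE.match(line.strip())
        if not m or m["parent"] != SAP_SERVER_PROCESS:
            continue
        cmd = m["cmd"].strip()
        if any(cmd == c or cmd.startswith(c + " ") for c in RECON_COMMANDS):
            hits.append({"ts": m["ts"], "user": m["user"], "cmd": cmd})
    return hits


if __name__ == "__main__":
    for f in find_http_indicators(SAMPLE_ACCESS_LOG):
        print(f"[{f['severity']:8}] {f['ts'].isoformat()} {f['ip']} {f['type']} {f['path']}")
    for h in find_recon_commands(SAMPLE_PROCESS_EVENTS):
        print(f"[recon   ] {h['ts']} {h['user']} via {SAP_SERVER_PROCESS}: {h['cmd']}")
```

The HTTP check matches on the file name rather than the directory because the report does not state where uploaded files land; the process check keys on the parent process because the report's point is that commands run as the SAP server process, so the same commands typed by an administrator over SSH are not flagged.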
Conclusion
Given the vulnerability’s exploitability and potential consequences, immediate action is critical. SAP NetWeaver users must consult SAP’s official documentation to mitigate risks. Palo Alto Networks will continue to monitor exploitation activities linked to this vulnerability and provide updates.
Protection Measures
Palo Alto Networks clients can benefit from several protective measures, including:
- Next-Generation Firewall Security: With the Advanced Threat Prevention subscription, clients can obstruct attempts to exploit CVE-2025-31324.
- Cortex Xpanse: This tool enables the detection of internet-exposed SAP applications and alerts organizations about risks.
- Cloud-Delivered Security Services: All domains and IP addresses associated with malicious activities are categorized as malicious.
Call to Action
If a compromise is suspected, organizations are urged to contact Palo Alto Networks’ Unit 42 Incident Response team for urgent assistance. Palo Alto Networks also shares these findings with Cyber Threat Alliance members so that they can deploy timely protective measures against this vulnerability.
Contact Information for Unit 42:
- North America: +1 (866) 486-4842
- UK: +44.20.3743.3660
- Europe: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 00080005045107
Continued vigilance and prompt action are necessary to safeguard against threats exploiting CVE-2025-31324.