New Critical Vulnerability Uncovered in SAP NetWeaver

April 28, 2025, 6:50 p.m.

Description

A critical vulnerability in SAP NetWeaver Visual Composer, identified as CVE-2025-31324 with a severity score of 10, allows unauthorized file uploads and execution of malicious files. Initially suspected to be a remote file inclusion issue, it was confirmed to be an unrestricted file upload vulnerability. Attackers exploited it by abusing the /developmentserver/metadatauploader endpoint to upload JSP webshells, gaining remote control and executing arbitrary commands. They used sophisticated tools such as Brute Ratel and the Heaven's Gate technique for command-and-control and evasion. SAP released a patch for this vulnerability; applying it immediately is strongly recommended.

Date

  • Created: April 28, 2025, 4:27 p.m.
  • Published: April 28, 2025, 4:27 p.m.
  • Modified: April 28, 2025, 6:50 p.m.

Indicators

  • 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
  • 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087

Attack Patterns

  • Brute Ratel

Additional Information

  • Technology
  • Government