Threat Brief: CVE-2025-31324

May 12, 2025, 7:17 a.m.

Description

CVE-2025-31324 is a critical vulnerability in the Visual Composer component (VCFRAMEWORK) of SAP NetWeaver Application Server Java. Although the component is not installed by default, business analysts commonly use it to create applications without coding, making it widely present in SAP deployments. Following the public disclosure of this vulnerability, Palo Alto saw a variety of attacks exploiting it and attempting to send different payloads to the server.

Date

  • Created: May 12, 2025, 7:05 a.m.
  • Published: May 12, 2025, 7:05 a.m.
  • Modified: May 12, 2025, 7:17 a.m.

Indicators


Attack Patterns

Linked vulnerabilities