Secure Cyber Vulnerability Management

29/04/2025
Qualys-Threat-Protect

SAP NetWeaver Zero-day Remote Code Execution Vulnerability (CVE-2025-31324)

by Deepanshu Jha

SAP released an out-of-band emergency update to address a remote code execution zero-day vulnerability impacting NetWeaver. Tracked a sCVE-2025-31324, the vulnerability has a critical severity rating with a CVSS score of 10. Threat actors are exploiting the vulnerability to hijack servers.

SAP NetWeaver is a technology platform from SAP that enables organizations to integrate various business processes, data, and applications into a unified system. It acts as a foundation for many SAP applications, including ERP and CRM, and facilitates the integration of data from different sources into a single SAP environment.

Vulnerability Details

The unauthenticated file upload vulnerability exists in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. The vulnerability allows attackers to upload malicious executable files without logging in, leading to remote code execution and complete system compromise.

The vulnerability exists in the /developmentserver/metadatauploader endpoint that handles metadata files for application development and configuration in SAP applications within the NetWeaver environment. An attacker can use specially crafted POST requests to upload malicious JSP webshell files and write them to the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory. After that, these files could be executed remotely by a simple GET requests, giving attackers complete control and turning this endpoint into a launchpad for exploitation.

Affected Versions

The vulnerability affects SAP NetWeaver Visual Composer Framework version 7.50.

Mitigation

The vendor recommends users apply the latest patch.

For more information, please refer to the SAP Security Note 3594142.

Workaround

The vendor recommends the following actions for the users unable to upgrade to the latest patch:

  1. Restrict access to the /developmentserver/metadatauploader endpoint.
  2. If Visual Composer is not in use, consider turning it off entirely.
  3. Forward logs to SIEM and scan for unauthorized files in the servlet path.

Qualys Detection

Qualys customers can scan their devices with QID 732461 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://me.sap.com/notes/3594142

https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

Comments are closed.

You may also like