Critical Vulnerability in SAP NetWeaver Visual Composer
Summary
ReliaQuest has identified and investigated active exploitation of a critical vulnerability in SAP NetWeaver Visual Composer, now tracked as CVE-2025-31324. This vulnerability, initially suspected to be a remote file inclusion (RFI) issue, has been confirmed by SAP as an unrestricted file upload vulnerability, allowing attackers to upload and execute arbitrary malicious files without authorization.
The vulnerability affects the /developmentserver/metadatauploader endpoint and has been exploited in the wild as early as mid-April 2025.
Affected Systems and/or Applications
- SAP NetWeaver systems using Visual Composer, particularly those exposing the /developmentserver/metadatauploader endpoint.
- Systems are vulnerable even if the latest service packs and updates were applied prior to SAP’s April 24 patch.
Technical Details
The vulnerability lies in the SAP NetWeaver Visual Composer component, specifically in the /developmentserver/metadatauploader endpoint. This endpoint, intended for importing metadata files during application development, lacks proper access control and input sanitization. As a result, it allows unauthenticated attackers to upload arbitrary files, including malicious JSP webshells.
Exploitation Process
- Step 1: Malicious Upload – Attackers issue crafted HTTP POST requests to the metadatauploader endpoint, embedding JSP-based webshells as file payloads. These uploads are not blocked or sanitized by the application.
- Step 2: File Placement – Uploaded files are written directly to the following publicly accessible path: /j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/
  This path is served by the SAP NetWeaver application server, meaning files placed here can be executed remotely via standard GET requests in a browser.
- Step 3: Remote Command Execution – The JSP webshells contain Java code that parses command input from HTTP requests, executes it on the underlying OS using Java’s Runtime.getRuntime().exec(), and returns the output in the browser. This gives the attacker full remote code execution (RCE) on the server.
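The three steps above leave a recognisable footprint in the application server's HTTP access log: a POST to /developmentserver/metadatauploader followed, from the same source address, by GET requests for a .jsp file that did not exist before. The script below is an added detection example written for this advisory; it is not ReliaQuest or SAP code. It parses Common Log Format lines, flags every POST to the uploader endpoint (medium severity, since the endpoint should not be reachable at all) and raises the severity to high when the same client then requests a .jsp within a time window. The log lines are constructed samples, and the mapping of the servlet_jsp/irj/root/ directory to the /irj/ URL prefix is an assumption that should be checked against the target system.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format; not taken from any real SAP host.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2025:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [15/Apr/2025:09:15:31 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 112
198.51.100.7 - - [15/Apr/2025:09:15:48 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 64
203.0.113.10 - - [15/Apr/2025:09:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
192.0.2.44 - - [15/Apr/2025:11:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 98
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOADER = "/developmentserver/metadatauploader"
# Assumption: files dropped under .../irj/servlet_jsp/irj/root/ are served below this URL prefix.
JSP_PREFIX = "/irj/"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string before matching
    ev["status"] = int(ev["status"])
    return ev


def find_suspicious(log_text, window=timedelta(minutes=30)):
    """Return one finding per POST to the uploader, enriched with follow-up .jsp requests."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    uploads = [e for e in events
               if e["method"] == "POST" and e["path"].lower() == UPLOADER]
    jsp_hits = [e for e in events
                if e["method"] == "GET"
                and e["path"].lower().startswith(JSP_PREFIX)
                and e["path"].lower().endswith(".jsp")]
    findings = []
    for up in uploads:
        followups = [h for h in jsp_hits
                     if h["ip"] == up["ip"] and up["ts"] <= h["ts"] <= up["ts"] + window]
        findings.append({
            "ip": up["ip"],
            "upload_time": up["ts"].isoformat(),
            "upload_status": up["status"],
            "jsp_requests": sorted({h["path"] for h in followups}),
            # upload followed by a .jsp request from the same client is the full exploitation chain
            "severity": "high" if followups else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A 200 status on the POST is itself noteworthy here, because the advisory states the application does not reject these uploads; any POST to this endpoint from outside the development network should be treated as an incident trigger regardless of what follows.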
Post-Exploitation Tactics
- Brute Ratel C2 Deployment
  Attackers used the webshell to:
  - Write encoded C# payloads to disk (e.g., output.txt)
  - Move the file into trusted directories (e.g., C:\ProgramData\)
  - Compile and execute it via MSBuild.exe, the .NET Framework’s native build tool
  This allowed them to download and execute Brute Ratel, a commercial red-teaming toolkit, to establish persistent C2 access.
- Memory Evasion via Heaven’s Gate
  Observed activity also included Heaven’s Gate, a technique that switches execution context from 32-bit to 64-bit mode to evade EDR detection. This was evident through usage of NtSetContextThread and other low-level syscall manipulation.
Indicators of Compromise (IOCs)
Mitigation & Recommendations
Immediate Actions
- Apply the Patch:
  Install SAP’s official patch for CVE-2025-31324 as soon as possible. Customers can access the patch notes through SAP support channels.
- Disable Visual Composer:
  SAP Visual Composer is deprecated and should be disabled via filters in SAP NetWeaver.
- Restrict Access to Development Server:
  Disable the application alias developmentserver and enforce firewall rules to block external access to this endpoint.
- Review Webshell Paths:
  Inspect the path: j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/
  Remove any unauthorized .jsp files and verify logs for suspicious upload or execution activity.
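For the "Review Webshell Paths" step, the audit script below is an added example for this advisory (not ReliaQuest or SAP code). It walks the servlet_jsp/irj/root/ directory, lists every .jsp with its modification time, compares it against a baseline of expected file names, and greps each file for the command-execution API the advisory names (Runtime.getRuntime().exec(), plus ProcessBuilder as an equivalent Java API). The baseline set is assumed to come from a known-good install of the same release; the demo() helper builds a constructed directory tree so the script can be run without an SAP system.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Directory named in the advisory, relative to the NetWeaver installation root.
WEBSHELL_DIR = "j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/"

# Source-level markers of OS command execution in JSP code.
EXEC_PATTERNS = [
    re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
]


def audit_jsp_dir(root, baseline=frozenset()):
    """Return one record per .jsp file under root, sorted by relative path.

    baseline: relative paths (forward slashes) expected from a known-good install (assumed input).
    verdict: "webshell" if exec indicators are present, "unauthorized" if absent from the
    baseline, otherwise "expected".
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                src = ""
            hits = [p.pattern for p in EXEC_PATTERNS if p.search(src)]
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if hits:
                verdict = "webshell"
            elif rel not in baseline:
                verdict = "unauthorized"
            else:
                verdict = "expected"
            findings.append({
                "path": rel,
                "modified": mtime.isoformat(),
                "in_baseline": rel in baseline,
                "exec_indicators": hits,
                "verdict": verdict,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Audit a constructed sample tree (sample files, not real SAP content) and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "index.jsp"), "w", encoding="utf-8") as fh:
            fh.write('<%@ page language="java" %>\n<html>Hello</html>\n')
        # Only a JSP comment containing the API name: enough to trigger the pattern, not a working shell.
        with open(os.path.join(tmp, "sub", "helper.jsp"), "w", encoding="utf-8") as fh:
            fh.write("<%-- constructed marker: Runtime.getRuntime().exec( --%>\n")
        with open(os.path.join(tmp, "orphan.jsp"), "w", encoding="utf-8") as fh:
            fh.write("<html>no exec here</html>\n")
        with open(os.path.join(tmp, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("not a jsp\n")
        return audit_jsp_dir(tmp, baseline=frozenset({"index.jsp"}))


if __name__ == "__main__":
    target = WEBSHELL_DIR if os.path.isdir(WEBSHELL_DIR) else None
    for f in (audit_jsp_dir(target) if target else demo()):
        print(f["verdict"], f["path"], f["modified"])
```

Treat every "unauthorized" or "webshell" file as evidence rather than just clutter: record its modification time and hash before removal and line the timestamp up against the access-log entries for the uploader endpoint, since the file's creation time bounds when the upload happened.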
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring.
Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
References
- SAP Zero-Day Possibly Exploited by Initial Access Broker – SecurityWeek
- SAP Security Patch Day – April 2025
- ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver