Critical vulnerability disclosed in SAP NetWeaver (CVE-2025-31324)


Summary
Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory discusses a recently disclosed critical vulnerability impacting SAP NetWeaver.
Based on the naming standard followed by Common Vulnerabilities and Exposures (CVE) and the severity scale defined by the Common Vulnerability Scoring System (CVSS), vulnerabilities are classified as critical, high, medium, or low.
Vulnerability Details
● Vulnerability type: Unrestricted Upload of File with Dangerous Type
● CVE: CVE-2025-31324
● CVSSv3.1 base score: 10.0
● Severity: Critical
● Vulnerable versions: SAP NetWeaver 7.xx
Description
Certain versions of SAP NetWeaver are vulnerable because of a missing authorization check in the Visual Composer's Metadata Uploader component. An unauthenticated attacker can send a specially crafted POST request to the /developmentserver/metadatauploader endpoint and upload arbitrary files, including executable content, to the application server.
Additional Information
In April 2025, ReliaQuest analyzed several customer incidents involving SAP NetWeaver in which attackers carried out unauthorized file uploads and then executed the uploaded files. The investigation found that the attackers had placed JSP webshells in publicly accessible directories, behavior that resembles a Remote File Inclusion (RFI) attack. Although the issue was initially suspected to be an RFI vulnerability, it was ultimately identified as an unrestricted file upload flaw.
ReliaQuest investigated the attacks after multiple customer environments were impacted that month and found that the attackers had:
● Uploaded .jsp webshells (such as helper.jsp or cache.jsp) into the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory
● Executed the webshells by sending GET requests
● Leveraged the Brute Ratel tool alongside the Heaven’s Gate technique to establish command-and-control (C2) communications, carry out post-exploitation activities, and evade detection by endpoint security solutions.
ReliaQuest noted that in one case there was a delay of several days between the initial compromise and the follow-up actions, suggesting that the initial attacker may have been an initial access broker intending to sell access to other threat actors.
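The two-step chain described above (an unauthenticated POST to the Metadata Uploader endpoint, then GET requests to a dropped .jsp under /irj/) can be triaged from web-server access logs. The following Python script is an added example, not code from the original advisory or from SAP or ReliaQuest; it assumes a combined-format access log (adjust LOG_RE for your ICM or Web Dispatcher log format), and every sample line in it is constructed. Because ReliaQuest observed days between upload and follow-up, possibly by a different actor, the script also reports a client that requests a known webshell name even when that client never performed the upload.

```python
"""Triage access logs for the CVE-2025-31324 chain: POST to the Metadata
Uploader endpoint, then GET to a dropped .jsp under /irj/.

Added example (not from the original advisory, SAP or ReliaQuest). The
combined-log format and all sample lines below are constructed.
"""
import re
from collections import defaultdict

# Combined access-log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"
# Webshell file names reported by ReliaQuest in the incidents above.
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [22/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412
198.51.100.23 - - [22/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87
203.0.113.7 - - [22/Apr/2025:10:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [25/Apr/2025:08:01:44 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 91
10.0.0.5 - - [22/Apr/2025:10:22:17 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Group indicators by client IP.

    uploader_posts: POST requests to the Metadata Uploader endpoint (upload step).
    jsp_gets: GET requests to .jsp files under /irj/ (execution step).
    A client is reported if it performed the upload step, or if it requested a
    known webshell name even without a prior POST, since the operator of the
    shell may not be the actor who uploaded it.
    """
    by_ip = defaultdict(lambda: {"uploader_posts": 0, "jsp_gets": [], "known_shell": False})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        path = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
        entry = by_ip[rec["ip"]]
        if rec["method"] == "POST" and path.startswith(UPLOADER_PATH):
            entry["uploader_posts"] += 1
        elif rec["method"] == "GET" and "/irj/" in path and path.endswith(".jsp"):
            entry["jsp_gets"].append(path)
            if path.rsplit("/", 1)[-1] in KNOWN_SHELLS:
                entry["known_shell"] = True
    return {ip: v for ip, v in by_ip.items() if v["uploader_posts"] or v["known_shell"]}


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, hits)
```

A GET to the uploader endpoint (the 403 line above) is deliberately not flagged: the description names POST as the upload vector, and scanner noise against the endpoint would otherwise drown the real hits. Any .jsp requested under /irj/ is listed so an analyst can review names other than the two reported ones.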
Multiple proof-of-concept (PoC) exploits and an online scanner for CVE-2025-31324 are publicly available.
Owners of the affected product are advised to utilize Cyble’s Odin scanner to check whether their asset is internet-facing.
SAP has issued guidance for identifying potential compromises in affected systems, outlined in SAP Note #3596125, which details the following steps:
Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files.
● C:\usr\sap\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
● C:\usr\sap\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
● C:\usr\sap\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
The presence of these files is an indication that an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised, and the appropriate incident response plan should be followed.
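The check prescribed by the SAP Note above can be automated. The following Python script is an added example, not SAP's own tooling: it inspects only the top level of each listed directory (the note says "root of the following OS directories") for .jsp, .java or .class files. The SID and instance segments elided in the paths above are not filled in; the caller passes the resolved instance directory that contains j2ee. The self-test at the bottom builds a throwaway directory tree instead of touching a real installation.

```python
"""Automate the SAP Note #3596125 inspection: look for dropped .jsp, .java or
.class files in the root of the listed irj servlet directories.

Added example, not SAP's own tooling. The caller supplies the resolved
instance directory (the one containing j2ee); placeholders from the note are
not filled in here. The demo tree built below is constructed test data.
"""
from pathlib import Path
import tempfile

# Sub-paths listed in the SAP note, relative to the instance directory
SAP_NOTE_SUBPATHS = (
    Path("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"),
    Path("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work"),
    Path("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync"),
)
SUSPECT_SUFFIXES = {".jsp", ".java", ".class"}


def scan_directory(directory):
    """Return suspect files directly inside `directory` (not recursive), sorted."""
    directory = Path(directory)
    if not directory.is_dir():
        return []  # missing directory: nothing to report (caller may log it)
    return sorted(
        p for p in directory.iterdir()
        if p.is_file() and p.suffix.lower() in SUSPECT_SUFFIXES
    )


def check_instance(instance_dir):
    """Run the SAP Note check against one instance directory.

    Returns {directory: [file names]} for every listed directory that holds
    suspect files. An empty dict means the check found nothing.
    """
    findings = {}
    for sub in SAP_NOTE_SUBPATHS:
        target = Path(instance_dir) / sub
        hits = scan_directory(target)
        if hits:
            findings[str(target)] = [h.name for h in hits]
    return findings


def build_demo_instance():
    """Constructed test tree: a dropped .jsp in root, a .class in work/sync,
    a benign file, and a nested .jsp that the non-recursive check must ignore."""
    base = Path(tempfile.mkdtemp(prefix="sapcheck_"))
    root, work, sync = (base / sub for sub in SAP_NOTE_SUBPATHS)
    for d in (root, work, sync):
        d.mkdir(parents=True, exist_ok=True)
    (root / "helper.jsp").write_text("<% /* constructed sample, not a real webshell */ %>")
    (root / "index.html").write_text("benign")
    (sync / "Cache.CLASS").write_bytes(b"\xca\xfe\xba\xbe")  # suffix match is case-insensitive
    (work / "nested").mkdir()
    (work / "nested" / "deep.jsp").write_text("")  # below the root of work: ignored
    return base


if __name__ == "__main__":
    demo = build_demo_instance()
    findings = check_instance(demo)
    if not findings:
        print("No suspect files found.")
    for directory, files in findings.items():
        print(f"SUSPECT: {directory}: {files}")
```

Any non-empty result should be treated as the note describes: the system is considered compromised and the incident response plan applies. Widen SUSPECT_SUFFIXES or make the scan recursive only if your own baseline confirms those directories are otherwise empty.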
Mitigations
Restrict access to the exploited endpoint and to UDDI services
● Configure firewall and SAP Web Dispatcher rules to block external network access to /uddi/ URLs. Because the vulnerability is exploited through the /developmentserver/metadatauploader endpoint described above, the same rules should deny external access to that path as well; restricting /uddi/ alone does not cover it.
● Limit internal access to these paths to administration teams only, and verify the rules by requesting the blocked paths from an untrusted network position.
Recommendations
Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately.
Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Monitoring and logging malicious activities across the network: Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Conclusion
The critical vulnerability recently disclosed in SAP NetWeaver allows unauthenticated attackers to upload and execute arbitrary files, giving them code execution on the operating system of the SAP application server. From there they can shut down applications, deploy ransomware, and compromise the SAP database without restriction. Because SAP systems are tightly interconnected with other business systems, attackers can also pivot from them to other internal resources, amplifying the risk. With active exploitation reported, public PoCs available, and instances exposed to the internet, urgent patching is strongly recommended to prevent major operational and data security impacts.
Published by FPT Metrodata Indonesia.