{"id":1982,"date":"2025-04-28T09:33:27","date_gmt":"2025-04-28T09:33:27","guid":{"rendered":"http:\/\/localhost\/?p=1982"},"modified":"2025-04-28T09:33:27","modified_gmt":"2025-04-28T09:33:27","slug":"active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1982","title":{"rendered":"Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nActive exploitation of SAP NetWeaver Visual Composer CVE-2025-31324<\/td>\n<\/tr>\n
Type<\/th>\nrapid7blog<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-28T11:57:12<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-28T13:52:41<\/td>\n<\/tr>\n
CVSS Score<\/th>\n10.0 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-31324<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\ninfo<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ![Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324](https:\/\/blog.rapid7.com\/content\/images\/2025\/04\/emergent-threat-banner-1.jpeg)<\/p>\n

On Thursday, April 24, enterprise resource planning company SAP published a CVE (and a day later, an advisory behind login) for CVE-2025-31324, a zero-day vulnerability in NetWeaver Visual Composer that carries a CVSSv3 score of 10. The vulnerability arises from a missing authorization check in Visual Composer\u2019s Metadata Uploader component that, when successfully exploited, allows unauthenticated attackers to send specially crafted POST requests to the `\/developmentserver\/metadatauploader` endpoint, resulting in unrestricted malicious file upload.<\/p>\n

While the vulnerable component is not installed in NetWeaver\u2019s default configuration, SAP security firm Onapsis notes that it is widely enabled.<\/p>\n

Per SAP\u2019s docs, Visual Composer \u201coperates on top of the SAP NetWeaver Portal, utilizing the portal’s connector-framework interfaces to enable access to a range of data services, including SAP and third-party enterprise systems. In addition to accessing SAP Business Suite systems, users can access SAP NetWeaver Business Warehouse and any open\/JDBC stored procedures.\u201d<\/p>\n

## Rapid7-observed exploitation<\/p>\n

CVE-2025-31324 is being actively exploited in the wild; Rapid7 MDR has observed exploitation in multiple customer environments dating back to at least March 27, 2025, nearly all of which has targeted manufacturing companies. Adversaries have exploited the vulnerability to drop webshells in the following directory: `j2ee\/cluster\/apps\/sap.com\/irj\/servlet_jsp\/irj\/root\/`<\/p>\n

Public threat intelligence on CVE-2025-31324 exploitation has highlighted the use of webshells named `helper.jsp` and `cache.jsp`. With few exceptions (like `helper.jsp`), most webshells Rapid7 has observed had random 8-character names, e.g.:
\n`cglswdjp.jsp`
\n`ijoatvey.jsp`
\n`dkqgcoxe.jsp`
\n`ylgxcsem.jsp`
\n`cpyjljgo.jsp`
\n`tgmzqnty.jsp`<\/p>\n

Rapid7 has not attributed this activity to a specific threat actor at time of writing.<\/p>\n

## Mitigation guidance<\/p>\n

**All** SAP NetWeaver 7.xx versions and service packs (SPS) are affected.<\/p>\n

SAP\u2019s non-public guidance indicates that customers can check system info (http:\/\/host:port\/nwa\/sysinfo) for the Software Component VISUAL COMPOSER FRAMEWORK (`VCFRAMEWORK.SCA`). If this check returns no results, SAP has said the vulnerability is \u201cnot relevant for that system.\u201d<\/p>\n

Customers should update to the latest version of NetWeaver AS on an emergency basis, without waiting for a regular patch cycle to occur. **Note that updating to a fixed version of NetWeaver will not address pre-existing compromises.** Customers who are unable to update to a fixed version of the application should disable Visual Composer by following SAP\u2019s directions here.<\/p>\n

Customers should also restrict access to the affected endpoint (`\/developmentserver\/metadatauploader`) and investigate their environments for signs of compromise. SAP\u2019s non-public advisory notes that the \u201cmost common targets for an attacking agent\u201d are the following paths under the JAVA server file system \u2014 `jsp`, `java`, or `class` files present directly in these paths should be considered malicious: `C:\\usr\\sap\\\\\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root` `C:\\usr\\sap\\\\\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work` `C:\\usr\\sap\\\\\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work\\sync`<\/p>\n

For additional information and the latest guidance, please refer to SAP\u2019s non-public materials or contact SAP support.<\/p>\n

## Rapid7 customers<\/p>\n

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage.<\/p>\n

For InsightVM and Nexpose customers, our vulnerability coverage engineering team is investigating options to help customers assess exposure to this threat. We will update this blog no later than 3 PM ET on Monday, April 28 with additional information and delivery timelines.\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n10.0<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n