
A critical zero-day vulnerability affecting SAP NetWeaver Visual Composer MetadataUploader, now tracked as CVE-2025-31324, is being actively exploited in the wild to compromise enterprise and government systems. With a maximum CVSS score of 10, the flaw allows unauthenticated attackers to upload and execute malicious binaries, granting them full control over vulnerable hosts.
The ReliaQuest Threat Research Team uncovered the vulnerability during incident response activities in April, while investigating multiple SAP NetWeaver breaches.
“Attackers had uploaded ‘JSP webshells’ into publicly accessible directories, a move reminiscent of a remote file inclusion (RFI) vulnerability,” the ReliaQuest report warns.
Despite many affected systems having the latest SAP service packs installed, attackers were able to bypass protections and abuse the /developmentserver/metadatauploader endpoint to upload malicious files. These files were then placed in the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory, where they could be executed remotely via simple GET requests.
Designed for uploading metadata files such as configurations or serialized objects, the vulnerable endpoint became a launchpad for exploitation. The attackers crafted malicious POST requests to deliver webshells like helper.jsp and cache.jsp, which were capable of executing system commands, uploading files, and retrieving command output—all through a lightweight web interface.
“This webshell gave attackers the tools to upload unauthorized files, seize deeper control of compromised systems, execute remote code at will, and potentially steal sensitive data,” states the report.
Once inside, attackers escalated their control using a mix of known and advanced techniques. ReliaQuest observed the use of:
- Brute Ratel – a powerful C2 framework used to inject malicious payloads into processes like dllhost.exe and maintain persistence.
- Heaven’s Gate – a stealthy memory manipulation technique that switches between 32-bit and 64-bit execution to evade detection.
“The use of the API call NtSetContextThread is central to this tactic, allowing manipulation of thread execution contexts,” the report noted.
Interestingly, in several cases, attackers delayed action for days after gaining initial access—leading researchers to speculate that the threat actors may be initial access brokers (IABs), who sell entry points to other malicious groups. While no direct evidence of webshell access sales was found, past posts on cybercrime forums show ongoing interest in SAP NetWeaver exploitation.
“Based on the available facts, we assess with high confidence that this involves the use of an unreported RFI issue against public SAP NetWeaver servers,” ReliaQuest concluded.
ReliaQuest recommends immediate auditing of any systems running SAP NetWeaver, especially those with publicly accessible interfaces. Detection rules have been provided by the team to identify malicious JSP uploads, Brute Ratel payloads, and memory manipulation attempts.
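One way to hunt for the upload-then-execute pattern described above in web server access logs, as an added defender-side example that is not part of the ReliaQuest report or its detection rules: it flags clients that POST to the /developmentserver/metadatauploader endpoint and then successfully request a .jsp file shortly afterwards. The log lines are constructed samples, and the assumption that uploaded webshells are served under the /irj/ web path is mine, not stated on the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Common Log Format), not real data.
# Assumed: logs are in chronological order; uploaded JSPs are reachable under /irj/.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [15/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [15/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 10240
203.0.113.7 - - [15/Apr/2025:10:07:30 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 64
198.51.100.9 - - [15/Apr/2025:11:00:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/developmentserver/metadatauploader"


def find_suspicious_sequences(log_text, window_seconds=3600):
    """Return (client_ip, upload_time_iso, jsp_path) for every successful GET of a
    .jsp file that the same client issued within window_seconds after POSTing to
    the MetadataUploader endpoint. A 404 on a .jsp is not flagged (nothing ran)."""
    uploads = defaultdict(list)  # client ip -> timestamps of uploader POSTs
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop any query string
        if method == "POST" and path.lower() == UPLOADER:
            uploads[ip].append(ts)
        elif method == "GET" and path.lower().endswith(".jsp") and status == 200:
            # Correlate with the most recent uploader POST from the same client.
            for up in uploads[ip]:
                if 0 <= (ts - up).total_seconds() <= window_seconds:
                    hits.append((ip, up.isoformat(), path))
                    break
    return hits


if __name__ == "__main__":
    for ip, uploaded_at, jsp in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip} uploaded at {uploaded_at} then requested {jsp}")
```

On the constructed sample this reports two hits for 203.0.113.7 (helper.jsp and cache.jsp) and ignores the unrelated client whose .jsp request returned 404.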