Summary: A new vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, is being exploited by threat actors to upload JSP web shells, allowing unauthorized file uploads and code execution. This flaw stems from a weakly secured metadata uploader endpoint which poses significant risks, particularly to government and enterprise systems using SAP solutions. ReliaQuest’s investigation indicates the potential for a zero-day exploit, as many compromised systems were fully patched.
Affected: SAP NetWeaver
Keypoints :
- Exploitation linked to either CVE-2017-9844 or an unreported RFI issue.
- The vulnerability allows for persistent remote access and the execution of malicious payloads.
- Threat actors are employing advanced techniques such as Brute Ratel C4 and Heaven’s Gate for bypassing protections.
- Potential involvement of initial access brokers selling access to compromised systems.
- Critical need for prompt application of security patches to mitigate risk.
- The vulnerability may be tied to another high-severity flaw, enabling unauthorized file uploads.
Source: https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html