Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer that allows unauthorized remote code execution via arbitrary file uploads. Multiple threat actors, including Chinese APT groups and ransomware gangs, have actively exploited this flaw, while Darktrace has demonstrated early detection and containment of associated attacks. #CVE202531324 #SAPNetWeaver #KrustyLoader #UNC5221 #JuicyPotato

Key points

  • CVE-2025-31324 affects SAP NetWeaver Visual Composer Framework 7.1x and above, enabling unauthenticated attackers to upload malicious files and execute remote code.
  • The vulnerability arises from improper authentication and authorization checks in the SAP NetWeaver Application Server Java systems’ Java Servlet endpoint.
  • Reconnaissance preceding exploitation began in January 2025, with confirmed compromises reported by March, involving multiple threat actors including the Chinese APT groups Chaya_004, UNC5221 and UNC5174, and ransomware groups such as RansomEXX and BianLian.
  • Darktrace detected exploitation activity prior to public disclosure, including suspicious domain resolutions to OAST domains and downloads of KrustyLoader malware linked to UNC5221.
  • KrustyLoader acts as an initial-stage loader deploying Sliver C2, a post-exploitation toolkit, and is associated with several Chinese APT campaigns on SAP NetWeaver systems.
  • Darktrace’s Autonomous Response capability contained attacks by blocking suspicious IP connections and detecting privilege escalation tool downloads such as JuicyPotato/SweetPotato linked to the Gelsemium APT group.
  • SAP released a workaround on April 8, 2025, and a full patch on May 13, 2025, addressing the root cause of the vulnerability.

MITRE Techniques

  • [T1588.001] Malware – Resource Development – Used for initial-stage malware deployment, as KrustyLoader is loaded to establish foothold (‘…associated with the KrustyLoader malware…’).
  • [T1059.001] PowerShell – Execution – Used in executing commands post-exploitation indicated by anomalous PowerShell user agent activity (‘…New PowerShell User Agent…’).
  • [T1189] Drive-by Compromise – Initial Access – Exploitation of the SAP NetWeaver vulnerability via crafted HTTP requests to upload malicious files (‘…sending specifically crafted GET, POST, or HEAD HTTP requests…’).
  • [T1105] Ingress Tool Transfer – Command and Control – Attackers download malware components from external sources such as Amazon S3 buckets (‘…downloading multiple executable (.exe) files from several Amazon Simple Storage Service (S3)…’).
  • [T1071] Application Layer Protocol – Command and Control – Use of HTTP/HTTPS protocols for communication and download of malware payloads (‘…using either HTTP or HTTPS…’).
  • [T1210] Exploitation of Remote Services – Lateral Movement – Exploit of SAP NetWeaver Remote Services for initial compromise and potential lateral movement (‘…vulnerability in a Java Servlet…enabling remote code execution…’).
  • [T1048.003] Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol – Exfiltration – Indicators show activity involving unusual data transmissions and domain requests for validation (‘…making DNS requests for OAST domains suggesting exploit validation…’).

Indicators of Compromise

  • [IP Address] Suspicious external endpoint involved in privilege escalation tool download – 23.95.123[.]5
  • [File Hash – SHA-1] JuicyPotato/SweetPotato privilege escalation tool – e007edd4688c5f94a714fee036590a11684d6a3a
  • [File Hash – SHA-256] KrustyLoader malware samples – 1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60, b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8, and others
  • [Domains/URLs] Amazon S3 URLs used for malware delivery – abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/nVW2lsYsYnv58, applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/7p3ow2ZH, beansdeals-static.s3.amazonaws[.]com/UsjKy, plus several others linked to KrustyLoader
  • [URL] Privilege escalation tool download URL – hxxp://23.95.123[.]5:666/xmrigCCall/s.exe
  • [File Hash – MD5] KrustyLoader and JuicyPotato samples – 29274ca90e6dcf5ae4762739fcbadf01, 83a797e5b47ce6e89440c47f6e33fa08, and others
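A minimal detection pass over the indicators listed above, added here as an example (not Darktrace's code or the post's own): it refangs the listed hosts, runs constructed DNS and proxy log lines through a few rules, and flags the OAST resolutions, executable downloads and PowerShell user agent that the key points describe. The log format, the OAST and PowerShell heuristics and the sample lines are assumptions.

```python
import re

# Hosts quoted from the indicator list above, defanged as written there.
DEFANGED_HOSTS = {
    "23.95.123[.]5": "JuicyPotato/SweetPotato download host",
    "abode-dashboard-media.s3.ap-south-1.amazonaws[.]com": "KrustyLoader S3 delivery",
    "applr-malbbal.s3.ap-northeast-2.amazonaws[.]com": "KrustyLoader S3 delivery",
    "beansdeals-static.s3.amazonaws[.]com": "KrustyLoader S3 delivery",
}
# Refang "[.]" so the indicators match real log values.
KNOWN_HOSTS = {h.replace("[.]", "."): why for h, why in DEFANGED_HOSTS.items()}

# Assumed heuristics (not from the post): OAST callback names contain an
# "oast." label, and PowerShell's default User-Agent contains "WindowsPowerShell".
OAST_RE = re.compile(r"(^|\.)oast\.", re.I)
PS_UA_RE = re.compile(r"WindowsPowerShell", re.I)

# Constructed log format (assumption): '<time> <src_ip> dns <name>' or
# '<time> <src_ip> http <url> "<user-agent>"'.
LINE_RE = re.compile(r'^(\S+) (\S+) (dns|http) (\S+)(?: "([^"]*)")?$')

def classify(line):
    """Return (time, src, host, reasons) when a line matches any rule, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, value, ua = m.groups()
    # For HTTP, reduce the URL to its host (drop scheme, path and port).
    host = value if kind == "dns" else re.sub(r"^https?://", "", value).split("/")[0].split(":")[0]
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append(KNOWN_HOSTS[host])
    if OAST_RE.search(host):
        reasons.append("OAST domain resolution (possible exploit validation)")
    if kind == "http" and value.lower().endswith(".exe"):
        reasons.append("executable download")
    if ua and PS_UA_RE.search(ua):
        reasons.append("PowerShell user agent")
    return (ts, src, host, reasons) if reasons else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample traffic from a hypothetical SAP host 10.0.0.25 (not real logs).
SAMPLE = """\
2025-04-20T10:00:01Z 10.0.0.25 dns sap-updates.example.com
2025-04-20T10:00:05Z 10.0.0.25 dns c3q1abc.oast.fun
2025-04-20T10:01:10Z 10.0.0.25 http https://abode-dashboard-media.s3.ap-south-1.amazonaws.com/nVW2lsYsYnv58 "curl/8.0"
2025-04-20T10:02:30Z 10.0.0.25 http http://23.95.123.5:666/xmrigCCall/s.exe "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"
""".splitlines()
```

Calling `scan(SAMPLE)` returns the three hits in log order; the benign first line produces nothing.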

Read more: https://darktrace.com/blog/tracking-cve-2025-31324-darktraces-detection-of-sap-netweaver-exploitation-before-and-after-disclosure