Threat Brief: CVE-2025-31324

Executive Summary

On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry.

This vulnerability allows unauthenticated users to upload arbitrary files to an SAP NetWeaver application server, leading to potential remote code execution (RCE) and full system compromise. Exploitation is achieved by sending specially crafted HTTP requests to the /developmentserver/metadatauploader endpoint. We have observed attackers leveraging this vulnerability to deploy web shells (e.g., helper.jsp and cache.jsp) for persistent access and subsequent command execution.

In our incident response cases and telemetry, we observed attackers exploiting this vulnerability to deploy, for example, reverse shell tools and a reverse SSH SOCKS proxy using a variety of network infrastructure.

We recommend that users of SAP NetWeaver refer to official documentation and instructions from SAP for guidance.

Palo Alto Networks customers receive protections from and mitigations for CVE-2025-31324 in the following ways:

• The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block attacks using best practices via Threat Prevention signature 96181.
• Cortex Xpanse has the ability to identify internet-exposed SAP NetWeaver applications, including version information, on the public internet and escalate these findings to defenders. These findings are also available for Cortex XSIAM customers who have purchased the ASM module.
• Advanced URL Filtering and Advanced DNS Security identify known domains and IP addresses associated with this activity as malicious.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Details of CVE-2025-31324

CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployments.

The core issue with this vulnerability is a missing authorization check in the Metadata Uploader, accessible via the /developmentserver/metadatauploader endpoint. This means that any user, even unauthenticated ones, can interact with this endpoint and upload arbitrary files to the server.

Here's a breakdown of how the vulnerability works:

Unrestricted access: The /developmentserver/metadatauploader endpoint is exposed over HTTP/HTTPS and lacks proper authentication or authorization controls.

Malicious file upload: An attacker can send a specially crafted HTTP request to the vulnerable endpoint, containing a malicious file as the request body.

File system access: Due to the missing authorization check, the server accepts the attacker's request and writes the uploaded file to the server's file system. The file is often written to a location within the web application's accessible directories (e.g., under /irj/servlet_jsp/irj/root/).

Web shell execution (common scenario): If the attacker uploads a web shell like a Java server page (JSP) file, the attacker can then access the web shell via a web browser. Now residing on the server, this web shell allows an attacker to execute arbitrary operating system commands with the privileges of the SAP application server process.

System compromise: With the ability to execute commands as an SAP system administrator (system account name: sidadm), an attacker effectively gains control of the SAP system and its associated data. The attacker can then perform various malicious activities.

CVE-2025-31324 allows attackers to bypass security controls and directly upload and execute malicious files on vulnerable SAP servers, potentially leading to complete system compromise. The ease of exploitation (no authentication required) and the possibility for high impact make this a critical vulnerability that requires immediate attention and remediation.

Current Scope of Attacks Utilizing CVE-2025-31324

In line with industry observations, we saw suspicious HTTP requests to the /developmentserver/metadatauploader endpoint on SAP NetWeaver systems in late January 2025 that were likely testing this vulnerability before its disclosure. Following a lull in activity, a threat actor exploited this vulnerability starting in mid-March 2025 to deploy JSP web shells, with names such as cache.jsp and help.jsp.

Unsurprisingly, following the public disclosure of this vulnerability, we saw a variety of attacks exploiting this vulnerability and attempting to send different payloads to the server.

We observed two stages of post-compromise activity:

• Reconnaissance
• Tool deployment

Reconnaissance

Following a successful exploit and initial web shell, attackers have used a variety of common reconnaissance commands to gather information about the compromised systems and the surrounding network. Commands observed during intrusions include:

• cat /etc/hosts
• cat /etc/resolv.conf
• cat ~/.bash_history
• cat /etc/issue
• crontab -l
• ps -ef
• df -a
• last -n 30
• netstat -tenp
• nltest /domain
• uname -a
• ls /mnt
• ls /var
• ls /opt

Tool Deployment

The majority of initial post-exploitation activity centered around the deployment and use of web shells. While above we noted web shells named helper.jsp and cache.jsp, attackers also deployed other JSP files for web shells.

One such sample is named ran.jsp, shown in Figure 1. This is a simple JSP file capable of executing commands sent as the cmd parameter. The results of these commands are returned as HTML text, if the correct key parameter is supplied.

GOREVERSE

We have also observed attackers deploying other reverse shell tools with the filename config. These include a publicly available tool that Google calls GOREVERSE. Based on the project's GitHub page, GOREVERSE has the following capabilities:

• Managing and connecting to reverse shells with native SSH syntax
• Dynamic, local and remote forwarding
• Native SCP and SFTP implementations for retrieving files from the targets
• Full Windows shell
• Multiple network transports, such as HTTP, web sockets and TLS
• Mutual client and server authentication to create high-trust control channels

The sample we observed was a 64-bit ELF binary that was obfuscated using another open-source tool called Garble. In this instance, the threat actor first downloaded a shell script config.sh to the compromised SAP server using the initial helper.jsp webshell. The shell script was downloaded from ocr-freespace.oss-cn-beijing.aliyuncs[.]com and is shown below in Figure 2.

This GOREVERSE sample uses a hard-coded C2 address and port number of 47.97.42[.]177:3232. The IP address 47.97.42[.]177 has also been associated with malware based on the open-source tool SUPERSHELL. Further analysis of CVE-2025-31324 exploitation activity involving this IP address (including potential attribution to a threat actor likely based in China) has been highlighted in reporting by Forescout.

Reverse SSH SOCKS Proxy

We observed an attacker execute the following PowerShell command to download a suspicious payload as shown in Figure 3.

The domain pages[.]dev is used by a legitimate Cloudflare service that can deploy websites. In this example, d-69b.pages[.]dev hosted a Base64-encoded PowerShell script. The decoded script performs several actions:

• Retrieves the compromised system’s domain name and username, which an attacker uses to name a private key
• Kills any running ssh.exe and sshd.exe processes
• Creates temporary directories to download and store OpenSSH files from GitHub
• Generates SSH keys, and uploads the local private key to the attacker’s hard-coded C2 server 45.76.93[.]60
• Uses ssh.exe to establish a remote tunnel to the C2 server.

Conclusion

Based on the ease of exploiting the vulnerability and potential for high impact, we recommend taking steps to protect your organization. We recommend that users of SAP NetWeaver refer to official documentation and instructions from SAP for guidance.

Unit 42 will continue to monitor exploitation of this vulnerability and update this threat brief as appropriate.

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks Product Protections for CVE-2025-31324

Palo Alto Networks customers are better protected by our products, as listed below.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 00080005045107

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block attempted exploitation of CVE-2025-31324 via the following Threat Prevention signature: 96181.

Cortex Xpanse

Cortex Xpanse has the ability to identify internet-exposed SAP NetWeaver applications, including version information, on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the “SAP NetWeaver Application Server” Attack Surface Rule is enabled.

Additionally, an Attack Surface Test named "SAP NetWeaver Visual Composer Metadata Uploader Arbitrary File Upload Vulnerability" is available, which can be run against exposed applications to provide confirmation of exploitability for this vulnerability.

These findings are also available for Cortex XSIAM customers who have purchased the ASM module.

Cloud-Delivered Security Services for the Next-Generation Firewall

Domains and IP addresses associated with this malicious activity are categorized as malicious by Advanced URL Filtering and Advanced DNS Security.

Indicators of Compromise