SAP was made aware of a vulnerability in SAP NETWEAVER Visual Composer, which may have allowed unauthenticated and unauthorized code execution in a certain Java Servlet. A security patch was released on April 24, 2025. Customers were recommended to apply the patch immediately.

Security Note 3594142

https://www.cve.org/CVERecord?id=CVE-2025-31324


Update May 14, 2025

Since our initial disclosure of CVE-2025-31324, recent reports have attributed aspects of the attack chain to China-linked threat actors, adding new dimensions to the investigation.

However, continued analysis has uncovered evidence suggesting involvement from the Russian ransomware group “BianLian” and the operators of the “RansomEXX” ransomware family (tracked by Microsoft as “Storm-2460”). These findings reveal widespread interest in exploiting this vulnerability across multiple threat groups.

Tracing BianLian Through Proxy Servers

We assess with moderate confidence that BianLian was involved in at least one incident. We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable. This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associated with BianLian, sharing identical certificates and ports.

RansomEXX’s Use of PipeMagic

In a separate incident, we observed the deployment of “PipeMagic,” a modular backdoor linked to RansomEXX. Delivered through MSBuild abuse, PipeMagic uses the EnumCalendarA API callback methodology, with sandbox analysis confirming beaconing to aaaaabbbbbbb[.]eastus[.]cloudapp[.]azure[.]com, a domain tied to both PipeMagic and RansomEXX.

The malware was deployed just hours after global exploitation involving the helper.jsp and cache.jsp webshells. Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution. During this activity, a dllhost.exe process was spawned, signaling a potential attempt to exploit the CLFS vulnerability (CVE-2025-29824), which the group had previously exploited; this time the attempt appeared to use inline assembly.

Successful exploitation of this vulnerability produces a .blf file. That file was not observed in this instance, indicating another unsuccessful exploitation attempt. These tactics closely align with RansomEXX’s known behavior in previous campaigns, where PipeMagic has been used for privilege escalation and post-exploitation activities.

Multiple Actors, One Vulnerability

CVE-2025-31324 has emerged as a high-value target for threat actors, with multiple groups pursuing opportunistic attacks, likely aiming to deploy ransomware or gain access to sensitive enterprise systems for extortion.

The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses.


Update May 2, 2025

We're actively monitoring and gathering IOCs related to CVE-2025-31324, and we have added new IOCs to the list below, which we will continue to update as more information becomes available.

In SAP's private advisory, SAP recommends that customers check the affected directories not only for JSP files but also for Java or class files. Please treat any JSP, Java, or class files found in the directories in our updated IOC list as potentially malicious.

As ReliaQuest continues our investigations into CVE-2025-31324, we've observed that these webshells are not confined to helper.jsp or cache.jsp; randomly named JSP files like rrx.jsp and dyceorp.jsp can also be found within NetWeaver directories.


Update April 25, 2025

On April 22, 2025, ReliaQuest published details of our investigation into exploitation activity targeting SAP NetWeaver systems that could enable unauthorized file uploads and execution of malicious files. On April 24, 2025, SAP disclosed "CVE-2025-31324," a critical vulnerability in SAP NetWeaver Visual Composer with the highest severity score of 10.

This vulnerability, which we identified during our investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue. However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization.

ReliaQuest notified SAP of our investigation into this vulnerability. Acknowledging our intelligence, SAP released a patch for this vulnerability. SAP customers can review the notes for this patch here. We strongly recommend updating SAP NetWeaver to the latest version to mitigate this vulnerability.

ReliaQuest took several proactive steps prior to the disclosure of this critical vulnerability:

  • We proactively created and deployed a detection mechanism to help customers identify and mitigate potential exploitation attempts. This detection specifically targets suspicious JSP files being written to the path "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/," which could indicate the upload of a malicious webshell.

  • We are currently modifying existing rules for additional visibility into post-exploitation activity.

  • We have conducted investigations and initiated proactive threat hunts on behalf of customers.

  • We continue to track tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs), to enhance detection and response capabilities.


Published on April 22, 2025

Key Points

  • On April 22, 2025, ReliaQuest published an investigation into exploitation activity targeting SAP NetWeaver systems, uncovering a critical vulnerability later identified by SAP as "CVE-2025-31324" with a severity score of 10.

  • Initially suspected as a remote file inclusion issue, it was confirmed to be an unrestricted file upload vulnerability, and SAP subsequently released a patch to address it, which we strongly recommend applying.

  • SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers.

  • ReliaQuest notified SAP of our investigation into this vulnerability. Acknowledging our intelligence, SAP released a patch for this vulnerability, which we strongly recommend applying.

  • Prior to the disclosure of this critical vulnerability, ReliaQuest implemented a new detection mechanism to identify exploitation attempts. We have subsequently enhanced visibility rules and conducted threat hunts to further defend customers.


In April 2025, ReliaQuest investigated multiple customer incidents, affecting the technology integration platform SAP NetWeaver, that involved unauthorized file uploads and the execution of malicious files. We discovered that attackers had uploaded “JSP webshells” into publicly accessible directories, a move reminiscent of a remote file inclusion (RFI) vulnerability. Several affected systems were already running the latest SAP service pack and had applied patches.

This raised serious questions: Were attackers exploiting an old vulnerability (CVE-2017-9844), or was this a sign of an unreported RFI issue within SAP systems?

SAP's solutions are likely an attractive target for threat actors for two key reasons.

  1. They are often used by government agencies, meaning that successful compromise of SAP vulnerabilities is likely to facilitate access to government-related networks and information.

  2. As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise.


Key Points

  • Attackers targeted SAP NetWeaver systems, leveraging JSP webshells to enable unauthorized file uploads and code execution.

  • The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue.

  • Attackers employed tools like Brute Ratel and Heaven’s Gate for execution and evasion.

  • SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers.

  • ReliaQuest detection rules can help identify this malicious activity.


In this report, we uncover the technical nuances and potential implications of this exploitation. Here’s what you’ll learn:

  • Anatomy of the exploitation: A closer look at how attackers abused a specific endpoint to upload malicious JSP files.

  • Insights into the attackers’ tactics, techniques, and procedures (TTPs), including their use of the “Brute Ratel” framework and the “Heaven’s Gate” technique.

  • Practical recommendations for securing SAP NetWeaver systems.

From Metadata to Malicious: Abusing MetadataUploader

The vulnerability involved in these cases lies in the /developmentserver/metadatauploader endpoint, a feature designed to handle metadata files for application development and configuration in SAP applications within the NetWeaver environment. In theory, it’s supposed to streamline the transfer and processing of files like configuration data or serialized objects. But in the incidents we investigated, attackers found a way to exploit it. Via carefully crafted POST requests, the attackers uploaded malicious JSP webshell files and wrote them to the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory. Once there, these files could be executed remotely via simple GET requests, giving attackers full control and turning this endpoint into a launchpad for exploitation. Figure 1 shows the network traffic that results in the webshell being uploaded, which then allows for command execution.

Figure 1: Malicious POST and GET requests observed with JSP webshell
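The two-request pattern in Figure 1 (a POST to the metadatauploader endpoint, then a GET to a .jsp under the root directory) can be turned into a correlation rule over HTTP access logs. The following is an added example written for this post, not ReliaQuest's detection content; it assumes a generic "timestamp client "METHOD path proto" status" log layout, since NetWeaver's actual access-log format is not shown on the page, and the sample lines are constructed.

```python
import re

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# A .jsp directly under the directory the page names as the webshell drop location
WEBSHELL_RE = re.compile(r"/irj/servlet_jsp/irj/root/[^/?\s]+\.jsp$", re.IGNORECASE)
# Generic "timestamp client "METHOD path proto" status" layout; assumption: the real
# NetWeaver HTTP access-log format is not shown on the page, so adapt this regex to it
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$')

# Constructed sample lines (not from an actual incident)
SAMPLE_LOG = """\
2025-04-20T10:01:02Z 203.0.113.5 "POST /developmentserver/metadatauploader HTTP/1.1" 200
2025-04-20T10:01:07Z 203.0.113.5 "GET /irj/servlet_jsp/irj/root/helper.jsp?cmd=REDACTED HTTP/1.1" 200
2025-04-20T10:02:00Z 198.51.100.9 "GET /irj/portal HTTP/1.1" 200
2025-04-20T10:03:11Z 198.51.100.9 "GET /irj/servlet_jsp/irj/root/cache.jsp HTTP/1.1" 200
2025-04-20T10:04:00Z 192.0.2.77 "POST /irj/portal HTTP/1.1" 302
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Two-stage rule: any POST to the upload endpoint is an alert on its own; a GET to
    a .jsp in the root directory is 'webshell-exec-after-upload' when the same client
    hit the upload endpoint earlier, else the lower-confidence 'jsp-in-root-dir'."""
    uploaders = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]  # drop the query string before matching
        if ev["method"] == "POST" and path.lower().startswith(UPLOAD_ENDPOINT):
            uploaders.add(ev["client"])
            alerts.append((ev["ts"], ev["client"], "upload-endpoint-post", path))
        elif ev["method"] == "GET" and WEBSHELL_RE.search(path):
            kind = "webshell-exec-after-upload" if ev["client"] in uploaders else "jsp-in-root-dir"
            alerts.append((ev["ts"], ev["client"], kind, path))
    return alerts


def run_sample():
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule is deliberately stateful per client: a GET to a .jsp in that directory is suspicious on its own (L198's review step), but a preceding POST from the same source to the upload endpoint is what distinguishes the exploitation chain described here.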

The NetWeaver Break-in

Our investigation revealed a troubling pattern, suggesting that adversaries are leveraging a known exploit and pairing it with a mix of evolving techniques to maximize their impact.

Remote Control Through JSP Webshells

In each instance of exploitation we observed, attackers planted the JSP webshell in the servlet_jsp/irj/root/ file path. While the names of the JSP files varied—examples include “helper.jsp” and “cache.jsp”—the files were similar in function, and many shared code from a publicly accessible GitHub repository that enables remote command execution and file uploads. Figure 2 shows a webshell that we identified with key characteristics highlighted.

Figure 2: Inside the JSP webshell

  1. Imports Java packages to enable the webshell to execute commands and interact with system processes.

  2. Creates an HTML form enabling the attacker to execute commands directly on the webpage.

  3. Extracts the command from the HTTP request and executes it.

  4. Captures the command output and displays it on the webpage.

The goal of the webshell was clear: Use the JSP file to send GET requests that would execute arbitrary commands. This webshell gave attackers the tools to upload unauthorized files, seize deeper control of compromised systems, execute remote code at will, and potentially steal sensitive data by placing it in publicly accessible directories. Its lightweight, highly compatible design made it the perfect weapon for maintaining persistence and fully exploiting the vulnerable systems.

Webshells and Memory Manipulation

While the initial access tactics largely remained the same for each incident, once the attacker had gained access, several different TTPs were used for command-and-control (C2) and persistence. In one instance, we identified the use of Brute Ratel and Heaven’s Gate. Brute Ratel is a sophisticated for-purchase C2 framework typically sold only to penetration testing teams, while Heaven’s Gate is a memory manipulation technique used to bypass endpoint protections.

Brute Ratel Beacon Upload

Leveraging the malicious webshell, attackers posted C# code to “output.txt” in a publicly accessible directory. The attackers then moved the file to the ProgramData directory on the server itself using the following commands:

Figure 3: Malicious command used to facilitate Brute Ratel download

Next, the attackers leveraged these files to compile code using the .NET Framework's MSBuild utility:

Figure 4: Command used to compile code

This code was subsequently used to retrieve Brute Ratel from an external server. The threat actor abused Brute Ratel to inject code into the Windows process “dllhost.exe,” allowing the attacker to load and decrypt malicious payload files in memory.

Brute Ratel Key Features:

  • C2 Framework: Provides attackers or testers a way to maintain control over compromised systems via C2 communication, supporting encrypted channels.

  • Payload Customization: Enables the creation of fully customizable payloads designed to bypass antivirus (AV) and endpoint detection and response (EDR) solutions.

  • Post-Exploitation: Offers tools for privilege escalation, credential harvesting, lateral movement, and persistence after a system is compromised.

Heaven's Gate

The Heaven’s Gate technique allows the transition from a 32-bit mode to a 64-bit mode during execution, assisting evasion. Notably, specific syscalls were observed and flagged as Heaven’s Gate.

Figure 5: Heaven's Gate metadata

The use of the API call NtSetContextThread is central to this tactic, allowing manipulation of thread execution contexts to transition seamlessly between 32-bit and 64-bit code—a key feature of the Heaven’s Gate technique.

Tracing Initial Access

In one instance, we observed that it took several days for the attacker to move from initial access to performing follow-up actions. Based on this delay, we believe the attacker may be an initial access broker obtaining and selling access to other threat actors. Initial access brokers typically sell access to compromised organizations via methods such as VPN, RDP, or exploitation of vulnerabilities on cybercriminal forums.

We reviewed these forums for posts offering access to SAP NetWeaver servers via a webshell but found none. However, we did identify posts advertising access to SAP servers, although these likely involved compromised credentials rather than the exploitation of a vulnerability. Any discussions we found about SAP NetWeaver exploitation dated back to 2021. For example, at that time, one forum user mentioned gaining access by exploiting CVE-2020-6287 and CVE-2020-6207 and was seeking advice on next steps, such as selling the access. Although there’s no evidence the access was sold, SAP NetWeaver remains a topic of discussion, indicating that it continues to be targeted, as demonstrated in this case.

Figure 6: XSS forum member discusses access by exploiting NetWeaver SAP

Two Sides of the Same Coin: Unraveling What We Found

There are two possible explanations for what’s going on here: attackers are exploiting either a known vulnerability or a new, undisclosed vulnerability.

  • There are distinct similarities between the activity we’ve observed and an old vulnerability in SAP NetWeaver. By exploiting CVE-2017-9844, remote attackers can cause a denial-of-service state on affected devices. There were rumblings that this vulnerability also allowed attackers to execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, which sounds familiar.

  • The alternative is an unreported RFI issue in SAP systems. This is possible because patches were applied that would have mitigated CVE-2017-9844.

Based on the available facts, we assess with high confidence that this involves the use of an unreported RFI issue against public SAP NetWeaver servers. It is currently unconfirmed whether this only impacts specific versions of NetWeaver; however, in the cases where these tactics were observed, the server had the most up-to-date patch.

Step Up Your Defenses

Update SAP NetWeaver to the latest version. The patch notes can be viewed by SAP customers here.

If updates cannot be applied, the following mitigations can prevent files from being added to the file system. SAP NetWeaver customers can implement one of the workaround options below that best matches their system.

Your Action Plan

  • Disable Visual Composer using filters within SAP NetWeaver. Visual Composer is a tool used for creating user interfaces for applications without traditional coding. However, Visual Composer has been deprecated since 2015 and is no longer supported. Therefore, it is recommended to disable it to mitigate the risk of exploitation.

  • Disable the application alias “developmentserver” and configure firewall rules to restrict access to the development server application URL. This URL is targeted in the initial POST request of the exploit, and restricting access can help mitigate a successful attack.

  • Forward SAP NetWeaver logs to a centralized system: Ensure SAP NetWeaver is configured to forward logs to a central monitoring platform, such as a SIEM. Centralized logging enables comprehensive visibility across the environment, aiding in the effective detection of suspicious activities and facilitating faster investigation of potential security incidents.

  • Review for suspicious files by checking the path “j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/”. Any unauthorized files could indicate malicious webshell activity or exploitation attempts and should be removed before implementing mitigations, as they may remain active and provide the attacker with access.
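The file review above, together with the May 2 guidance to check the listed directories for JSP, Java and class files, can be scripted as a hunt that hashes every such file and compares it against the webshell hashes in the IOC table. This is an added example, not ReliaQuest's or SAP's tooling; it assumes the three directories from the IOC table relative to the instance root (C:\usr\sap\<SID>\<InstanceID>), and the demo builds a constructed directory tree with a placeholder file rather than a real webshell.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values of the webshells listed in this page's IOC table, keyed by hash
KNOWN_WEBSHELL_HASHES = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
    "0a866f60537e9decc2d32cbdc7e4dcef9c5929b84f1b26b776d9c2a307c7e36e": "rrr141.jsp",
    "4d4f6ea7ebdc0fbf237a7e385885d51434fd2e115d6ea62baa218073729f5249": "rrxx1.jsp",
    "1579b6776eeaf79cbd0852fa9cdb3656e16688ca65e7806c9bc018eefebe0ae8": "rrxx.jsp",
    "565d7ed059e2d60fa69cc51a6548aa9f8192a71f4cd79112823f3f628cfede85": "rrx.jsp",
    "ec30c87f65f16e3b591e7ce74229a700c59766e242be3df46979fea54c330873": "rrrx141.jsp",
    "31d7d0dab2fb367c24be0b1a08a7b751d2967f3999307f217d9230ea485a3743": "rrr232.jsp",
    "a5818e3a58198da5b8ea4cc001a7cecf06aa8a7684489743976996b8cddbd200": "rrr142.jsp",
}
# Directories from the IOC table, relative to the instance root (assumed C:\usr\sap\<SID>\<InstanceID>)
WATCH_DIRS = (
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
)
SUSPECT_SUFFIXES = {".jsp", ".java", ".class"}  # per SAP's advisory, all three are in scope


def sha256_of(path):
    """SHA-256 hex digest of a file (webshells are small, so the whole file is read)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def hunt(instance_root, known=KNOWN_WEBSHELL_HASHES):
    """Return (relative_path, sha256, verdict) for each JSP/Java/class file in the watched
    directories: 'known-webshell' on an IOC hash match, otherwise 'review' (any such file
    in these directories is unexpected and should be inspected)."""
    root = Path(instance_root)
    findings = []
    for rel in WATCH_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):  # no recursion: work/sync is listed on its own
            if p.is_file() and p.suffix.lower() in SUSPECT_SUFFIXES:
                digest = sha256_of(p)
                verdict = "known-webshell" if digest in known else "review"
                findings.append((p.relative_to(root).as_posix(), digest, verdict))
    return findings


def demo():
    """Constructed instance root: a placeholder cache.jsp (not the real webshell) and an
    out-of-scope index.html; returns the root path and the hunt results."""
    root = Path(tempfile.mkdtemp())
    target = root / WATCH_DIRS[0]
    target.mkdir(parents=True)
    (target / "cache.jsp").write_text("<%-- constructed placeholder --%>")
    (target / "index.html").write_text("<html></html>")
    return {"root": str(root), "findings": hunt(root)}
```

A file reported as "review" that is not a known deployment artifact should be preserved for analysis and then removed before patching, as the action plan notes.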

IOCs

Artifact | Details
--- | ---
1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087 | Helper.jsp webshell
794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf | Cache.jsp webshell
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root | NetWeaver directory
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work | NetWeaver directory
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync | NetWeaver directory
0a866f60537e9decc2d32cbdc7e4dcef9c5929b84f1b26b776d9c2a307c7e36e | rrr141.jsp webshell
4d4f6ea7ebdc0fbf237a7e385885d51434fd2e115d6ea62baa218073729f5249 | rrxx1.jsp webshell
1579b6776eeaf79cbd0852fa9cdb3656e16688ca65e7806c9bc018eefebe0ae8 | rrxx.jsp webshell
565d7ed059e2d60fa69cc51a6548aa9f8192a71f4cd79112823f3f628cfede85 | rrx.jsp webshell
ec30c87f65f16e3b591e7ce74229a700c59766e242be3df46979fea54c330873 | rrrx141.jsp webshell
31d7d0dab2fb367c24be0b1a08a7b751d2967f3999307f217d9230ea485a3743 | rrr232.jsp webshell
a5818e3a58198da5b8ea4cc001a7cecf06aa8a7684489743976996b8cddbd200 | rrr142.jsp webshell
dns[.]telemetrymasterhostname[.]com | Domain
184[.]174[.]96[.]74 | IP address
184[.]174[.]96[.]70 | IP address