Ethical Hacking News
A critical flaw in SAP NetWeaver has been discovered, allowing hackers to upload malicious JSP web shells with the intention of facilitating unauthorized file uploads and code execution. This vulnerability is rated with a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), making it one of the most critical vulnerabilities discovered in recent times.
SAP NetWeaver has been compromised by a critical flaw (CVE-2025-31324) that allows hackers to upload malicious JSP web shells. The vulnerability is rated with a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS). The exploitation of this vulnerability is likely tied to a previously disclosed vulnerability or an unreported remote file inclusion (RFI) issue. Unknown threat actors can upload malicious JSP-based web shells in the "servlet_jsp/irj/root/" path for persistent remote access and deliver additional payloads. Threat actors have used post-exploitation frameworks and techniques to bypass endpoint protections and gain unauthorized access. The vulnerability highlights the importance of keeping up with security patches and updates for enterprise software solutions.
SAP NetWeaver, a widely used enterprise software solution for developing web applications, has been compromised by a critical flaw that could allow hackers to upload malicious JSP web shells with the intention of facilitating unauthorized file uploads and code execution. This vulnerability, identified as CVE-2025-31324, is rated with a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), making it one of the most critical vulnerabilities discovered in recent times.
According to ReliaQuest, a cybersecurity firm that specializes in threat intelligence and incident response, the exploitation of this vulnerability is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue. The possibility of a zero-day exploit stems from the fact that several systems impacted by this vulnerability were already running the latest patches.
The flaw is assessed to be rooted in the "/developmentserver/metadatauploader" endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the "servlet_jsp/irj/root/" path for persistent remote access and deliver additional payloads. These lightweight JSP web shells are configured to upload unauthorized files, enable entrenched control over the infected hosts, execute remote code, and siphon sensitive data.
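A defensive check built on the two indicators named above, as an added example that is not from ReliaQuest, SAP or the original article: it flags requests to the uploader endpoint in a web access log and lists JSP files below any servlet_jsp/irj/root directory. The Common/Combined Log Format, the constructed sample lines and the function names are assumptions.

```python
import re
from pathlib import Path

ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named in the article
DROP_DIR = ("servlet_jsp", "irj", "root")         # drop path named in the article

# Assumption: the web access log uses Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [22/Apr/2025:09:58:10 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 64',
    '203.0.113.7 - - [22/Apr/2025:10:01:09 +0000] "POST /DevelopmentServer/MetadataUploader?a=b HTTP/1.1" 404 0',
    'unparseable line',
]

def uploader_requests(lines):
    """Return (ip, timestamp, method, status) for each request to the uploader endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Drop the query string and compare case-insensitively so variants are not missed.
        path = m["url"].split("?", 1)[0].rstrip("/").lower()
        if path == ENDPOINT:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

def jsp_in_drop_dir(search_root):
    """Return sorted paths of .jsp/.jspx files below any servlet_jsp/irj/root directory."""
    n, found = len(DROP_DIR), []
    for p in Path(search_root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in {".jsp", ".jspx"}:
            continue
        dirs = [d.lower() for d in p.parts[:-1]]  # directory components only
        if any(tuple(dirs[i:i + n]) == DROP_DIR for i in range(len(dirs) - n + 1)):
            found.append(str(p))
    return sorted(found)

if __name__ == "__main__":
    for hit in uploader_requests(SAMPLE_LOG):
        print("review:", hit)
```

Files returned by `jsp_in_drop_dir` are candidates for review against a known-good baseline of the deployment, not confirmed web shells.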
In a few select incidents, threat actors have been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate, to bypass endpoint protections. In at least one case, the attackers took several days to progress from successful initial access to follow-on exploitation, raising the possibility that the attacker may be an initial access broker (IAB) that is obtaining and selling access to other threat groups on underground forums.
ReliaQuest's investigation revealed a troubling pattern suggesting that adversaries are leveraging a known exploit and pairing it with evolving techniques to maximize their impact. SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers. As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise.
This vulnerability is not an isolated incident. Coincidentally, SAP has also released an update to address a maximum-severity security flaw (CVE-2025-31324) that an attacker could exploit to upload arbitrary files. CVE-2025-31324 likely refers to the same unreported security defect, given that it also affects the same metadata uploader component.
The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that could allow an attacker to obtain sensitive SAP configuration files. This recent vulnerability is just one example of how attackers are taking advantage of unpatched vulnerabilities in widely used software solutions.
The incident serves as a reminder of the importance of keeping up with security patches and updates for enterprise software solutions. Hackers are constantly evolving their tactics, making it essential for organizations to stay vigilant and proactive when it comes to cybersecurity. By failing to apply timely updates and patches, organizations can leave themselves vulnerable to exploitation by threat actors.
In conclusion, this vulnerability highlights the need for organizations to prioritize their cybersecurity posture. SAP NetWeaver is a critical component of many enterprise systems, and its exposure to this specific vulnerability underscores the importance of staying informed about emerging threats and taking proactive measures to mitigate risks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-SAP-NetWeaver-Exposed-The-Risks-of-Unreported-Vulnerabilities-and-Zero-Day-Exploits-ehn.shtml
Published: Fri Apr 25 07:03:24 2025 by llama3.2 3B Q4_K_M