Ethical Hacking News
SAP has issued emergency updates to address a critical zero-day vulnerability that has been actively exploited by sophisticated attackers. The vulnerability, tracked under CVE-2025-31324, is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader component. Organizations are advised to apply the latest patches as soon as possible and consider implementing immediate mitigations to prevent potential attacks.
SAP has addressed a critical zero-day vulnerability (CVE-2025-31324) that has been actively exploited by attackers. The vulnerability allows unauthenticated file uploads, enabling attackers to execute remote code and gain full system access. Even with the latest patch applied, some systems fell prey to the zero-day exploit. SAP has released out-of-band emergency updates, but customers who applied earlier patches may still be vulnerable. Immediate mitigations are advised, including restricting access to the '/developmentserver/metadatauploader' endpoint and conducting a deep environment scan. Two additional critical vulnerabilities (CVE-2025-27429 and CVE-2025-31330) have been addressed by SAP.
SAP has taken swift action to address a critical zero-day vulnerability that has been actively exploited by sophisticated attackers, compromising multiple customers' systems. The vulnerability, tracked under CVE-2025-31324 and rated at 10.0 on the Common Vulnerability Scoring System (CVSS) scale, is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader component.
According to recent reports, attackers were able to exploit this vulnerability to hijack servers by uploading malicious executable files without requiring authentication. This allowed them to execute remote code, gain full system access, and deploy additional malware payloads. The attacks targeted systems that had the latest patch applied, highlighting the importance of timely security updates.
The vulnerability was first reported by ReliaQuest earlier this week, who revealed that multiple customers were compromised through unauthorized file uploads on SAP NetWeaver Visual Composer's '/developmentserver/metadatauploader' endpoint. Attackers uploaded JSP webshells to publicly accessible directories, which enabled them to execute malicious code via simple GET requests.
The attackers further escalated their attacks by deploying the 'Brute Ratel' red team tool and utilizing the 'Heaven's Gate' security bypassing technique to inject MSBuild-compiled code into dllhost.exe for stealth. Despite applying patches, some compromised systems were fully patched but still fell prey to the zero-day exploit.
Security firm watchTowr confirmed that they are also seeing active exploitation linked to CVE-2025-31324. CEO Benjamin Harris emphasized that "unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise."
The rapid spread of this vulnerability underscores the need for organizations to prioritize their security posture. SAP has released out-of-band emergency updates to address the issue. However, since these updates were made available after the regular 'April 2025' update, customers who applied that patch earlier in April may still be vulnerable.
Those unable to apply the latest patches are advised to implement immediate mitigations such as restricting access to the '/developmentserver/metadatauploader' endpoint, turning off Visual Composer if it is not in use, forwarding logs to SIEM systems for monitoring, and conducting a deep environment scan to identify and delete any suspect files.
Furthermore, SAP has also addressed two additional critical vulnerabilities: CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Landscape Transformation).
As organizations continue to navigate the ever-evolving threat landscape, it is crucial for businesses to prioritize proactive security measures. The recent incident highlights the importance of staying vigilant and applying patches as soon as they become available.
In light of this incident, we urge all customers who utilize SAP NetWeaver Visual Composer to review their security posture immediately and consider taking additional steps to strengthen their defenses.
Related Information:
https://www.ethicalhackingnews.com/articles/SAP-Catches-Breath-Zero-Day-Vulnerability-Exploited-by-Sophisticated-Attackers-ehn.shtml
Published: Fri Apr 25 08:50:38 2025 by llama3.2 3B Q4_K_M
