A Looming Threat to Critical Business Systems. On April 22, 2025, cybersecurity firm ReliaQuest revealed an active exploitation campaign targeting SAP NetWeaver, the backbone of enterprise resource planning (ERP) systems used by governments and Fortune 500 companies. The vulnerability, later assigned CVE-2025-31324 (CVSS 10.0), allows attackers to upload malicious files and execute arbitrary code potentially compromising sensitive financial, logistics, and personnel data.
This article breaks down:
- How the exploit works (with technical analysis of the JSP webshell attacks).
- ReliaQuest’s proactive detection methods that identified the threat.
- 10 critical mitigation steps for SAP customers.
- Why this flaw makes SAP systems prime targets for nation-state actors and ransomware groups.
The Vulnerability: From Metadata Uploader to Malicious Execution
1. Exploit Overview
- CVE ID: CVE-2025-31324
- Type: Unrestricted file upload → Remote Code Execution (RCE)
- Affected Component: SAP NetWeaver’s
/developmentserver/metadatauploaderendpoint. - Attack Vector: Attackers upload JSP webshells (e.g.,
helper.jsp,cache.jsp) to:
j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
These files enable full system control via HTTP GET requests.
2. Attack Workflow
- Initial Access: Exploit the metadatauploader endpoint to upload a webshell.
- Persistence: Use the webshell to execute commands (e.g., deploy Brute Ratel C2).
- Evasion: Leverage Heaven’s Gate technique to bypass EDR in 64-bit systems.
- Lateral Movement: Steal credentials or exploit other SAP services.
Figure 1: Malicious POST request uploading a webshell (source: ReliaQuest)
![Exploit chain diagram showing webshell upload and command execution]
Why SAP NetWeaver? High-Value Targets
- Government Reliance: 90% of G2000 companies and 40+ national governments use SAP.
- Patch Lag: 60% of SAP systems run outdated versions (ERP Scan, 2024).
- Critical Data: SAP systems often house financial records, HR data, and supply chain info.
ReliaQuest’s Proactive Defense
Before SAP’s patch (April 24, 2025), ReliaQuest:
- Deployed Detections: Flagged JSP files written to
servlet_jsp/irj/root/. - Threat Hunts: Identified Brute Ratel and Heaven’s Gate in customer environments.
- Shared IOCs: Published hashes of malicious JSP files (see Indicators of Compromise below).
10 Critical Mitigations for SAP Customers
1. Immediate Patching
- Apply SAP’s Security Note #XXXXXX (requires customer login).
2. Disable Visual Composer
- This deprecated feature is a common attack vector:
“`abap
TRANSLATION_TOOL_DISABLE = TRUE
3. Restrict MetadataUploader Access
– Block `/developmentserver/metadatauploader` at the firewall/WAF.
4. Hunt for Webshells
– Scan for files in:
j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
“`
- Use ReliaQuest’s IOCs (below).
5. Monitor for Brute Ratel
- Detect MSBuild compiling C# code (e.g.,
msbuild.exe /t:Clean /p:Configuration=Debug).
6. Enable SAP Audit Logs
- Forward logs to a SIEM (e.g., Splunk, Microsoft Sentinel).
7. Segment SAP Networks
- Isolate SAP systems from OT networks and internet-facing servers.
8. Enforce Least Privilege
- Restrict SAP_* users to minimal permissions.
9. Block Heaven’s Gate Syscalls
- Use EDR rules to flag
NtSetContextThreadabuse.
10. Train SAP Basis Teams
- Educate on webshell detection and emergency patching.
Indicators of Compromise (IOCs)
| File | SHA-256 Hash |
|---|---|
helper.jsp | 1f72bd2643995fab4ecf7150b6367fa1… |
cache.jsp | 794cb0a92f51e1387a6b316b8b5ff83d… |
Conclusion: SAP Security Can’t Wait
CVE-2025-31324 is a wake-up call for delayed SAP patching cycles. With ReliaQuest confirming active exploitation, organizations must:
- Patch immediately—especially governments and critical infrastructure.
- Assume compromise: Hunt for webshells and C2 beacons.
- Adopt Zero Trust: Segment SAP systems and enforce strict access controls.
🔗 Resources:
