{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sap-netweaver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NetWeaver","Visual Composer"],"_cs_severities":["critical"],"_cs_tags":["sap-netweaver","file-upload","webshell","cve-2025-31324"],"_cs_type":"threat","_cs_vendors":["SAP"],"content_html":"\u003cp\u003eActive exploitation of CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, has been observed. This flaw allows remote attackers to send specially crafted POST requests to the \u003ccode\u003e/developmentserver/metadatauploader\u003c/code\u003e endpoint, enabling arbitrary file uploads, often leading to webshell deployment and subsequent system compromise. The attacks leverage HTTP HEAD and POST requests, targeting specific Visual Composer endpoints. Successful exploitation grants attackers privileged access, enabling malware deployment and impacting business-critical SAP resources. Public reports indicate that this vulnerability is being actively exploited in the wild, necessitating immediate patching and investigation of suspicious activity. This activity has been observed since early 2025.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable SAP NetWeaver instance running Visual Composer.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a reconnaissance HTTP HEAD request to \u003ccode\u003e/ctc/CTCWebService/CTCWebServiceBean\u003c/code\u003e, \u003ccode\u003e/CTCWebService/CTCWebServiceBean\u003c/code\u003e, or \u003ccode\u003e/VisualComposer/services/DesignTimeService\u003c/code\u003e to confirm the presence of the vulnerable component.\u003c/li\u003e\n\u003cli\u003eUpon successful reconnaissance (HTTP 200 OK), the attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/developmentserver/metadatauploader\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a specially crafted payload designed to upload an arbitrary file, typically a webshell (e.g., a JSP or ASPX file).\u003c/li\u003e\n\u003cli\u003eThe SAP NetWeaver server processes the malicious POST request without proper authentication or input validation.\u003c/li\u003e\n\u003cli\u003eThe webshell is successfully uploaded to the server's file system, often in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded webshell via a web browser, gaining remote code execution capabilities on the SAP NetWeaver server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server to escalate privileges, move laterally within the network, and potentially exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-31324 allows attackers to gain complete control over vulnerable SAP NetWeaver systems. This can lead to the compromise of sensitive business data, disruption of critical business processes, and significant financial losses. Public reports indicate active exploitation across various sectors, potentially impacting hundreds of organizations running vulnerable SAP NetWeaver instances. Exploitation enables attackers to deploy malware, exfiltrate data, and disrupt operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSAP NetWeaver Visual Composer Exploitation Attempt\u003c/code\u003e to your SIEM to detect malicious HTTP requests to vulnerable endpoints.\u003c/li\u003e\n\u003cli\u003eApply the latest SAP security patches to remediate CVE-2025-31324 on all affected SAP NetWeaver systems.\u003c/li\u003e\n\u003cli\u003eInvestigate any HTTP HEAD or POST requests with a 200 OK status to the Visual Composer endpoints listed in the Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs and network traffic for suspicious file uploads and webshell activity following successful endpoint access.\u003c/li\u003e\n\u003cli\u003eReview access controls and network segmentation to limit the potential impact of a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-sap-netweaver-visual-composer-exploitation/","summary":"Exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, have been detected using HTTP HEAD and POST requests to sensitive endpoints.","title":"SAP NetWeaver Visual Composer CVE-2025-31324 Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-sap-netweaver-visual-composer-exploitation/"}],"language":"en","title":"CraftedSignal Threat Feed - Sap-Netweaver","version":"https://jsonfeed.org/version/1.1"}