<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sap-Netweaver - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sap-netweaver/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sap-netweaver/feed.xml" rel="self" type="application/rss+xml"/><item><title>SAP NetWeaver Visual Composer CVE-2025-31324 Exploitation Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-sap-netweaver-visual-composer-exploitation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-sap-netweaver-visual-composer-exploitation/</guid><description>Exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, have been detected using HTTP HEAD and POST requests to sensitive endpoints.</description><content:encoded><![CDATA[<p>Active exploitation of CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, has been observed. This flaw allows remote attackers to send specially crafted POST requests to the <code>/developmentserver/metadatauploader</code> endpoint, enabling arbitrary file uploads, often leading to webshell deployment and subsequent system compromise. The attacks leverage HTTP HEAD and POST requests, targeting specific Visual Composer endpoints. Successful exploitation grants attackers privileged access, enabling malware deployment and impacting business-critical SAP resources. Public reports indicate that this vulnerability is being actively exploited in the wild, necessitating immediate patching and investigation of suspicious activity. This activity has been observed since early 2025.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable SAP NetWeaver instance running Visual Composer.</li>
<li>The attacker sends a reconnaissance HTTP HEAD request to <code>/ctc/CTCWebService/CTCWebServiceBean</code>, <code>/CTCWebService/CTCWebServiceBean</code>, or <code>/VisualComposer/services/DesignTimeService</code> to confirm the presence of the vulnerable component.</li>
<li>Upon successful reconnaissance (HTTP 200 OK), the attacker crafts a malicious HTTP POST request to the <code>/developmentserver/metadatauploader</code> endpoint.</li>
<li>The POST request contains a specially crafted payload designed to upload an arbitrary file, typically a webshell (e.g., a JSP or ASPX file).</li>
<li>The SAP NetWeaver server processes the malicious POST request without proper authentication or input validation.</li>
<li>The webshell is successfully uploaded to the server's file system, often in a publicly accessible directory.</li>
<li>The attacker accesses the uploaded webshell via a web browser, gaining remote code execution capabilities on the SAP NetWeaver server.</li>
<li>The attacker leverages the compromised server to escalate privileges, move laterally within the network, and potentially exfiltrate sensitive data or deploy ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-31324 allows attackers to gain complete control over vulnerable SAP NetWeaver systems. This can lead to the compromise of sensitive business data, disruption of critical business processes, and significant financial losses. Public reports indicate active exploitation across various sectors, potentially impacting hundreds of organizations running vulnerable SAP NetWeaver instances. Exploitation enables attackers to deploy malware, exfiltrate data, and disrupt operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>SAP NetWeaver Visual Composer Exploitation Attempt</code> to your SIEM to detect malicious HTTP requests to vulnerable endpoints.</li>
<li>Apply the latest SAP security patches to remediate CVE-2025-31324 on all affected SAP NetWeaver systems.</li>
<li>Investigate any HTTP HEAD or POST requests with a 200 OK status to the Visual Composer endpoints listed in the Sigma rule to identify potential exploitation attempts.</li>
<li>Monitor web server logs and network traffic for suspicious file uploads and webshell activity following successful endpoint access.</li>
<li>Review access controls and network segmentation to limit the potential impact of a successful compromise.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>sap-netweaver</category><category>file-upload</category><category>webshell</category><category>cve-2025-31324</category></item></channel></rss>