
Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells, with the aim of facilitating unauthorized file uploads and code execution.
“Exploitation is likely linked to either a previously disclosed vulnerability, such as CVE-2017-9844, or an unreported remote file inclusion (RFI) issue,” ReliaQuest said in a report published this week.
The cybersecurity company said the possibility of a zero-day stems from the fact that some of the affected systems were already running the latest patches.

The flaw is assessed to be rooted in the “/DevelopmentServer/Metadatauploader” endpoint of the NetWeaver environment, allowing unknown threat actors to upload malicious JSP-based web shells to “Servlet_jsp/IRJ/root/”, which provides a path for persistent remote access and the delivery of additional payloads.
Put another way, the lightweight JSP web shell is configured to upload malicious files, entrench itself on infected hosts, execute code remotely, and siphon sensitive data.
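As an added example that is not part of the ReliaQuest report or any SAP tooling, the following Python script runs a simple detection over constructed access-log lines: it flags POST requests to the metadata uploader endpoint and correlates them with later requests for .jsp files under /irj/, the URL prefix under which files dropped into the servlet_jsp/irj/root directory would be served (the log format, the URL mapping and the correlation window are assumptions).

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in NCSA common format (assumed to come
# from a reverse proxy in front of NetWeaver); not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.9 - - [18/Apr/2025:10:02:33 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 212
203.0.113.9 - - [18/Apr/2025:10:02:40 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87
10.0.0.7 - - [18/Apr/2025:10:05:00 +0000] "GET /irj/servlet/prt/portal/prtroot/default HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/developmentserver/metadatauploader"
# A .jsp request from the same client within this window after an uploader
# POST is treated as a likely web-shell check-in (assumed tuning value).
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query, normalise case
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_indicators(log_text):
    """Return findings: uploader POSTs, plus served .jsp files under /irj/,
    marked as 'jsp_after_upload' when the same IP hit the uploader shortly before."""
    findings = []
    last_upload = {}  # ip -> timestamp of the most recent uploader POST
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOADER):
            last_upload[rec["ip"]] = rec["ts"]
            findings.append({"ip": rec["ip"], "kind": "uploader_post", "path": rec["path"]})
        elif rec["path"].startswith("/irj/") and rec["path"].endswith(".jsp") and rec["status"] == 200:
            prior = last_upload.get(rec["ip"])
            kind = "jsp_after_upload" if prior and rec["ts"] - prior <= WINDOW else "jsp_access"
            findings.append({"ip": rec["ip"], "kind": kind, "path": rec["path"]})
    return findings


if __name__ == "__main__":
    for finding in find_webshell_indicators(SAMPLE_LOG):
        print(finding)
```

Any "uploader_post" on a system that is not supposed to expose Visual Composer, and any "jsp_after_upload", warrants checking the irj root directory for recently created .jsp files.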
Select incidents have also been observed using the Brute Ratel C4 post-exploitation framework and a well-known technique called Heaven’s Gate to bypass endpoint protections.
In at least one case, the threat actors took several days between gaining initial access and subsequent exploitation, raising the likelihood that the attackers are initial access brokers (IABs) who obtain access and sell it to other threat groups on underground forums.

“Our research reveals troubling patterns and suggests that adversaries are leveraging known exploits and combining them with evolving techniques to maximize their impact,” says ReliaQuest.
“SAP solutions are often used by government agencies and businesses and are highly valuable targets for attackers. As SAP solutions are often deployed on-premises, the security measures for these systems are left to the user. Updates and patches that are not applied quickly can put these systems at greater risk.”
Coincidentally, SAP has released an update to address a maximum-severity security flaw (CVE-2025-31324, CVSS score: 10.0).

“SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing unauthenticated agents to upload executable binaries that can cause serious harm to the host system.”
It is possible that CVE-2025-31324 refers to the same unreported security flaw, given that it also affects the Metadata Uploader component.
This disclosure comes just over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of the active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that allows attackers to retrieve sensitive SAP configuration files.
Update
ReliaQuest has confirmed to The Hacker News that the malicious activity described above is in fact leveraging a new security vulnerability that is being tracked as CVE-2025-31324.
“The vulnerability identified during an investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue,” the company said. “However, SAP later identified it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization.”
(The story was updated after publication to confirm the exploitation of the new zero-day flaws.)