- May 20, 2025
Critical Vulnerabilities in SAP NetWeaver Visual Composer (CVE-2025-31324, CVE-2025-42999)
On April 24, 2025, software company SAP published an advisory regarding a critical vulnerability embedded within a component of their NetWeaver product (CVE-2025-31324). On May 15, 2025, CISA added a related, critical SAP NetWeaver deserialization vulnerability (CVE-2025-42999) to its KEV list.
Executive Summary
On April 24, 2025, software company SAP published an advisory regarding a critical vulnerability embedded within a component of their NetWeaver product (CVE-2025-31324). The vulnerability is due to a flaw in the Visual Composer Metadata Uploader endpoint and could allow an unauthenticated attacker the ability to upload arbitrary files to a target server. This includes malicious web shells, which would allow threat actors to achieve remote code execution (RCE) on affected systems.
Multiple cyber security firms reported observing successful exploitation in the wild by several actors, including ransomware actors. Many of these attempts occurred prior to the advisory, and the vulnerability was added to CISA’s Known Exploited Vulnerability (KEV) list as of April 29, 2025. On May 15, 2025, CISA added a related, critical SAP NetWeaver deserialization vulnerability (CVE-2025-42999) to its KEV list, which was observed in chained Visual Composer attacks.
SAP has released out-of-band patch notes that fix these flaws. Beazley Security strongly recommends affected organizations apply updates to NetWeaver installations with Visual Composer Framework enabled.
Affected Systems or Products
Software | Affected Versions | Fixed Versions |
SAP NetWeaver (Visual Composer development server) | VCFRAMEWORK 7.50 | VCFRAMEWORK >7.50 |
Mitigations / Workarounds
SAP has released out-of-band patches in SAP Security Notes 3594142 and 3604119. SAP recommends applying patches from both notes on any affected instances. Please see the “Patches” section below for more information. If the patch cannot be applied:
Some systems may be exposed unintentionally. If the Metadata Uploader service is not required, it is recommended that the vulnerable VCFramework package and endpoint be removed to reduce attack surface.
Restrict access. If possible, apply network-layer controls to block any untrusted access to the endpoint /developmentserver/metadatauploader.
Any affected organizations are recommended to monitor for exploitation attempts and post-compromise activity. For more information, please see the IoCs section below.
Patches
SAP has issued the following critical security updates to address the Metadata Uploader and deserialization vulnerabilities. Access to SAP security patch notes requires access to their Support Portal.
SAP NOTE 3594142 - Fix for CVE-2025-31324 enforces authorization on Metadata Uploader endpoint
SAP NOTE 3604119 - Fix for CVE-2025-42999 addresses Java deserialization flaw
Specific notes can be found on SAP’s Security Patch rollup for April and May.
Indicators of Compromise
As previously stated, multiple attack campaigns have been observed targeting these vulnerabilities. Campaigns have been attributed to several actors, including ransomware actors Qilin, BianLian, and RansomEXX. Several indicators of attack and indicators of compromise have been shared publicly.
Vulnerability and exploitation checks for CVE-2025-31324 appear as HTTP POST, HEAD, and GET requests to the following URI:
POST /developmentserver/metadatauploader HTTP/1.1
According to related information shared from Onapsis, OP Innovative, and Reliaquest, the following IoCs and webshells have been observed on exploited systems:
helper.jsp – Observed in multiple reports
cache.jsp – Observed in CVE-related reports
forwardsap.jsp
coresap.jsp
webhelp.jsp
.webhelper.jsp – Hidden variant
usage.jsp – Possibly a renamed “helper.jsp”
usage1.jsp – Variant of usage.jsp
404_error.jsp – Potentially a disguised webshell
h.jsp – Hidden file variant
.h.jsp – Hidden variant
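The request and file-name indicators above can be checked against HTTP access logs. The following is an added example, not code from the advisory or its sources: it tags requests to the Metadata Uploader URI and to the listed JSP names (plus the reported random 8-character `.jsp` names), and marks sources whose POST to the uploader is later followed by a JSP hit. The Common Log Format layout, the `/irj/` URL prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/developmentserver/metadatauploader"   # URI given in the advisory
KNOWN_SHELLS = {                                    # file names listed in the advisory
    "helper.jsp", "cache.jsp", "forwardsap.jsp", "coresap.jsp", "webhelp.jsp",
    ".webhelper.jsp", "usage.jsp", "usage1.jsp", "404_error.jsp", "h.jsp", ".h.jsp",
}
RANDOM_NAME = re.compile(r"[a-z]{8}\.jsp")  # low confidence: fits ordinary names too
LINE = re.compile(r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Parse one Common Log Format line (assumed layout); return a hit tuple or None."""
    m = LINE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path           # drop any query string
    name = path.rsplit("/", 1)[-1].lower()
    if path.lower().rstrip("/") == ENDPOINT:
        tag = "uploader-post" if m["method"] == "POST" else "uploader-probe"
    elif name in KNOWN_SHELLS:
        tag = "known-shell"
    elif RANDOM_NAME.fullmatch(name):
        tag = "random-jsp"
    else:
        return None
    return (m["src"], m["ts"], m["method"], path, int(m["status"]), tag)

def triage(lines):
    """Group hits per source (lines assumed chronological); flag POST then JSP hit."""
    report = {}
    for hit in filter(None, map(classify, lines)):
        entry = report.setdefault(hit[0], {"hits": [], "upload_then_jsp": False})
        if hit[5] in ("known-shell", "random-jsp") and any(
                h[5] == "uploader-post" for h in entry["hits"]):
            entry["upload_then_jsp"] = True
        entry["hits"].append(hit)
    return report

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.9 - - [20/May/2025:10:00:01 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.9 - - [20/May/2025:10:00:05 +0000] "POST /developmentserver/metadatauploader?a=b HTTP/1.1" 200 12',
    '203.0.113.9 - - [20/May/2025:10:00:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 40',
    '198.51.100.7 - - [20/May/2025:10:02:00 +0000] "GET /irj/download.jsp HTTP/1.1" 200 900',
]
for src, entry in triage(SAMPLE).items():
    print(src, entry["upload_then_jsp"], [h[5] for h in entry["hits"]])
```

The second source shows why the random-name pattern is only a weak signal on its own: `download.jsp` matches it without any preceding request to the uploader.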
Network Connections:
dns[.]telemetrymasterhostname[.]com
184[.]174[.]96[.]74 (Qilin)
184[.]174[.]96[.]70 (Qilin)
180[.]131[.]145[.]73 (Qilin)
http[:]//184[.]174[.]96[.]70/rs64c.exe
The root of the following OS directories can also be investigated for the presence of unexpected ‘jsp,’ ‘java,’ or ‘class’ files:
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
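The directory check described above can be scripted. This is an added example, not part of the advisory: it lists `jsp`, `java` and `class` files sitting directly in each of the three directories and records size, modification time and SHA-256 so findings can be compared with a deployment baseline or published hashes. The `P01` and `J00` values are placeholder SID and instance identifiers.

```python
import hashlib
from pathlib import Path, PureWindowsPath

SUSPECT_EXT = {".jsp", ".java", ".class"}   # file types named in the advisory

def irj_dirs(sid, instance_id):
    """Build the three directories from the advisory for one SAP instance."""
    irj = PureWindowsPath(r"C:\usr\sap", sid, instance_id, "j2ee", "cluster",
                          "apps", "sap.com", "irj", "servlet_jsp", "irj")
    return [str(irj / "root"), str(irj / "work"), str(irj / "work" / "sync")]

def sweep(dirs, modified_after=0.0):
    """List jsp/java/class files sitting directly in each directory.

    Returns dicts with path, size, mtime and SHA-256, oldest first, so entries
    can be reviewed against a deployment baseline or published hashes.
    """
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue                      # instance without this directory
        for f in d.iterdir():             # top level only, no recursion
            if not f.is_file() or f.suffix.lower() not in SUSPECT_EXT:
                continue
            st = f.stat()
            if st.st_mtime < modified_after:
                continue
            findings.append({
                "path": str(f),
                "dot_prefixed": f.name.startswith("."),   # e.g. ".webhelper.jsp"
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
            })
    return sorted(findings, key=lambda x: x["mtime"])

if __name__ == "__main__":
    # "P01" and "J00" are placeholder SID / instance values; use your own.
    for hit in sweep(irj_dirs("P01", "J00")):
        print(hit["mtime"], hit["sha256"], hit["path"])
```

Passing `modified_after` as an epoch timestamp narrows the output to files written since a chosen date, such as the last known-good deployment.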
Technical Details
CVE-2025-31324 was issued due to an unauthenticated file upload vulnerability in SAP NetWeaver’s Visual Composer, specifically within the MetaUploader framework. If exposed, the vulnerable endpoint is accessible at /developmentserver/metadatauploader.
Since there is no authentication check, any remote attacker can upload arbitrary files, such as a prepared webshell, directly into web-accessible directories on an affected SAP server. The files are then executed with the privilege level of the SAP application, theoretically granting attackers full RCE without requiring credentials.
Once uploaded, attackers may interact with the prepared webshell to perform further recon and post-exploitation activity by accessing it from an exposed endpoint or directory.
CVE-2025-42999 was published May 12th, shortly after CVE-2025-31324, and is a Java deserialization vulnerability within the NetWeaver Visual Composer. The component has a flaw that allows unsafe deserialization of Java objects supplied in serialized binary format. This vulnerability can be chained with CVE-2025-31324 by performing an unauthenticated upload of a serialized payload, which SAP NetWeaver then deserializes, executing the malicious code it carries.
When chained together, both vulnerabilities could allow RCE without the use or presence of a webshell, as reportedly observed by Onapsis.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.