Full Report
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers. [...]
Analysis Summary
# Vulnerability: SAP NetWeaver Visual Composer Unauthenticated File Upload Leading to RCE
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: Data not explicitly provided, but indicated as critical due to RCE and active exploitation. Assumed High/Critical.
- CWE: Likely related to Improper Input Validation or Unrestricted Upload (CWE-434/CWE-430).
## Affected Systems
- Products: SAP NetWeaver (specifically involving the Visual Composer Framework).
- Versions: Affected versions include those running Visual Composer Framework 7.50, even if the regular April 2025 SAP updates were applied.
- Configurations: Systems running SAP NetWeaver with Visual Composer enabled and exposed.
## Vulnerability Description
The vulnerability is a critical flaw in SAP NetWeaver's Visual Composer Framework. It allows unauthenticated attackers to abuse built-in functionality to upload arbitrary files to the SAP NetWeaver instance via the `/developmentserver/metadatauploader` endpoint. Successful exploitation leads to full Remote Code Execution (RCE) and total system compromise. The issue is exploited via a zero-day vector on systems that were otherwise fully patched against prior security updates. Post-exploitation details indicate the use of 'Brute Ratel', 'Heaven's Gate' bypassing techniques, and injection of MSBuild-compiled code into `dllhost.exe`.
## Exploitation
- Status: Exploited in the wild. Active exploitation confirmed by multiple security firms.
- Complexity: Low (Unauthenticated attackers can abuse built-in functionality).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Full system compromise allows access to all data).
- Integrity: High (Full system compromise allows modification or deletion of data/systems).
- Availability: High (Full system compromise, potentially leading to denial of service or system destruction).
## Remediation
### Patches
- Apply the **emergency security update** released by SAP specifically addressing CVE-2025-31324. (Note: This update was released *after* the standard April 2025 patch cycle).
- This emergency update also includes fixes for CVE-2025-27429 (Code Injection in SAP S/4HANA) and CVE-2025-31330 (Code Injection in SAP Landscape Transformation).
### Workarounds
1. Restrict access to the `/developmentserver/metadatauploader` endpoint.
2. If the Visual Composer component is not in use, consider turning it off entirely.
3. Forward relevant system logs to a SIEM for analysis.
4. Perform a deep environment scan to locate and delete suspect files (e.g., web shells dropped by attackers) *before* applying final patches/mitigations.
## Detection
- Indicators of Compromise (IoCs): Presence of web shell backdoors dropped onto the system (often in the servlet path). Look for unauthorized file uploads targeting the specified endpoint.
- Detection methods and tools: Scan for unauthorized files in the servlet path. Monitor network traffic and endpoint telemetry for execution of red team tools like Brute Ratel or unusual activity within processes like `dllhost.exe` following file upload attempts.
## References
- Vendor Advisories: SAP Security Updates (Refer to the emergency update released after April 8, 2025).
- Relevant links:
- bleepingcomputer com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
- support sap com/en/my-support/knowledge-base/security-notes-news/april-2025 html