
SAP has released patches for 21 new security flaws, including three critical vulnerabilities in its widely used NetWeaver platform. The most severe of these, CVE-2025-31324 and CVE-2025-42999, have been actively exploited in the wild since at least January 2025, leading to full system compromises across multiple critical infrastructure sectors [1]. This coordinated attack campaign demonstrates sophisticated tradecraft, chaining an unauthenticated file upload flaw with an insecure deserialization vulnerability to achieve remote code execution with high privileges.
The exploitation activity was first detected by Darktrace on April 18, 2025, six days before SAP’s official disclosure, indicating that threat actors had already weaponized these vulnerabilities [2]. Multiple advanced persistent threat groups, including China-linked actors and ransomware operators, have been observed leveraging these flaws to gain initial access, deploy webshells, and move laterally through victim networks. The public release of a weaponized exploit on August 15, 2025, has further lowered the barrier to entry for less sophisticated attackers [3].
Technical Analysis of the Vulnerabilities
CVE-2025-31324 is a critical unrestricted file upload vulnerability (CVSS 10.0) affecting the SAP NetWeaver Visual Composer’s `/developmentserver/metadatauploader` endpoint. This flaw allows unauthenticated attackers to upload arbitrary files, most commonly JSP webshells, to vulnerable systems [1]. The Visual Composer component, while not installed by default, is present in an estimated 50-70% of SAP NetWeaver Application Server Java implementations, making this a widespread attack surface.
CVE-2025-42999 (CVSS 9.1) is an insecure deserialization vulnerability that, when chained with CVE-2025-31324, enables attackers to execute uploaded malicious payloads directly in memory with high privileges (the `<sid>adm` OS user) [4]. Because the payload never needs to be written to disk as a webshell, this technique leaves far fewer forensic artifacts and lets attackers operate with a minimal disk footprint. The exploit code demonstrates deep knowledge of SAP internals, utilizing custom SAP classes and adjusting payloads based on the detected NetWeaver version [3].
Exploitation Timeline and Threat Actor Activity
The exploitation timeline reveals a well-coordinated campaign that began months before public disclosure. Exploitation activity dates back to at least January 2025, and Darktrace identified anomalous connections to Out-of-Band Application Security Testing (OAST) domains on April 18, 2025 [2]. ReliaQuest published their investigation on April 22, followed by SAP’s official patch (Security Note 3594142) for CVE-2025-31324 on April 24, 2025 [1].
Multiple threat actor groups quickly adopted these vulnerabilities. China-linked APTs tracked as Chaya_004, UNC5221, UNC5174, and CL-STA-0048 were among the earliest adopters, deploying a Golang-based reverse shell called “SuperShell” and using infrastructure hosting tools like NPS, Cobalt Strike, and SoftEther VPN [5]. The Russian ransomware group BianLian and Microsoft-tracked Storm-2460 (operators of RansomEXX) were also observed exploiting these vulnerabilities for financial gain.
Detection and Forensic Evidence
Organizations can detect potential exploitation by reviewing web server access logs for `POST /developmentserver/metadatauploader HTTP/1.1" 200` responses and `multipart/form-data` requests to this endpoint from unauthenticated sources [6]. Suspicious file creations in directories such as `/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/`, `/work/`, and `/work/sync/` should be investigated, particularly for JSP, Java, or class files with recent timestamps.
Darktrace’s pre-disclosure detection on April 18, 2025, demonstrated the value of behavioral analysis in identifying novel attack patterns. Their system flagged anomalous activity and connections to OAST domains that were later confirmed as exploitation attempts [2]. Organizations should monitor for unexpected outbound connections to known malicious infrastructure and implement strict egress filtering.
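The log review described above, as an added example that is not part of the original article: it parses Combined Log Format lines, flags POST requests to the uploader endpoint (a 200 response is the stronger signal), and escalates when the same source then fetches a JSP under the portal path, which is the webshell follow-up pattern. The log lines are constructed samples, not real traffic.

```python
import re

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2025:03:12:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [18/Apr/2025:03:13:01 +0000] "GET /irj/portal HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2025:03:13:20 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 130 "-" "python-requests/2.31"
10.0.0.5 - - [18/Apr/2025:03:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "SAP NetWeaver"
"""

# src, ident, remote-user, timestamp, request line, status (remainder ignored).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/developmentserver/metadatauploader"

def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_exploitation(lines):
    """Return (severity, source, reason) findings in log order."""
    findings = []
    uploaders = set()  # sources that have POSTed to the uploader endpoint
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path == UPLOADER:
            uploaders.add(rec["src"])
            # 200 means the upload was accepted; anything else still shows probing.
            sev = "HIGH" if rec["status"] == "200" else "MEDIUM"
            findings.append((sev, rec["src"],
                             f"POST {UPLOADER} -> {rec['status']} at {rec['ts']}"))
        elif path.endswith(".jsp") and rec["src"] in uploaders:
            findings.append(("CRITICAL", rec["src"],
                             f"JSP fetched after uploader POST: {rec['path']}"))
    return findings

if __name__ == "__main__":
    for sev, src, why in find_exploitation(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {src}: {why}")
```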
Mitigation Strategies and Patching Requirements
The primary mitigation is immediate application of SAP’s security patches. Organizations must apply Security Note 3594142 (CVE-2025-31324) and 3604119 (CVE-2025-42999), along with related deserialization flaws patched in July 2025: 3578900 (CVE-2025-30012), 3620498 (CVE-2025-42980), 3610892 (CVE-2025-42966), 3621771 (CVE-2025-42963), and 3621236 (CVE-2025-42964) [3].
If immediate patching is not feasible, several workarounds can reduce attack surface: disable the deprecated Visual Composer component, remove the application alias `developmentserver`, or completely remove the vulnerable application (SAP’s recommended workaround) [1]. Network-level controls should restrict access to the development server URL, and organizations should implement strict network segmentation to limit external access to SAP systems.
Indicators of Compromise and Hunting Guidance
Multiple security firms have published IoCs to assist with threat hunting. Webshell hashes include SHA-256 values such as `1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087` (helper.jsp), `794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf` (cache.jsp), and `565d7ed059e2d60fa69cc51a6548aa9f8192a71f4cd79112823f3f628cfede85` (rrx.jsp) [1].
Suspicious IP addresses associated with these attacks include `184.174.96.74` (linked to BianLian proxy services), `184.174.96.70` (BianLian C2 server), and `23.95.123.5` (source of JuicyPotato download) [2]. Malicious domains include `dns.telemetrymasterhostname.com`, `aaaaabbbbbbb.eastus.cloudapp.azure.com` (PipeMagic C2), and various OAST domains (e.g., `*.oast[.]online`, `*.oast[.]pro`).
Open-source scanners from Onapsis and Mandiant are available to assist organizations in assessing their vulnerability status and checking for known IoCs [3]. These tools can help identify both vulnerable systems and evidence of prior compromise, enabling faster incident response and remediation.
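A minimal file-system hunt that combines the directory guidance from the detection section with the published webshell hashes, as an added example that is not the Onapsis or Mandiant scanner: it walks the given roots, matches SHA-256 digests against the known-bad list, and otherwise flags JSP, Java, or class files modified within a recent window. The relative `SUSPECT_DIRS` paths and the `build_sample_tree()` fixture are assumptions for demonstration; on a real host, prepend your instance directory and point `hunt()` at it.

```python
import hashlib, os, tempfile, time

# Webshell SHA-256 values from the IoC lists cited above.
KNOWN_WEBSHELL_HASHES = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
    "565d7ed059e2d60fa69cc51a6548aa9f8192a71f4cd79112823f3f628cfede85": "rrx.jsp",
}
# Directories from the detection guidance, assumed relative to the NetWeaver instance dir.
SUSPECT_DIRS = ("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root", "work", "work/sync")
SUSPECT_EXTENSIONS = (".jsp", ".java", ".class")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(roots, known_hashes=KNOWN_WEBSHELL_HASHES, recent_days=30, now=None):
    """Walk roots; return (path, reason) for known-bad hashes or recently modified code files."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    mtime, digest = os.stat(p).st_mtime, sha256_of(p)
                except OSError:  # unreadable or vanished file: skip, do not abort the hunt
                    continue
                if digest in known_hashes:
                    findings.append((p, f"known webshell hash ({known_hashes[digest]})"))
                elif name.lower().endswith(SUSPECT_EXTENSIONS) and mtime >= cutoff:
                    findings.append((p, "recently modified JSP/Java/class file"))
    return findings

def build_sample_tree():
    """Constructed fixture: a temp dir with one epoch-dated .class and one fresh .jsp."""
    root = tempfile.mkdtemp(prefix="sap_hunt_")
    old = os.path.join(root, "Old.class")
    with open(old, "wb") as f:
        f.write(b"\xca\xfe\xba\xbe")
    os.utime(old, (0, 0))  # mtime at the epoch: outside any recent window
    fresh = os.path.join(root, "helper.jsp")
    with open(fresh, "wb") as f:
        f.write(b"<%-- constructed placeholder, not a real webshell --%>\n")
    return root, sha256_of(fresh)
```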
The exploitation of CVE-2025-31324 and CVE-2025-42999 represents a significant threat to organizations running SAP NetWeaver systems. The combination of unauthenticated access, reliable exploitation, and high-privilege execution makes these vulnerabilities particularly dangerous. The widespread presence of the affected component across critical infrastructure sectors amplifies the potential impact, with hundreds of systems already compromised across energy, manufacturing, healthcare, and financial services organizations.
Organizations must prioritize patching these vulnerabilities and conducting thorough investigations of their SAP environments. The availability of public exploits increases the likelihood of widespread attacks, and the sophisticated tradecraft observed in earlier campaigns suggests that even well-defended organizations may be at risk. Continuous monitoring, network segmentation, and application of defense-in-depth principles are essential to mitigating this threat.
References
- [1] “Threat Spotlight: ReliaQuest Uncovers Vulnerability Behind SAP NetWeaver Compromise,” ReliaQuest, 2025.
- [2] “Tracking CVE-2025-31324: Darktrace’s Detection of SAP NetWeaver Exploitation Before and After Disclosure,” Darktrace, 2025.
- [3] “New Exploit for CVE-2025-31324,” Onapsis, 2025.
- [4] “Second Zero-Day in SAP NetWeaver Actively Exploited,” Field Effect, 2025.
- [5] “SAP NetWeaver Vulnerability Exploited by Chinese Hackers,” CinchOps, 2025.
- [6] “Critical SAP NetWeaver Vulnerability CVE-2025-31324 Fixed, Actively Exploited in the Wild,” RedRays, 2025.
- [7] “SAP Fixes Maximum Severity NetWeaver Command Execution Flaw,” BleepingComputer, 2025.