Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
“The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue,” ReliaQuest said in a report published this week.
The cybersecurity said the possibility of a zero-day stems from the fact that several of the impacted systems were already running the latest patches.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The flaw is assessed to be rooted in the “/developmentserver/metadatauploader” endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the “servlet_jsp/irj/root/” path for persistent remote access and deliver additional payloads.
Put differently, the lightweight JSP web shell is configured to upload unauthorized files, enable entrenched control over the infected hosts, execute remote code, and siphon sensitive data.
Select incidents have been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven’s Gate to bypass endpoint protections.
At least in one case, the threat actors took several days to progress from successful initial access to follow-on exploitation, raising the possibility that the attacker may be an initial access broker (IAB) that’s obtaining and selling access to other threat groups on underground forums.
“Our investigation revealed a troubling pattern, suggesting that adversaries are leveraging a known exploit and pairing it with a mix of evolving techniques to maximize their impact,” ReliaQuest said.
“SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers. As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise.”
Coincidentally, SAP has also released an update to address a maximum severity security flaw (CVE-2025-31324, CVSS score: 10.0) that an attacker could exploit to upload arbitrary files.
“SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system,” an advisory for the vulnerability reads.
It’s likely that CVE-2025-31324 refers to the same unreported security defect given that the former also affects the same metadata uploader component. The Hacker News has reached out to ReliaQuest for further comment, and we will update the story if we hear back.
The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that could allow an attacker to obtain sensitive SAP configuration files.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Why NHIs Are Security’s Most Dangerous Blind Spot