Critical SAP NetWeaver Vulnerability Exploited to Deploy Web Shells and Brute Ratel Framework

A significant security vulnerability has been identified in SAP NetWeaver, a widely used enterprise resource planning (ERP) platform. This flaw is being actively exploited by threat actors to upload JavaServer Pages (JSP) web shells, enabling unauthorized file uploads and remote code execution.

Cybersecurity firm ReliaQuest has reported that the exploitation may be linked to a previously disclosed vulnerability, such as CVE-2017-9844, or potentially an unreported remote file inclusion (RFI) issue. Notably, several affected systems were already running the latest patches, suggesting the possibility of a zero-day vulnerability.

The root cause of this flaw appears to be in the /developmentserver/metadatauploader endpoint within the NetWeaver environment. This vulnerability allows attackers to upload malicious JSP-based web shells to the servlet_jsp/irj/root/ directory, granting persistent remote access and the capability to deploy additional payloads.

These lightweight JSP web shells are designed to facilitate unauthorized file uploads, maintain control over compromised hosts, execute remote code, and exfiltrate sensitive data. In certain instances, attackers have utilized the Brute Ratel C4 post-exploitation framework and employed the Heaven’s Gate technique to evade endpoint security measures.
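A defender-side triage check for the activity described above, added here as an example rather than code from the article or from ReliaQuest: it scans web access logs for POSTs to the /developmentserver/metadatauploader endpoint and for JSP requests under the portal path, and raises the severity when the same client does both. The log lines are constructed samples; the assumption that files dropped in servlet_jsp/irj/root/ are served under the /irj/ web path, and the correlation by client IP, are the author's assumptions, not statements from the page.

```python
import re
from collections import defaultdict

# Common Log Format shape used by the constructed sample lines below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the reporting; the /irj/ web path mapping is an assumption.
UPLOADER = "/developmentserver/metadatauploader"
IRJ_JSP = re.compile(r"^/irj/[^?]*\.jsp$", re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2025:10:01:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Apr/2025:10:01:20 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.4 - - [22/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '198.51.100.4 - - [22/Apr/2025:10:05:02 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 2048',
]


def find_suspicious_events(lines):
    """Return a list of findings, one per line of interest, in log order.

    kinds: uploader_post    - any POST to the metadata uploader (review; the
                              endpoint also has legitimate Visual Composer use)
           jsp_after_upload - JSP under /irj/ from a client that POSTed to the
                              uploader earlier in the log (high severity)
           irj_jsp_request  - JSP under /irj/ with no prior upload from that IP
    """
    uploaders = defaultdict(list)  # client IP -> timestamps of uploader POSTs
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        bare = path.split("?", 1)[0].lower()
        if method == "POST" and bare == UPLOADER:
            uploaders[ip].append(ts)
            findings.append({"ip": ip, "ts": ts, "kind": "uploader_post",
                             "severity": "review", "path": path, "status": status})
        elif IRJ_JSP.match(bare):
            correlated = ip in uploaders
            findings.append({"ip": ip, "ts": ts, "path": path, "status": status,
                             "kind": "jsp_after_upload" if correlated else "irj_jsp_request",
                             "severity": "high" if correlated else "low"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_events(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['kind']:17} {f['ip']:14} {f['path']}")
```

A real deployment would also compare the on-disk contents of servlet_jsp/irj/root/ against a known-good inventory, since a log-only check misses uploads that arrive through a different client address.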

In at least one case, there was a delay of several days between the initial access and subsequent exploitation, indicating that the attackers may be initial access brokers (IABs). These IABs typically gain access to systems and then sell this access to other threat groups on underground forums.

ReliaQuest’s investigation has uncovered a concerning trend: adversaries are combining known exploits with evolving techniques to maximize their impact. Given that SAP solutions are often utilized by government agencies and large enterprises, they represent high-value targets for attackers. Since these solutions are frequently deployed on-premises, the responsibility for security measures falls on the users. Failure to promptly apply updates and patches increases the risk of system compromise.

Coinciding with these findings, SAP has released an update to address a critical security flaw (CVE-2025-31324) with a CVSS score of 10.0. This vulnerability allows an attacker to upload arbitrary files. According to the advisory, SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system.

It is likely that CVE-2025-31324 pertains to the same unreported security defect, as it also affects the metadata uploader component.

This disclosure comes shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637), which could allow an attacker to obtain sensitive SAP configuration files.

Update:

ReliaQuest has confirmed that the malicious activity described above is leveraging a new security vulnerability, now tracked as CVE-2025-31324. The company stated, "This vulnerability, which we identified during our investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue. However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization."