A newly discovered vulnerability in SAP NetWeaver is actively being exploited by cybercriminals to upload malicious JSP web shells, enabling them to execute unauthorized code and take control of targeted systems. The vulnerability, tracked as CVE-2025-31324, is particularly concerning because it allows arbitrary files to be uploaded without proper authorization, posing a direct risk to businesses and government agencies using SAP solutions.
The vulnerability resides in the “/developmentserver/metadatauploader” endpoint within the SAP NetWeaver environment. Exploiting this flaw allows threat actors to upload JSP-based web shells to the “servlet_jsp/irj/root/” path, providing persistent remote access to the infected systems. These web shells enable attackers to execute remote code, upload unauthorized files, and exfiltrate sensitive data.
ReliaQuest, a cybersecurity firm, reported that this vulnerability is likely tied to either a previously disclosed flaw like CVE-2017-9844 or a remote file inclusion (RFI) issue. The fact that several impacted systems were already running the latest patches suggests the potential for a zero-day vulnerability.
Details on the SAP NetWeaver Vulnerability (CVE-2025-31324): Brute Ratel and Heaven’s Gate
Further investigation into the attacks revealed that the Brute Ratel C4 post-exploitation framework was used in some cases, along with a technique called Heaven’s Gate to evade detection by endpoint protections. This suggests that the attackers are using advanced tools and strategies to maintain control over compromised systems.
In at least one case, the attackers took several days to escalate from initial access to full exploitation. This raised suspicions that the attackers may be acting as Initial Access Brokers (IABs), who typically acquire and sell access to compromised systems on underground forums. These brokers provide valuable entry points for other threat actors, further complicating the security landscape.
SAP NetWeaver is widely used by both enterprises and government organizations, making it an attractive target for cybercriminals. The platform’s on-premises deployment model leaves it particularly vulnerable to exploitation if patches and updates are not promptly applied.
Related Vulnerabilities: CVE-2025-31324 and CVE-2017-12637
Coinciding with the discovery of CVE-2025-31324, SAP released an update addressing this severe vulnerability, which could allow attackers to upload arbitrary files. The issue affects the NetWeaver Visual Composer Metadata Uploader, which lacked proper authorization protections, earning it a CVSS score of 10.0. Exploiting this vulnerability would allow unauthenticated attackers to upload potentially harmful executable binaries to the host system.
This discovery comes just a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that could allow attackers to obtain sensitive SAP configuration files.
Experts have confirmed that CVE-2025-31324 can be exploited through HTTP/HTTPS POST requests, allowing attackers to target the vulnerable “/developmentserver/metadatauploader” endpoint without requiring any authentication. Once successfully exploited, threat actors can upload arbitrary files, including web shells, which grant them full control over the system with the privileges of the SAP Operating System user.
These web shells allow the attacker to execute arbitrary commands in the system context, effectively granting them unrestricted access to any SAP resources, including the SAP system database. With this level of control, attackers can exfiltrate sensitive data, manipulate system operations, and compromise the integrity of the entire SAP environment.
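For defenders, the two observable steps described above (a POST to the metadata uploader, then a request for a JSP file placed in the portal root) can be hunted for in HTTP access logs. The following is an added example, not code from SAP or ReliaQuest; it assumes Common Log Format lines, assumes files under "servlet_jsp/irj/root/" are served directly under "/irj/", and uses constructed log lines and file names.

```python
import re

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named in the article
# Assumption: files written to servlet_jsp/irj/root/ are served directly under /irj/.
JSP_IN_IRJ_ROOT = re.compile(r"^/irj/[^/]+\.jspx?$", re.IGNORECASE)
# Assumption: Common Log Format lines, e.g. from a reverse proxy in front of NetWeaver.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample input (documentation IP ranges, made-up file names and dates).
SAMPLE_LOG = """\
192.0.2.10 - jdoe [01/Jan/2025:09:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2025:09:14:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.7 - - [01/Jan/2025:09:14:40 +0000] "GET /irj/example.jsp?x=1 HTTP/1.1" 200 87
203.0.113.5 - - [01/Jan/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
192.0.2.10 - jdoe [01/Jan/2025:10:05:00 +0000] "GET /irj/servlet/prt/portal/page.jsp HTTP/1.1" 200 900
""".splitlines()


def triage(lines):
    """Return (line_no, client_ip, rule, severity) for each suspicious request."""
    findings, uploaders = [], set()
    for line_no, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a parsable access-log line
        path = m["uri"].split("?", 1)[0].lower()
        accepted = m["status"].startswith("2")
        if m["method"] == "POST" and path.rstrip("/") == UPLOAD_PATH:
            # An accepted upload with no authenticated user is the core of the flaw.
            unauth = m["user"] == "-"
            severity = "high" if accepted and unauth else "medium"
            if accepted:
                uploaders.add(m["ip"])
            findings.append((line_no, m["ip"], "metadatauploader_post", severity))
        elif JSP_IN_IRJ_ROOT.match(path) and accepted:
            # A JSP directly under /irj/ fetched by a client that just uploaded
            # a file is a likely web shell; any other hit needs manual review.
            severity = "critical" if m["ip"] in uploaders else "medium"
            findings.append((line_no, m["ip"], "jsp_in_irj_root", severity))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A "medium" hit on the uploader endpoint (rejected request) still indicates probing and is worth correlating with the patch status of the host.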