Qilin Exploits SAP Zero-Day Vulnerability Weeks Ahead of Public Disclosure


Cybersecurity experts at OP Innovate have uncovered evidence that CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer, was actively exploited nearly three weeks before its public disclosure.

This flaw, residing in the /developmentserver/metadatauploader endpoint, lacks proper authentication and authorization controls, enabling unauthenticated attackers to upload malicious files like web shells, leading to potential remote code execution.

Rated with a CVSS score of 10.0 by SAP, the vulnerability’s ease of exploitation and severe impact have made it a prime target for threat actors.


While the security community initially believed exploitation began post-disclosure, this finding suggests sophisticated attackers, specifically the Russian-speaking Qilin Ransomware-as-a-Service (RaaS) group, gained early access to this critical flaw, exploiting it in a major enterprise environment long before patches or alerts were available.

Early Exploitation Uncovered

During an incident response for a global enterprise, OP Innovate’s forensic analysis revealed two distinct exploitation attempts targeting CVE-2025-31324.

The first, occurring pre-disclosure, involved attackers leveraging a misconfigured load balancer to access the vulnerable endpoint, uploading JSP-based web shells to the SAP IRJ directory for remote code execution.

The attackers initiated outbound communication with Cobalt Strike command-and-control (C2) infrastructure and attempted to stage a reverse SOCKS5 tunneling tool, rs64c.exe, from IPs directly linked to Qilin’s known infrastructure, such as 184.174.96.74.

Matching indicators from Indonesia’s National Cyber and Crypto Agency (BSSN) bulletin further confirmed these ties, highlighting identical file paths and IP addresses used by Qilin.

[Figure: BSSN bulletin listing the infrastructure attributed to Qilin]

Qilin’s Tactical Play and Defensive Wins

A second post-disclosure attempt by an unattributed actor followed a similar pattern but used different infrastructure.

Fortunately, robust defensive controls, namely firewall blocking of C2 traffic and endpoint detection and response (EDR) quarantining of payloads, prevented execution, lateral movement, and data exfiltration in both cases.

Despite successful initial access, the attackers’ post-exploitation efforts were thwarted, offering a rare glimpse into zero-day exploitation in the wild and underscoring Qilin’s strategy of targeting enterprise middleware like SAP for ransomware staging.

OP Innovate also developed a specialized WASP scanner to detect such deserialization flaws in SAP systems, which is now actively scanning for vulnerable instances.

Key Indicators of Compromise (IOCs)

| IOC Type   | IOC                                           | Hash Type | Description                              | Notes                                      |
|------------|-----------------------------------------------|-----------|------------------------------------------|--------------------------------------------|
| File Hash  | D1C43F8DB230BDF18C61D672440EBA12              | MD5       | Old executable (test.exe)                | Downloaded to C:\ProgramData\temp.exe      |
| File Hash  | 6914B1F5B6843341FAFDFAA9D57818B9              | MD5       | New executable (test.exe)                | Downloaded to C:\ProgramData\temp_new.exe  |
| IP Address | 184.174.96.70                                 |           | Known Qilin C2 or payload host           | Listed in BSSN bulletin                    |
| IP Address | 184.174.96.74                                 |           | Staging IP for rs64c.exe                 | Used for downloading reverse tunneler      |
| IP Address | 180.131.145.73                                |           | Qilin-associated C2 IP                   | Attempted communication from target system |
| URL        | http://184.174.96.74/rs64c.exe                |           | Download URL for reverse SOCKS5 tunneler | Hosted on Qilin-linked IP                  |
| File Names | random12.jsp, xxkmszdm.jsp, ran_new.jsp, etc. |           | Randomized JSP web shells                | Uploaded to SAP root path                  |
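As an added illustration (not part of OP Innovate's report or its WASP scanner), the following Python triage script applies the indicators above and the vulnerable endpoint named in the article to constructed web-access and egress log lines. The Apache-style access log layout, the key=value firewall/proxy layout and the 203.0.113.x / 10.x addresses are assumptions, not data from the incident.

```python
import re
from typing import List

# Indicators taken from the article's IOC table and the vulnerable endpoint it names.
IOC_IPS = {"184.174.96.70", "184.174.96.74", "180.131.145.73"}
IOC_SHELLS = {"random12.jsp", "xxkmszdm.jsp", "ran_new.jsp"}
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: the web tier logs in Apache combined format; SAP's own log layout may differ.
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Dotted-quad matcher that will not match a prefix of a longer address (e.g. .70 inside .700).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def triage_access_log(lines: List[str]) -> List[dict]:
    """Flag POSTs to the unauthenticated upload endpoint and requests for the known shell names."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # do not guess at lines that fail to parse
        path = m.group("path").split("?", 1)[0]
        name = path.rsplit("/", 1)[-1].lower()
        if path.lower() == VULN_ENDPOINT and m.group("method").upper() == "POST":
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "why": "upload to metadatauploader"})
        elif name in IOC_SHELLS:
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "why": f"known web shell {name}"})
    return hits

def triage_egress_log(lines: List[str]) -> List[dict]:
    """Flag outbound firewall/proxy events touching Qilin-linked IPs, noting whether they were blocked."""
    hits = []
    for line in lines:
        matched = set(IPV4_RE.findall(line)) & IOC_IPS
        if matched:
            hits.append({"ioc": sorted(matched)[0], "blocked": "action=deny" in line, "raw": line})
    return hits

# Constructed sample logs (not from the incident); addresses are documentation/private ranges.
ACCESS_LOG = [
    '203.0.113.5 - - [07/Apr/2025:09:12:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Apr/2025:09:13:02 +0000] "GET /irj/random12.jsp HTTP/1.1" 200 88',
    '198.51.100.9 - - [07/Apr/2025:09:20:10 +0000] "GET /irj/portal HTTP/1.1" 200 4021',
]
EGRESS_LOG = [
    "2025-04-07T09:15:01Z proxy action=deny src=10.20.30.40 url=http://184.174.96.74/rs64c.exe",
    "2025-04-07T09:15:30Z fw action=deny src=10.20.30.40 dst=180.131.145.73 dport=443",
    "2025-04-07T09:16:00Z fw action=allow src=10.20.30.40 dst=192.0.2.10 dport=443",
]

if __name__ == "__main__":
    for hit in triage_access_log(ACCESS_LOG) + triage_egress_log(EGRESS_LOG):
        print(hit)
```

On real data the two functions would be fed the SAP front-end access log and the perimeter firewall/proxy log respectively; a hit in the first without a corresponding deny in the second is the case that warrants immediate containment.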
