Cybersecurity researchers have unveiled the inner workings of an exploit script targeting a critical zero-day vulnerability in SAP NetWeaver’s Visual Composer Metadata Uploader, now designated as CVE-2025–31324.
This flaw stems from a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, enabling unauthenticated file uploads that can lead to remote code execution (RCE) under the SAP service account privileges.
The script, originally published by vx-underground, automates the process by crafting HTTP POST requests to upload arbitrary files, such as malicious JSP web shells, thereby granting attackers persistent access to affected systems.
Vulnerability Exploitation
The exploit leverages the servlet’s failure to validate uploads, allowing files to be written directly to web-accessible directories like /irj/servlet_jsp/irj/root/.
In check mode, the script employs a Java deserialization payload for stealthy verification via out-of-band application security testing (OAST), where a serialized object triggers a callback to an attacker-controlled server without deploying a visible shell.
For full exploitation, it switches to uploading a JSP web shell, often encoded in Base64 within the script to evade detection, decoded at runtime, and transmitted via multipart/form-data POST requests.
According to the report, the payload, such as a helper.jsp file, incorporates command injection patterns using Runtime.getRuntime().exec() to execute system commands passed via URL parameters like ?cmd=, streaming output back to the attacker.
Supporting features include argument parsing for multi-target scanning, threading for concurrent operations, and options for legacy SSL handling and certificate bypassing, making it robust against varied network environments.
Randomization of filenames, such as generating 8-character alphanumeric strings or prefixing dots for concealment, further enhances evasion, while the script’s logic ensures compatibility with SAP’s Java-based architecture, potentially extending to WAR or JAR deployments for advanced persistence.
Defensive Measures
Post-exploitation artifacts include unusual HTTP traffic to the metadatauploader endpoint, often with python-requests User-Agents and multipart forms containing JSP filenames, alongside unexpected files in SAP directories exhibiting exec patterns or known hashes like 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087.
Server logs may reveal webshell invocations with encoded commands, outbound connections to malicious hosts for tool downloads, or anomalous processes spawned by the SAP Java engine, such as bash executions decoding Base64 payloads.
Mitigation begins with applying SAP Security Note 3594142, released in April 2025, to enforce authorization checks.
Interim steps involve network isolation of the endpoint, disabling Visual Composer if unused, and deploying WAF rules to block suspicious uploads. Detection strategies emphasize scanning for IoCs using tools like Nuclei templates, reviewing logs for unauthenticated POSTs, and monitoring egress traffic.
Endpoint detection rules targeting SAP processes launching shells or network utilities provide ongoing protection, underscoring the need for rapid patching amid widespread exploitation by cybercriminals and state actors since March 2025.
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
