CISA Adds SAP NetWeaver Vulnerability to KEV Catalog

On April 29, 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) Catalog. Inclusion in the KEV means CISA has evidence of active exploitation in the wild, so remediation is urgent for every exposed installation, not only for federal agencies.

1. Vulnerability Overview

CVE-2025-31324: Unrestricted File Upload Flaw

  • Description: The flaw is in the Metadata Uploader component of SAP NetWeaver Visual Composer. A missing authorization check lets an unauthenticated attacker upload arbitrary files, including executable content such as JSP pages, onto the server, which leads to remote code execution (RCE).
  • Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type).
  • Severity: CVSS 3.1 base score 10.0 (Critical).
  • Impact: Full compromise of the affected system, with the privileges of the Java application server process.

2. Affected Products

SAP NetWeaver Application Server Java

  • The vulnerable code is in the Visual Composer Framework (software component VCFRAMEWORK 7.50). Systems without Visual Composer deployed are not affected, but the component is commonly present on NetWeaver Java installations.
  • Vulnerable endpoint: /developmentserver/metadatauploader.

3. Exploitation Details

How It Works

  • Attackers send a crafted POST request to the vulnerable endpoint to upload a JSP webshell into a web-accessible directory of the portal application. Requesting that JSP afterwards executes attacker-supplied commands and gives persistent backdoor access.
  • No authentication or special privileges are required, so any host that can reach the endpoint over HTTP(S) can exploit it.

Observed Techniques

  • After gaining a foothold through the webshell, threat actors have been observed using advanced post-exploitation tooling, including:
  • Brute Ratel C4, a commercial command-and-control framework marketed to red teams and abused here for persistence and lateral movement.
  • The Heaven's Gate technique, in which a 32-bit process switches into 64-bit execution mode to evade security products that hook only the 32-bit API layer.
  • Compiling payloads with MSBuild and injecting the result into legitimate system processes to evade detection.

4. Impact

Potential Risks

  • Remote Code Execution: Attackers gain full control over the targeted SAP system.
  • Data Breach: Sensitive business data, financial records, and personally identifiable information are at risk.
  • Pivoting: Exploited systems can serve as footholds for lateral movement into connected networks.

5. Mitigation Strategies

A. Apply Security Updates

SAP released an emergency fix for CVE-2025-31324 in SAP Security Note 3594142, published out of band in April 2025. Apply it immediately. If patching must be delayed, implement the access restrictions below as an interim measure and assume the system may already have been compromised if the endpoint was reachable from the internet.

B. Restrict Access

  • Restrict access to /developmentserver/metadatauploader to trusted source addresses at the network edge or reverse proxy, and preferably block it from the internet entirely; it is a development-time component with no business need to be publicly reachable.
  • If Visual Composer is not in use, remove or disable the component so the endpoint no longer exists.

C. Monitor for Exploitation

  • Forward the ICM HTTP access logs and the Java server logs to a Security Information and Event Management (SIEM) system and alert on any POST request to /developmentserver/metadatauploader, especially from an external or unexpected source.
  • Inspect the servlet_jsp directories of the portal application (j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root and irj/work) for JSP files that are not part of the installation. An unexplained .jsp file there is a likely webshell and should be treated as evidence of compromise and preserved for investigation, not simply deleted.
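The two checks above, as an added example for triage (this is not code from the original post, from SAP or from CISA). It assumes a CLF-style access log line, which you should adjust to the LOGFORMAT of your icm/HTTP/logging_<n> parameter, and a standard servlet_jsp directory layout; the log lines and the directory tree it scans are constructed here for illustration.

```python
import re
import tempfile
from pathlib import Path

# Endpoint named in the advisory. Case-insensitive so that mixed-case variations and
# appended query strings are still caught.
UPLOADER_RE = re.compile(r"/developmentserver/metadatauploader", re.IGNORECASE)

# Heuristic (assumption): a JSP served directly from the irj application root, e.g.
# /irj/helper.jsp, is not normal portal traffic (which goes through /irj/portal) and is
# how an uploaded webshell would be reached.
ROOT_JSP_RE = re.compile(r"^/irj/[^/?]+\.jsp(\?|$)", re.IGNORECASE)

# Assumed CLF-style access log line:
#   client ident user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_log(lines):
    """Yield a dict per line that matches LOG_RE; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_uploader_requests(lines):
    """Return every request that touched the Metadata Uploader as
    (client, ts, method, path, status). A GET is usually a scanner checking for
    exposure; a POST is an upload attempt and warrants an incident ticket."""
    return [
        (r["client"], r["ts"], r["method"], r["path"], r["status"])
        for r in parse_access_log(lines)
        if UPLOADER_RE.search(r["path"])
    ]


def find_root_jsp_requests(lines):
    """Return (client, ts, path, status) for requests to a JSP directly under /irj/."""
    return [
        (r["client"], r["ts"], r["path"], r["status"])
        for r in parse_access_log(lines)
        if ROOT_JSP_RE.match(r["path"])
    ]


# Directory where uploaded JSP webshells have been found on compromised systems, relative
# to the instance's j2ee directory. Assumption: your layout matches; adjust if not.
SERVLET_JSP_ROOT = Path("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root")


def find_unexpected_jsp(root, known_good=frozenset()):
    """List .jsp files under root (as relative POSIX paths) that are not in known_good,
    a set of names taken from a clean reference install. Everything returned should be
    examined and preserved, not deleted."""
    root = Path(root)
    found = {p.relative_to(root).as_posix() for p in root.rglob("*.jsp")}
    return sorted(found - set(known_good))


# ---- constructed sample data (not real logs) --------------------------------------
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:02:33 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 814
203.0.113.7 - - [24/Apr/2025:10:02:35 +0000] "POST /DevelopmentServer/MetadataUploader?dummy=1 HTTP/1.1" 200 0
203.0.113.7 - - [24/Apr/2025:10:02:40 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 231
10.0.0.9 - - [24/Apr/2025:10:05:00 +0000] "POST /sap/bc/ping HTTP/1.1" 404 0
this line is garbage and is skipped
"""


def demo_jsp_scan():
    """Build a throwaway tree resembling the servlet root (constructed data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / SERVLET_JSP_ROOT
        (root / "WEB-INF").mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- shipped with the portal --%>")
        (root / "helper.jsp").write_text("<%-- not part of the install --%>")
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        return find_unexpected_jsp(root, known_good={"index.jsp"})


if __name__ == "__main__":
    for hit in find_uploader_requests(SAMPLE_LOG.splitlines()):
        print("uploader request:", hit)
    for hit in find_root_jsp_requests(SAMPLE_LOG.splitlines()):
        print("direct JSP request:", hit)
    print("unexpected JSP files:", demo_jsp_scan())
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents, and point find_unexpected_jsp at the actual servlet_jsp directories with a known_good set built from a clean system of the same patch level. A POST to the uploader followed shortly by requests to a new JSP from the same client, as in the constructed sample, is the pattern reported in the wild.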

6. Compliance Requirements

Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by May 20, 2025.

Conclusion

The addition of CVE-2025-31324 to the KEV Catalog underscores the critical nature of this vulnerability and the importance of immediate action. Organizations using SAP NetWeaver must prioritize patching and implement robust access controls to mitigate risks.
