Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
“The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue,” ReliaQuest said in a report published this week.
The cybersecurity said the possibility of a zero-day stems from the fact that several of the impacted systems were already running the latest patches.
The flaw is assessed to be rooted in the “/developmentserver/metadatauploader” endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the “servlet_jsp/irj/root/” path for persistent remote access and deliver additional payloads.
Put differently, the lightweight JSP web shell is configured to upload unauthorized files, enable entrenched control over the infected hosts, execute remote code, and siphon sensitive data.
Select incidents have been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven’s Gate to bypass endpoint protections.
At least in one case, the threat actors took several days to progress from successful initial access to follow-on exploitation, raising the possibility that the attacker may be an initial access broker (IAB) that’s obtaining and selling access to other threat groups on underground forums.
“Our investigation revealed a troubling pattern, suggesting that adversaries are leveraging a known exploit and pairing it with a mix of evolving techniques to maximize their impact,” ReliaQuest said.
“SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers. As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise.”
Coincidentally, SAP has also released an update to address a maximum severity security flaw (CVE-2025-31324, CVSS score: 10.0) that an attacker could exploit to upload arbitrary files.
“SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system,” an advisory for the vulnerability reads.
It’s likely that CVE-2025-31324 refers to the same unreported security defect given that the former also affects the metadata uploader component.
The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that could allow an attacker to obtain sensitive SAP configuration files.
Update
ReliaQuest has confirmed to The Hacker News that the malicious activity detailed above is indeed leveraging a new security vulnerability that’s now being tracked as CVE-2025-31324.
“This vulnerability, which we identified during our investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue,” the company said. “However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization.”
(The story was updated after publication to confirm the exploitation of a new zero-day flaw.)
