In a recent revelation, OP Innovate has uncovered early evidence of real-world exploitation of CVE-2025-31324 (CVSS 10), a critical vulnerability in SAP NetWeaver Visual Composer, weeks before the flaw was publicly disclosed. Initially assumed to be a post-disclosure threat, OP Innovate's incident response report reveals that the attack may be linked to Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group.
"During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public," Matan Matalon from OP Innovate stated.
This zero-day targets the /developmentserver/metadatauploader endpoint in SAP NetWeaver, allowing unauthenticated attackers to upload arbitrary files, including web shells, via simple HTTP requests.
"No authentication required. Attack surface exposed via standard HTTP(S). Commonly deployed in enterprise SAP environments," the report warns.
The severity lies in its trivial exploitation path and potential for full remote code execution, making it a potent gateway for ransomware operators.
Initial access was achieved by exploiting an exposed SAP Metadata Uploader endpoint, likely made vulnerable by a misconfigured load balancer. Attackers uploaded JSP-based web shells such as random12.jsp and xxkmszdm.jsp into the SAP IRJ directory, granting themselves unrestricted command execution.
The threat actor attempted to:
Communicate with Cobalt Strike C2 servers (180[.]131[.]145[.]73, 184[.]174[.]96[.]74)
Download a tunneling payload (rs64c.exe) from a known Qilin-linked IP
Rename and prepare it as svchost.exe for execution
"The attacker downloaded the tunneling tool rs64c.exe from http[:]//184[.]174[.]96[.]74/rs64c.exe, an IP in the same subnet as the Qilin-linked IP 184[.]174[.]96[.]70."
Shortly after public disclosure, a second attack using the same SAP vulnerability was observed. Different web shells were used, and this time PowerShell-based downloads from bashupload.com were attempted. However, no signs link this attack to the earlier one, and once again, defensive tools neutralized the threat before execution.
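The indicators named above (the metadatauploader endpoint, the two web shell filenames in the IRJ directory, the Cobalt Strike and download IPs, rs64c.exe, and bashupload.com) are enough to write a first-pass hunt over web server access logs and outbound connection logs. The following is an added example written for this article, not code from OP Innovate or SAP: it assumes the access log is in Common Log Format and invents a simple egress-log layout (timestamp, host, destination IP, port, URL). All log lines are constructed; the only real values are the indicators quoted from the report.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Indicators as quoted in the article (defanged there; re-fanged here for matching).
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"random12.jsp", "xxkmszdm.jsp"}
KNOWN_BAD_IPS = {"180.131.145.73", "184.174.96.74", "184.174.96.70"}
KNOWN_STAGING_HOSTS = {"bashupload.com"}
KNOWN_TOOL_NAMES = {"rs64c.exe"}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed egress-log layout (constructed for this example): ts host dst_ip dst_port url-or-dash
EGRESS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    evidence: str


def analyze_access_log(text: str) -> List[Finding]:
    """Flag accepted uploads to the Visual Composer endpoint, web shell hits and known bad sources."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m["target"].split("?", 1)[0]
        lower = path.lower()
        name = lower.rsplit("/", 1)[-1]
        # Rule 1: a POST to the metadata uploader that the server answered with 2xx.
        if m["method"] == "POST" and lower.startswith(UPLOAD_ENDPOINT) and m["status"].startswith("2"):
            findings.append(Finding(n, "metadatauploader_post_accepted", f'{m["ip"]} -> {path} ({m["status"]})'))
        # Rule 2: a request for one of the web shell names reported in the incident.
        if name in KNOWN_WEBSHELLS:
            findings.append(Finding(n, "known_webshell_request", f'{m["ip"]} -> {path}'))
        # Rule 3 (assumption): a .jsp served directly from the IRJ root is not normal portal traffic.
        elif lower.startswith("/irj/") and name.endswith(".jsp") and lower.count("/") == 2:
            findings.append(Finding(n, "jsp_in_irj_root", f'{m["ip"]} -> {path}'))
        # Rule 4: source address is one of the reported C2 / download IPs.
        if m["ip"] in KNOWN_BAD_IPS:
            findings.append(Finding(n, "known_bad_source_ip", m["ip"]))
    return findings


def analyze_egress_log(text: str) -> List[Finding]:
    """Flag outbound connections to reported IPs, staging hosts and tool downloads."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = EGRESS_RE.match(line)
        if not m:
            continue
        dst, url = m["dst"], m["url"]
        if dst in KNOWN_BAD_IPS:
            findings.append(Finding(n, "egress_known_bad_ip", f'{m["host"]} -> {dst}:{m["port"]}'))
        if url != "-":
            parsed = urlparse(url)
            if parsed.hostname in KNOWN_STAGING_HOSTS:
                findings.append(Finding(n, "egress_known_staging_host", f'{m["host"]} -> {parsed.hostname}'))
            if parsed.path.rsplit("/", 1)[-1].lower() in KNOWN_TOOL_NAMES:
                findings.append(Finding(n, "download_known_tool_name", f'{m["host"]} -> {url}'))
    return findings


# Constructed sample logs (not real traffic); 203.0.113.x / 198.51.100.x are documentation ranges.
ACCESS_LOG = """\
203.0.113.10 - - [01/Apr/2025:10:15:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [01/Apr/2025:10:15:04 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.10 - - [01/Apr/2025:10:15:09 +0000] "GET /irj/random12.jsp HTTP/1.1" 200 64
198.51.100.7 - - [01/Apr/2025:10:16:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 64
198.51.100.7 - - [01/Apr/2025:10:16:30 +0000] "GET /irj/servlet/prt/portal/prtroot/example HTTP/1.1" 200 9000
180.131.145.73 - - [01/Apr/2025:10:17:00 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""

EGRESS_LOG = """\
2025-04-01T10:20:11Z SAPHOST01 180.131.145.73 443 -
2025-04-01T10:20:15Z SAPHOST01 184.174.96.74 80 http://184.174.96.74/rs64c.exe
2025-04-01T10:21:00Z SAPHOST01 203.0.113.50 443 https://bashupload.com/abc123/update.ps1
2025-04-01T10:22:00Z SAPHOST01 203.0.113.99 443 https://updates.example.com/catalog
"""

if __name__ == "__main__":
    for f in analyze_access_log(ACCESS_LOG) + analyze_egress_log(EGRESS_LOG):
        print(f"line {f.line_no:>2}  {f.rule:<32} {f.evidence}")
```

On the sample input the access-log pass raises four findings (the accepted upload, the random12.jsp hit, an unlisted .jsp in the IRJ root, and a request from a reported C2 address) and the egress pass raises four more (two connections to reported IPs, the rs64c.exe download, and a fetch from bashupload.com). Rule 3 is the one to tune: it treats any .jsp directly under /irj/ as suspicious, which is an assumption about the deployment rather than something the report states.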
The Qilin connection stems from multiple overlaps:
Cobalt Strike infrastructure linked to known Qilin campaigns
Exact IP addresses and file paths matched Indonesia's National Cyber and Crypto Agency (BSSN) IOC bulletin
Use of rs64c.exe, a common Qilin utility, staged precisely in C:\ProgramData\
"These direct overlaps... support a high-confidence assessment that the infrastructure leveraged in this incident aligns with known Qilin operations," the report concludes.
Given the ease of exploitation and the exposure of SAP systems in large enterprises, OP Innovate recommends:
Patch immediately to SAP's emergency fix
Audit exposure of internal SAP services via load balancers or proxies
Deploy WASP scanners (like the one OP Innovate developed) to detect insecure deserialization