In a report issued by Unit 42, researchers disclosed that the vulnerability CVE-2025-31324, affecting SAP NetWeaver's Visual Composer Framework (version 7.50), is being actively exploited in the wild. This flaw, rated CVSS 10.0, allows unauthenticated attackers to upload and execute arbitrary files on SAP application servers, resulting in remote code execution (RCE) and full system compromise.
The root of the vulnerability lies in a missing authorization check within the /developmentserver/metadatauploader endpoint. This insecure upload handler allows unauthenticated users to place files into web-accessible directories on the server (e.g., /irj/servlet_jsp/irj/root/), including malicious JSP web shells.
"The attacker can then access the web shell via a web browser… [and] execute arbitrary operating system commands with the privileges of the SAP application server process," Unit 42 explained.
Unit 42 observed attackers deploying web shells like helper.jsp, cache.jsp, and ran.jsp, the latter supporting a cmd parameter for remote command execution. The attackers then escalated activity by deploying additional tools.
Following the initial breach, attackers used the backdoor to download config.sh, which launched GOREVERSE, an advanced open-source remote shell tool offering:
- SSH-based shell management
- Dynamic forwarding (SOCKS, SCP, SFTP)
- Multiple transport layers (HTTP, TLS, WebSockets)
- Mutual authentication for secure channels

"The sample we observed was a 64-bit ELF binary that was obfuscated using another open-source tool called Garble… downloaded from ocr-freespace.oss-cn-beijing.aliyuncs[.]com," the report continued.
The threat actors also leveraged SUPERSHELL, a powerful C2 framework, and used known malicious IP addresses including 47.97.42[.]177 and 45.76.93[.]60 to maintain persistent access.
The attackers hosted payloads using legitimate cloud services such as Cloudflare Pages, where a Base64-encoded PowerShell script was hosted on d-69b.pages[.]dev. Once executed, the script:
- Generated SSH keys
- Killed active ssh.exe and sshd.exe processes
- Downloaded OpenSSH binaries
- Established tunnels back to attacker-controlled infrastructure

Interestingly, Unit 42's telemetry indicates that the vulnerability may have been probed as early as January 2025, with mass exploitation observed beginning in March 2025, well before SAP's public disclosure on April 24, 2025.
Given the ease of exploitation and critical impact, SAP NetWeaver users must immediately apply patches and monitor for unusual activity, particularly access to the /developmentserver/metadatauploader endpoint or presence of known malicious JSP files.
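As an added illustration of the monitoring advice above (this is not code from Unit 42 or SAP), the following Python script scans HTTP access-log lines for the indicators named in the report: requests to the /developmentserver/metadatauploader endpoint, requests for the three JSP names under /irj/servlet_jsp/irj/root/, a cmd query parameter on such a JSP, and the two listed IP addresses. It assumes a common-log-style access log layout; the sample log lines are constructed and use RFC 5737 documentation addresses for clients other than the two from the report.

```python
import re

# Indicators named in the Unit 42 reporting summarised above.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_DIR = "/irj/servlet_jsp/irj/root/"
KNOWN_SHELLS = {"helper.jsp", "cache.jsp", "ran.jsp"}
KNOWN_BAD_IPS = {"47.97.42.177", "45.76.93.60"}

# Assumption: the access log uses a common/combined-log style layout:
#   client ident user [timestamp] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> list[str]:
    """Return the indicator tags that match one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed-line"]  # cannot be assessed; surface it for review
    tags = []
    path, _, query = m["path"].partition("?")
    path = path.lower()
    if path.startswith(UPLOAD_ENDPOINT):
        # Any hit on the unauthenticated upload handler is worth review; a POST
        # is the shape a file drop would take.
        tags.append("metadatauploader-" + m["method"].lower())
    if path.startswith(WEBSHELL_DIR) and path.endswith(".jsp"):
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_SHELLS:
            tags.append("known-webshell:" + name)
        else:
            tags.append("jsp-under-irj-root")  # lower confidence: name not in the report
        if "cmd=" in query.lower():
            tags.append("cmd-parameter")
    if m["client"] in KNOWN_BAD_IPS:
        tags.append("known-bad-ip:" + m["client"])
    return tags


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, tags) for every line that raised at least one tag."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.5 - - [25/Apr/2025:10:02:17 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.5 - - [25/Apr/2025:10:02:45 +0000] "GET /irj/servlet_jsp/irj/root/ran.jsp?cmd=whoami HTTP/1.1" 200 87
45.76.93.60 - - [25/Apr/2025:10:05:00 +0000] "GET /irj/servlet_jsp/irj/root/cache.jsp HTTP/1.1" 200 64
"""
```

Running `scan(SAMPLE_LOG)` flags lines 2 to 4 and leaves the ordinary portal request alone; a filesystem check for the same JSP names under the web root complements the log view.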