
Remote Shells and SAP - Inside the 2025 NetWeaver Exploits

In May 2025, a wave of sophisticated attacks exposed critical weaknesses within SAP NetWeaver, one of the world's most widely deployed enterprise platforms. Threat actors exploited two major vulnerabilities to gain remote access, execute arbitrary code, and in some cases, fully compromise targeted organizations.
This post unpacks the mechanics behind these exploits, explains the risk to enterprise systems, and provides actionable advice for mitigation.
The Unseen Backdoor: CVE-2025-31324
At the core of this crisis lies a zero-day flaw in SAP Visual Composer. Identified as CVE-2025-31324, the vulnerability permits unauthenticated file uploads via the metadata uploader endpoint.
Attackers exploited the following endpoint:
/VC/services/developmentserver/metadatauploader
This interface failed to validate file type, authentication, or upload location, enabling malicious actors to drop web shells such as cmd.jsp directly into accessible server paths. Once uploaded, attackers remotely accessed these files through the browser, gaining full command execution rights.
No login. No warning. Total control.
Affected systems often reside in energy, government, and healthcare infrastructures, making this breach not only a technical risk but also a national security concern.
The Chain Reaction: CVE-2025-42999
While the first vulnerability opened the door, CVE-2025-42999 deepened the compromise. This flaw allows insecure deserialization within SAP Visual Composer when authenticated users send manipulated Java objects.
Used together, these exploits offered a potent one-two punch: remote shell access followed by privilege escalation or lateral movement within the internal network.
Security researchers observed widespread weaponization of ysoserial-based payloads and web shells, followed by the deployment of post-exploitation tools like Cobalt Strike.
How to Respond
SAP has issued two essential patches:
SAP Note 3594142 (for CVE-2025-31324)
SAP Note 3604119 (for CVE-2025-42999)
If patching is delayed due to system constraints, immediate actions include:
Disable Visual Composer if unused
Restrict access to /VC/services/
Monitor logs for unauthorized uploads in /irj/servlet_jsp/irj/root
Deploy EDR rules for Java-based web shells
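As an added illustration of the log-monitoring step above (example code written for this post, not SAP's own tooling or any detection rule published with the patches), the following Python script scans access-log lines for the two indicators the post names: POST requests to the metadata uploader endpoint and subsequent requests for .jsp files under /irj/servlet_jsp/irj/root, then correlates the two by source address. The sample log lines, IP addresses, severity labels and the Finding structure are constructed for the example; the common-log-format regex is an assumption, since the exact format written by a given SAP front end or reverse proxy will differ and must be adapted.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: the vulnerable uploader endpoint and the
# web root where dropped JSP web shells such as cmd.jsp were observed.
UPLOADER_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_ROOT = "/irj/servlet_jsp/irj/root"

# Assumed common log format (client, ident, user, timestamp, request, status, size).
# Adapt this to the actual format of your SAP front end or reverse proxy.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one source posts to the uploader and then fetches a
# JSP under the web root; another source only probes the endpoint with GET.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:10:15:02 +0000] "POST /VC/services/developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2025:10:15:09 +0000] "GET /irj/servlet_jsp/irj/root/cmd.jsp HTTP/1.1" 200 88
198.51.100.4 - - [01/May/2025:10:16:30 +0000] "GET /irj/portal HTTP/1.1" 200 4210
192.0.2.9 - - [01/May/2025:10:17:11 +0000] "GET /VC/services/developmentserver/metadatauploader HTTP/1.1" 401 0
"""


@dataclass
class Finding:
    severity: str   # "medium", "high" or "critical" (labels chosen for this example)
    source: str     # client address from the log line
    reason: str     # human-readable explanation of the match
    line: str       # the raw log line, kept for triage


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so path checks are not fooled by parameters.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def classify(rec):
    """Map one parsed request to (severity, reason) or None if uninteresting."""
    path = rec["path"].lower()
    if UPLOADER_ENDPOINT in path:
        if rec["method"] == "POST":
            return ("high", "upload attempt against the metadata uploader endpoint")
        return ("medium", "probe of the metadata uploader endpoint")
    if path.startswith(WEBSHELL_ROOT) and path.endswith(".jsp"):
        return ("critical", "request for a JSP under the web root (possible web shell)")
    return None


def scan(lines):
    """Scan an iterable of log lines and return the list of Findings, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            findings.append(Finding(hit[0], rec["src"], hit[1], line))
    return findings


def correlate(findings):
    """Sources that both posted to the uploader and requested a JSP under the root.

    A source appearing in both sets is the strongest signal that an upload
    succeeded and the dropped file was then invoked.
    """
    uploaded = {f.source for f in findings if f.severity == "high"}
    invoked = {f.source for f in findings if f.severity == "critical"}
    return sorted(uploaded & invoked)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.source}: {f.reason}")
    print("sources with upload followed by JSP request:", correlate(results))
```

In practice this runs over the web server or reverse-proxy access log in front of the Java stack, and a hit from correlate() should trigger a review of the listed directory for unexpected .jsp files and an incident-response process rather than just an alert.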
Final Thoughts
The 2025 SAP incident is a reminder that core enterprise systems are increasingly targeted by sophisticated actors. This was not just a technical misstep. It was an opening into the heart of global digital operations.