Recent findings indicate that threat actors are exploiting a critical vulnerability in SAP NetWeaver to upload JSP-based web shells, giving them unauthorized file upload and code execution on the affected hosts. This development poses a significant risk to enterprises relying on SAP solutions, especially given that many of the affected systems were already running the latest security patches.
ReliaQuest, a prominent cybersecurity firm, reported a likely connection to previously disclosed vulnerabilities, including CVE-2017-9844, while also suggesting that an unreported remote file inclusion issue may exist. Their investigation raised concern about a zero-day vulnerability, since many of the exposed systems were already fully patched.
The vulnerability, located in the “/developmentserver/metadatauploader” endpoint, lets unauthorized users upload malicious web shells into the “servlet_jsp/irj/root/” directory. With that foothold, attackers can maintain persistent control over compromised systems, execute arbitrary commands, and exfiltrate sensitive information. Advanced tooling, such as the Brute Ratel C4 post-exploitation framework and the Heaven’s Gate technique for evading endpoint defenses, has also been observed in some of the attacks.
These incidents highlight a disturbing trend: attackers take days to move from initial access to full exploitation. That delay suggests some of them may be acting as initial access brokers, selling compromised access to other cybercriminal groups on underground forums.
ReliaQuest emphasized the high-value nature of SAP systems, which are widely used by government and enterprise entities and are increasingly targeted by attackers. Organizations that neglect timely updates and other security measures expose themselves to a heightened risk of compromise.
Compounding the issue, SAP recently released a critical patch for a separate vulnerability (CVE-2025-31324) that allows for arbitrary file uploads. This flaw further underscores the rising threats against SAP environments, which are often targeted for their critical roles within organizations.
According to Onapsis, this latest vulnerability is particularly dangerous because it can be exploited through unauthenticated HTTP/HTTPS requests to the vulnerable component. After successful exploitation, attackers can upload web shells that effectively grant them unrestricted access to the entire SAP system, including its databases.
Current data reveals a troubling number of exposed SAP NetWeaver servers, the majority located in the United States, India, and China. The roughly 7,562 exposed servers worldwide represent a critical security gap, although not every exposed instance is necessarily vulnerable.
As organizations strive to enhance their cybersecurity measures, they are advised to monitor specific indicators of compromise (IoCs) associated with this vulnerability. Furthermore, tools and resources are becoming available, such as open-source scanners developed by Onapsis, to help identify potentially vulnerable SAP systems.
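The two observable traces the article gives a defender are the upload endpoint and the directory the web shells land in. The script below is an added example, not code from the article, ReliaQuest, Onapsis, or SAP: it walks web-server access-log lines, flags POSTs to “/developmentserver/metadatauploader”, and flags requests for JSP files under the portal root, marking a JSP hit as correlated when the same source address hit the upload endpoint shortly before. It assumes an NCSA combined-style log format and assumes that files written to servlet_jsp/irj/root/ are served under the web path /irj/root/; both assumptions, and the sample log lines, are constructed for this example and should be adjusted to your environment.

```python
"""Added detection example: flag access-log entries matching the SAP NetWeaver
exploitation pattern described in the article (upload endpoint POST followed by
JSP requests under the portal root). Not from the original article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint path taken from the article.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Assumption: files dropped into servlet_jsp/irj/root/ are served under this web path.
WEBSHELL_WEB_PATH = "/irj/root/"

# Assumption: NCSA combined-style access log; adapt the regex to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def analyze(lines, window=timedelta(days=7)):
    """Return a list of findings.

    Rule 1: any POST to the upload endpoint (it should not be reachable
            unauthenticated, so every hit deserves review).
    Rule 2: any request for a .jsp under the web-shell path; correlated=True
            when the same source hit the endpoint within `window` beforehand,
            which is the strongest signal of an uploaded shell being used.
    """
    findings = []
    endpoint_hits = defaultdict(list)  # source ip -> timestamps of rule-1 hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        if rec["path"] == UPLOAD_ENDPOINT and rec["method"] == "POST":
            endpoint_hits[rec["ip"]].append(rec["ts"])
            findings.append({"rule": "upload_endpoint_post", "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"]})
        elif rec["path"].startswith(WEBSHELL_WEB_PATH) and rec["path"].lower().endswith(".jsp"):
            correlated = any(timedelta(0) <= rec["ts"] - t <= window
                             for t in endpoint_hits[rec["ip"]])
            findings.append({"rule": "jsp_under_root", "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "correlated": correlated})
    return findings


# Constructed sample log: one source POSTs to the endpoint and then fetches a JSP
# under the root path; a second source fetches a JSP without any prior endpoint hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2025:10:01:40 +0000] "GET /irj/root/tmp.jsp HTTP/1.1" 200 221',
    '198.51.100.7 - - [25/Apr/2025:10:05:03 +0000] "GET /irj/portal HTTP/1.1" 200 8732',
    '198.51.100.7 - - [25/Apr/2025:10:05:10 +0000] "GET /irj/root/info.jsp HTTP/1.1" 404 310',
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

In practice, feed the script your reverse proxy or ICM/Java HTTP access logs and pair its output with a file-integrity check on servlet_jsp/irj/root/ on the host itself: a flagged request with a 200 response for a JSP name you do not recognise is the pairing the article's IoC guidance is meant to catch, and a 404 for an unfamiliar JSP still tells you someone is probing for a shell.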
In conclusion, the recent surge in attacks targeting SAP NetWeaver reveals the evolving landscape of cybersecurity threats. With attackers employing sophisticated methods aligned with MITRE ATT&CK tactics like initial access, persistence, and privilege escalation, businesses must prioritize their cybersecurity strategies to mitigate risks effectively.