U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in SAP NetWeaver to its Known Exploited Vulnerabilities (KEV) catalog, warning that thousands of internet-facing applications are potentially at risk.
Researchers from ReliaQuest recently discovered the vulnerability while investigating multiple attacks on SAP NetWeaver systems. The flaw, tracked as CVE-2025-31324, has a severity score of 10/10 and stems from a lack of proper authorization checks in the SAP NetWeaver Visual Composer Metadata Uploader.
The vulnerability allows unauthenticated attackers to upload malicious executable files that can then be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. The weakness lies in the metadata uploader feature, which is designed to handle metadata files for application development and configuration in SAP applications within the NetWeaver environment.
Researchers warned that attackers exploited the Metadata Uploader to upload malicious JSP webshells using crafted POST requests, then executed them with GET requests to gain full control of the target systems. The webshells were deployed in the same root directory, had similar capabilities, and reused code from a public GitHub RCE project.
Threat actors exploited the servlet_jsp/irj/root/ path to plant JSP webshells, with names such as “helper.jsp” or “cache.jsp,” enabling remote command execution. Attackers used the webshells to run system commands via GET requests, upload files, and maintain persistence.
In one of the attacks, the threat actor relied on Brute Ratel and Heaven’s Gate to enhance stealth and control, signaling a sophisticated threat aimed at full system compromise and data theft. The delayed follow-up after initial access suggests that the attacker may be an initial access broker, likely selling access via VPN, RDP, or vulnerabilities on forums.
According to ReliaQuest's report, the activity resembles past exploitation of CVE-2017-9844, but because the affected systems were already patched against that flaw, analysts assess with high confidence that an unreported RFI flaw in SAP NetWeaver is being used. It currently remains unconfirmed whether this only impacts specific versions of NetWeaver; however, in the cases where these tactics were observed, the server had the most up-to-date patch.
CISA ordered federal agencies to fix this vulnerability by May 20, 2025. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure to protect against attacks exploiting the flaws in the catalog.
What You Can Do
* Review your SAP NetWeaver systems for any signs of exploitation.
* Apply the latest security patch released by SAP.
* Monitor your systems for any suspicious activity.
* Consider implementing additional security measures to prevent exploitation.
By taking these steps, you can help protect your organization against potential threats and minimize the risk of a successful attack.
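As an added example (not code from the article or from ReliaQuest's report), the Python below applies the "review for signs of exploitation" step to web-server access logs: it flags GET requests for .jsp files under /irj/ that are not in a known baseline, and marks those preceded by a POST from the same address to the Metadata Uploader, whose endpoint path is left as a placeholder. It assumes the common access-log format and that the servlet_jsp/irj/root/ directory named above is served under the /irj/ URL prefix; verify both against your own deployment.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the article): UPLOADER_PATH is a placeholder for the
# Metadata Uploader endpoint on your installation, and webshell URLs appear
# under /irj/, the web mapping of servlet_jsp/irj/root/; verify both locally.
UPLOADER_PATH = "/METADATA-UPLOADER-PATH-PLACEHOLDER"
SHELL_PREFIX = "/irj/"
WINDOW = timedelta(hours=24)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def parse(line):
    """Parse one common-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_webshell_activity(lines, known_jsp=frozenset()):
    """Return (ip, path, reason) for each GET of a .jsp under SHELL_PREFIX not in
    the known_jsp baseline. reason is 'post_then_get' when the same IP POSTed to
    the uploader within WINDOW beforehand, otherwise 'unexpected_jsp'."""
    last_upload, findings = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == UPLOADER_PATH:
            last_upload[ip] = rec["ts"]  # remember the upload for this source
        elif (rec["method"] == "GET" and path.startswith(SHELL_PREFIX)
              and path.endswith(".jsp") and path not in known_jsp):
            recent = ip in last_upload and rec["ts"] - last_upload[ip] <= WINDOW
            findings.append((ip, path, "post_then_get" if recent else "unexpected_jsp"))
    return findings

# Constructed sample log lines (not real traffic) exercising both detections.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:05 +0000] "POST /METADATA-UPLOADER-PATH-PLACEHOLDER HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 94
198.51.100.3 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 8210
198.51.100.9 - - [24/Apr/2025:11:30:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 94
"""
```

Pass the set of JSP paths that legitimately exist on your portal as `known_jsp` to keep the baseline quiet, and treat any `post_then_get` hit as a priority for host inspection of the servlet_jsp/irj/root/ directory.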