Threat Overview - CVE-2025-31324 - SAP NetWeaver Vulnerability
In April 2025, SAP disclosed a critical vulnerability in its SAP NetWeaver platform (CVE-2025-31324), which was assigned a CVSS score of 10.0. The affected platform is used by customers to facilitate integrations within a unified SAP environment. The flaw resides in the Visual Composer component, and more specifically in its Metadata Uploader module. When exploited, it allows unauthenticated remote attackers to upload arbitrary files, including malicious executables, to vulnerable SAP NetWeaver instances. Successful exploitation can give the operators full control over the compromised systems. It is worth noting that ReliaQuest disclosed that multiple customers had already been compromised, with threat actors deploying JSP web shells to maintain persistent access in victim environments. The impact to victims is significant, as successful exploitation can lead to unauthorized access, data exfiltration, and potential system compromise.
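As an added example (not part of the original page or the HUNTER content), the following Python correlates constructed web-access log lines to surface the pattern described above: a successful upload to the Metadata Uploader followed by requests from the same client to a .jsp file, the web-shell behaviour ReliaQuest reported. The endpoint path, log format and sample lines are assumptions made for illustration, not values taken from the page.

```python
import re

# Assumed for this example (not from the page): request path of the
# Visual Composer Metadata Uploader on an exposed NetWeaver instance.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample access log: client, method, path, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 GET /irj/portal 200
203.0.113.9 POST /developmentserver/metadatauploader 200
203.0.113.9 GET /irj/servlet_jsp/irj/root/helper.jsp 200
10.0.0.7 GET /developmentserver/metadatauploader 401
203.0.113.9 POST /irj/servlet_jsp/irj/root/helper.jsp?cmd=whoami 200
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT) (\S+) (\d{3})$")


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, path, status = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status)}


def find_suspicious(log_text):
    """Return sorted (client, jsp_path) pairs where a client that completed a
    POST to the uploader endpoint later requested a .jsp resource.
    A hit is a hunting lead to triage, not proof of compromise on its own."""
    uploaded = set()
    hits = set()
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        # Stage 1: successful upload to the Metadata Uploader marks the client.
        if ev["method"] == "POST" and ev["path"].startswith(UPLOADER_PATH) \
                and ev["status"] == 200:
            uploaded.add(ev["client"])
        # Stage 2: the same client touching a .jsp is the web-shell pattern.
        path_only = ev["path"].split("?", 1)[0]
        if ev["client"] in uploaded and path_only.lower().endswith(".jsp"):
            hits.add((ev["client"], path_only))
    return sorted(hits)


if __name__ == "__main__":
    for client, jsp in find_suspicious(SAMPLE_LOG):
        print(f"possible web shell: {client} -> {jsp}")
```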
CVE-2025-31324 - SAP NetWeaver Vulnerability Hunt Package Collection
Related Hunt Packages
Single-Character Named Files Used for Execution
This Hunt Package identifies single-character file names used at the point of execution or in command-line arguments, with optional logic to also look for the creation of such files.
Suspicious Child Process for Java - Potential Exploitation Activity
Identifies when Java spawns unusual child processes, which can be an indication of exploitation of the Java process. Although Java may not be the target process of an exploit, it can be coaxed into executing malicious code as the result of an exploit in another service, such as Log4j or Spring-Core.
MSBuild Compilation and Execution from Suspicious Directories
This Threat Hunt package identifies the use of MSBuild.exe to compile and execute files from commonly writable or easily exploitable directories such as ProgramData, AppData, Temp, or Downloads. Adversaries often abuse MSBuild, a legitimate Microsoft tool, to compile malicious project files (.xml, .txt) staged in these locations, enabling execution of payloads without creating traditional executables. This behavior typically indicates an attempt to evade detection through Living-off-the-Land Binary (LOLBIN) techniques, bypassing security controls by blending in with legitimate system activity.