Unauthenticated Hackers Exploit CVE-2025-31324 to Upload Webshells
In a significant cybersecurity concern, threat actors have been exploiting a newly identified zero-day vulnerability, designated as CVE-2025-31324, in the SAP Visual Composer. This web-based tool, although partially deprecated, remains extensively utilized by various governmental and business organizations. The security implications of this vulnerability are grave, as it allows unauthorized individuals to upload webshells, thereby potentially compromising entire systems.
The vulnerability received a maximum severity rating of 10 due to an inherent authentication flaw. As reported by SAP’s security partner, Onapsis, CVE-2025-31324 is actively being exploited, with no authentication requirements necessary for potential attackers to leverage this flaw. Consequently, only minimal technical barriers exist for unauthenticated threat actors, making it easier for them to manipulate the affected systems.
SAP Visual Composer is particularly exposed because it is used to build both transactional and analytical applications. Its development server is reported to be widely enabled so that customers can create business components without writing code. Although SAP announced the deprecation of some Visual Composer versions back in 2015, it has extended maintenance for version 7.5 until 2030, underscoring the tool's continued relevance in enterprise environments.
Attackers are exploiting this vulnerability over HTTP/HTTPS by sending POST requests to the /developmentserver/metadatauploader URL. This endpoint enables the upload of potentially harmful code files, with webshells being the most frequently observed artifacts. According to SAP, file names such as "helper.jsp" and "cache.jsp" have been reported, indicating a clear malicious intent behind the uploads.
The Shadow Server Foundation, an internet monitoring organization, has indicated that at least 454 IP addresses are currently vulnerable due to this flaw, with a significant concentration of those located within the United States. This widespread vulnerability poses a serious risk to many organizations still relying on the SAP Visual Composer tool.
Furthermore, the security firm ReliaQuest has identified troubling trends following the discovery of this vulnerability. Multiple client incidents involved the upload of JSP webshells, which attackers then used to run unauthorized files. ReliaQuest noted that the end goal for these actors was to use the JSP file to receive GET requests that execute arbitrary commands. This gave the attackers a foothold for deeper system control, allowing them to upload further unauthorized files as part of their malicious toolkit.
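As an added example (not code from the article, SAP, Onapsis or ReliaQuest), the following Python snippet reads HTTP access-log lines and flags the behaviours described above: POST requests to /developmentserver/metadatauploader, requests for the reported webshell names, and any later JSP request from a source address that already hit the uploader. The Common Log Format, the sample lines and the JSP locations are constructed assumptions; adapt the regex to the log layout your SAP front end actually produces.

```python
import re

# Indicators taken from the article: the upload endpoint and the reported webshell names.
UPLOAD_PATH = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}

# Assumed Common Log Format; adjust the pattern for ICM / reverse-proxy log layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    return rec

def scan_log(text):
    """Return (source_ip, rule, path) findings for the three behaviours the article describes."""
    findings = []
    uploaders = set()  # source IPs that have already POSTed to the uploader endpoint
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_lower = rec["path"].lower()
        basename = path_lower.rsplit("/", 1)[-1]
        if rec["method"] == "POST" and path_lower.startswith(UPLOAD_PATH):
            findings.append((rec["ip"], "metadatauploader_post", rec["path"]))
            uploaders.add(rec["ip"])
        elif basename in KNOWN_WEBSHELLS:
            findings.append((rec["ip"], "known_webshell_name", rec["path"]))
        elif basename.endswith(".jsp") and rec["ip"] in uploaders:
            # Any JSP served to an address that just uploaded is suspicious, whatever its name.
            findings.append((rec["ip"], "jsp_after_upload", rec["path"]))
    return findings

# Constructed sample log (documentation addresses, invented paths); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [25/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.10 - - [25/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
203.0.113.10 - - [25/Apr/2025:10:01:20 +0000] "GET /irj/portal/x7.jsp HTTP/1.1" 200 88
198.51.100.7 - - [25/Apr/2025:10:02:00 +0000] "GET /irj/servlet/prt/portal HTTP/1.1" 200 2048
198.51.100.7 - - [25/Apr/2025:10:02:03 +0000] "GET /webdynpro/resources/cache.jsp HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for ip, rule, path in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {rule:22} {path}")
```

A 404 on a known webshell name is still reported, because a probe for a shell that is not (yet) present is itself worth an analyst's attention.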
The techniques utilized by these attackers reveal a concerning level of sophistication. They employed the pen-testing tool Brute Ratel to load and decrypt malicious payloads, actively using these for privilege escalation, credential theft, and maintaining persistence within the compromised systems. Such tactics highlight a well-coordinated strategy among cybercriminals, who may also be leveraging credentials acquired from initial access brokers to infiltrate SAP environments.
Despite the alarming nature of these security breaches, there are recommended countermeasures that organizations can adopt. ReliaQuest advises disabling the Visual Composer entirely, as this could eliminate a significant vector of attack. If the tool is deemed necessary, their guidance extends to disabling the development server or significantly restricting access to it to mitigate risks.
The emergence of CVE-2025-31324 strongly emphasizes the crucial need for organizations to continually monitor and assess their cybersecurity postures, especially when employing legacy systems that may have known vulnerabilities. With attackers continuously evolving their tactics, a proactive approach in safeguarding sensitive data and enterprise systems is more vital than ever. Engagements with trusted cybersecurity partners might also be beneficial as companies seek to bolster their defenses against such stealthy threats.
Ultimately, as more details about the implications of CVE-2025-31324 become understood, organizations using the SAP Visual Composer must act swiftly. Ignoring these vulnerabilities could lead to severe repercussions, including data breaches, financial losses, and reputational damage. In a landscape fraught with cyber threats, being preemptive and vigilant is essential for safeguarding business interests.