Technical Details of SAP 0-Day Exploitation Script for RCE Revealed

Cybersecurity researchers have unveiled the inner workings of an exploit script targeting a critical zero-day vulnerability in SAP NetWeaver’s Visual Composer Metadata Uploader, now designated as CVE-2025–31324.

This flaw stems from a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, enabling unauthenticated file uploads that can lead to remote code execution (RCE) under the SAP service account privileges.

The script, originally published by vx-underground, automates the process by crafting HTTP POST requests to upload arbitrary files, such as malicious JSP web shells, thereby granting attackers persistent access to affected systems.

Vulnerability Exploitation

The exploit leverages the servlet’s failure to validate uploads, allowing files to be written directly to web-accessible directories like /irj/servlet_jsp/irj/root/.

In check mode, the script employs a Java deserialization payload for stealthy verification via out-of-band application security testing (OAST), where a serialized object triggers a callback to an attacker-controlled server without deploying a visible shell.

For full exploitation, it switches to uploading a JSP web shell, often encoded in Base64 within the script to evade detection, decoded at runtime, and transmitted via multipart/form-data POST requests.

According to the report, the payload, such as a helper.jsp file, incorporates command injection patterns using Runtime.getRuntime().exec() to execute system commands passed via URL parameters like ?cmd=, streaming output back to the attacker.

Supporting features include argument parsing for multi-target scanning, threading for concurrent operations, and options for legacy SSL handling and certificate bypassing, making it robust against varied network environments.

Randomization of filenames, such as generating 8-character alphanumeric strings or prefixing dots for concealment, further enhances evasion, while the script’s logic ensures compatibility with SAP’s Java-based architecture, potentially extending to WAR or JAR deployments for advanced persistence.

Defensive Measures

Post-exploitation artifacts include unusual HTTP traffic to the metadatauploader endpoint, often with python-requests User-Agents and multipart forms containing JSP filenames, alongside unexpected files in SAP directories exhibiting exec patterns or known hashes like 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087.

Server logs may reveal webshell invocations with encoded commands, outbound connections to malicious hosts for tool downloads, or anomalous processes spawned by the SAP Java engine, such as bash executions decoding Base64 payloads.

Mitigation begins with applying SAP Security Note 3594142, released in April 2025, to enforce authorization checks.

Interim steps involve network isolation of the endpoint, disabling Visual Composer if unused, and deploying WAF rules to block suspicious uploads. Detection strategies emphasize scanning for IoCs using tools like Nuclei templates, reviewing logs for unauthenticated POSTs, and monitoring egress traffic.

Endpoint detection rules targeting SAP processes launching shells or network utilities provide ongoing protection, underscoring the need for rapid patching amid widespread exploitation by cybercriminals and state actors since March 2025.

AWS Security Services: 10-Point Executive Checklist - Download for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!