Analytics Story: SAP NetWeaver Exploitation

Date: 2025-04-28 ID: a52f77e2-0632-46a5-b750-6c059bc7bbb4 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This Analytic Story covers the detection of exploitation attempts and reconnaissance activity targeting SAP NetWeaver platforms, with a focus on the critical unauthenticated file upload vulnerability CVE-2025-31324 in Visual Composer. Attackers are actively exploiting this flaw to upload arbitrary files—often webshells—via POST requests to the /developmentserver/metadatauploader endpoint, leading to full system compromise, remote code execution, and persistent access. The story includes detections for both probing (e.g., HEAD requests) and active exploitation, and highlights the significant business risks, such as data theft, operational disruption, and potential regulatory impact. Defenders can use this story to monitor, hunt, and respond to suspicious activity across SAP NetWeaver services, helping to identify both initial access and post-exploitation behaviors.

Why it matters

Attackers are actively targeting SAP NetWeaver environments through newly disclosed vulnerabilities like CVE-2025-31324, affecting the Visual Composer service. Successful exploitation can lead to remote code execution (RCE) and the deployment of webshells, giving adversaries persistent access to SAP systems. This story provides detections for reconnaissance patterns (e.g., HEAD requests receiving HTTP 200 responses) and potential exploitation behavior (e.g., POST requests leading to successful uploads), empowering defenders to quickly identify compromise attempts and mitigate them before escalation.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Java Writing JSP File Exploit Public-Facing Application, External Remote Services TTP
Windows Java Spawning Shells Exploit Public-Facing Application, External Remote Services TTP
Windows Process Injection into Commonly Abused Processes Portable Executable Injection Anomaly
SAP NetWeaver Visual Composer Exploitation Attempt Exploit Public-Facing Application Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Suricata N/A suricata suricata
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1