| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: SAP NetWeaver Visual Composer Exploitation Attempt
Description
Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
Search
1
2| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")) AND Web.http_method IN ("HEAD", "POST") AND Web.status=200 by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype
3| `drop_dm_object_name("Web")`
4| eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype
8| `sap_netweaver_visual_composer_exploitation_attempt_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | N/A | 'suricata' |
'suricata' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| sap_netweaver_visual_composer_exploitation_attempt_filter | search * |
sap_netweaver_visual_composer_exploitation_attempt_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
DE.AE
CIS 13
APT29
APT39
APT41
APT5
Agrius
Axiom
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Cinnamon Tempest
Dragonfly
Earth Lusca
Ember Bear
FIN13
FIN7
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
HAFNIUM
INC Ransom
Ke3chang
Kimsuky
Leviathan
Magic Hound
Moses Staff
MuddyWater
Play
Rocke
Salt Typhoon
Sandworm Team
Sea Turtle
Threat Group-3390
ToddyCat
Volatile Cedar
Volt Typhoon
Winter Vivern
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
Ensure that the Web data model is accelerated and populated with web server or web proxy logs capturing HTTP request and response data. This search relies on HTTP method, status code, and URL path fields to identify suspicious access patterns against SAP NetWeaver endpoints.
Known False Positives
Some legitimate administrative activity may access SAP NetWeaver services. However, HEAD or POST requests directly resulting in a 200 OK to Visual Composer endpoints are uncommon and should be investigated carefully.
Associated Analytic Story
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | suricata |
suricata |
| Integration | ✅ Passing | Dataset | suricata |
suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2