
Critical SAP Vulnerability Enabling Unauthenticated Remote Code Execution

Threat Overview

CVE-2025-31324: Critical SAP Vulnerability & How to Protect Your Enterprise

We noticed a new threat report published by AlienVault on September 10, 2025. The report details a critical remote code execution vulnerability (CVE-2025-31324) affecting the SAP NetWeaver Visual Composer development server, the component behind the /developmentserver/metadatauploader endpoint. The endpoint can be reached without authentication and accepts arbitrary file uploads, giving an attacker unauthenticated remote code execution on the NetWeaver host and a path to compromising the wider enterprise network.

The threat landscape for this vulnerability is significant: active exploitation began in March 2025, and widespread attacks followed the public release of an exploit script in August 2025. The flaw is a missing authorization check on the upload endpoint combined with a lack of validation of the uploaded model files, so an attacker can place and execute arbitrary code within the SAP NetWeaver server context.

Executive Summary

CVE-2025-31324 is a critical remote code execution (RCE) vulnerability affecting the SAP NetWeaver Visual Composer development server, a core component used in enterprise environments for application development and integration. The vulnerability stems from a missing authorization check on the exposed metadatauploader endpoint, which accepts and processes uploaded model files from unauthenticated clients without validating them.

By exploiting this weakness, attackers can upload malicious files—typically crafted as application/octet-stream ZIP/JAR payloads—that the server mistakenly processes as trusted content. This poses a significant risk because SAP systems handle critical business operations, including finance, supply chain, human resources, and customer data.

Successful exploitation enables adversaries to gain unauthenticated remote code execution, which can lead to:

  • Persistent foothold in enterprise networks
  • Theft of sensitive business data and intellectual property
  • Disruption of critical SAP-driven processes
  • Lateral movement toward other high-value assets within the organization

Given the scale at which SAP is deployed across Fortune 500 companies and government institutions, CVE-2025-31324 poses a high-impact threat that defenders must address with urgency and precision.

Vulnerability Overview

  • CVE ID: CVE-2025-31324
  • Type: Unauthenticated Arbitrary File Upload → Remote Code Execution (RCE)
  • CVSS Score: 10.0 (Critical) (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; this vector scores 10.0, not 8)
  • Criticality: Critical – full compromise of SAP systems possible
  • Affected Products: SAP NetWeaver Visual Composer development server (VCFRAMEWORK 7.50), reachable via the /developmentserver/metadatauploader endpoint; fixed by SAP Security Note 3594142 (April 2025)
  • Exploitation: Active since March 2025, widely weaponized after August 2025 exploit release
  • Business Impact: Persistent attacker access, data theft, lateral movement, and potential disruption of mission-critical ERP operations

Threat Landscape & Exploitation

Active exploitation began in March–April 2025, with attackers uploading web shells such as helper.jsp, cache.jsp, or randomly named .jsp files to SAP servers. On Linux systems, a stealthy backdoor named Auto-Color was deployed, enabling reverse shells, file manipulation, and evasive operation.

In August 2025, the exploit script was publicly posted by “Scattered LAPSUS$ Hunters – ShinyHunters,” triggering a new wave of widespread automated attacks. The script includes identifiable branding and taunts, which provide useful detection signals for defenders.

Technical Details

Root Cause:

The metadatauploader endpoint (/developmentserver/metadatauploader) can be reached without authentication; SAP classifies the flaw as a missing authorization check. The endpoint then trusts the client-supplied Content-Type: application/octet-stream payload and parses it as valid SAP model metadata without validating its contents, so whatever the attacker uploads is written to the server and processed.

Trigger:

Observed payloads begin with PK (the ZIP header) and embed .properties files plus compiled bytecode that executes when the server parses the uploaded model.

Impact: Arbitrary code execution within SAP NetWeaver server context, often leading to full system compromise.

Exploitation in the Wild

  • March–April 2025: First observed exploitation with JSP web shells.
  • August 2025: Public exploit tool released by Scattered LAPSUS$ Hunters – ShinyHunters, fueling mass automated attacks.
  • Reported Impact: Of the exposed SAP NetWeaver development servers found via Shodan, over 1,200 showed signs of exploit attempts, according to the report. Multiple intrusions were confirmed across the manufacturing, retail, and telecom sectors, with data exfiltration and reverse shell deployment confirmed in at least 8 large enterprises.

Exploitation

Attack Chain:

  1. Prepare Payload – The attacker builds a ZIP/JAR containing malicious model definitions or classes (or a JSP web shell).
  2. Deliver Payload – The attacker sends a crafted HTTP POST to /developmentserver/metadatauploader with Content-Type: application/octet-stream; no credentials are required.
  3. Upload Accepted – The server writes and loads the file without checking the caller's authorization or validating the content.
  4. Execution – The code runs when NetWeaver processes the uploaded model, or when the attacker requests the dropped web shell.

Indicators in PCAP:

  • POST /developmentserver/metadatauploader requests
  • Content-Type: application/octet-stream with PK-prefixed binary content

Protection

Patch: Apply SAP Security Note 3594142 (released April 2025) immediately, along with the follow-on note for the same component (CVE-2025-42999, SAP Security Note 3604119), and verify that the fixed VCFRAMEWORK level is deployed on every instance, including non-production systems.

IPS/IDS Detection:

  • Match on POST requests to /developmentserver/metadatauploader with CONTENTTYPE=MODEL in the query string.
  • Detect binary payloads beginning with PK in HTTP body.
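The PCAP indicators and the IPS/IDS matching rules above can be combined into a single check on reconstructed HTTP requests. The following is an added example, not code from the original report, SAP, or Quick Heal: it parses raw HTTP/1.x requests, checks the request path, the CONTENTTYPE=MODEL query parameter, the declared Content-Type, and whether the body starts with a ZIP signature, and assigns a verdict. The sample requests at the bottom are constructed for illustration; hostnames and body bytes are made up.

```python
"""Detection logic for CVE-2025-31324 exploitation attempts (added example).

Applies the indicators from the report to raw HTTP requests reconstructed
from a capture or proxy log:
  - POST to /developmentserver/metadatauploader
  - CONTENTTYPE=MODEL in the query string
  - Content-Type: application/octet-stream
  - body beginning with a ZIP signature (PK..)
"""
from urllib.parse import parse_qs, urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"
# ZIP signatures: local file header, end-of-central-directory (empty archive),
# and data descriptor. All start with "PK"; the report only mentions "PK".
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def score_request(raw: bytes) -> dict:
    """Return the individual indicator matches and an overall verdict.

    Verdicts:
      exploit_attempt - POST to the uploader carrying a ZIP body
      suspicious      - POST to the uploader with CONTENTTYPE=MODEL but no ZIP
      benign          - anything else
    """
    method, target, headers, body = parse_http_request(raw)
    parts = urlsplit(target)
    # Query parameter names are compared case-insensitively.
    query = {k.upper(): [v.upper() for v in vals]
             for k, vals in parse_qs(parts.query).items()}
    ctype = headers.get("content-type", "").lower()

    result = {
        "uploader_post": method == "POST"
        and parts.path.lower().endswith(UPLOADER_PATH),
        "model_contenttype": "MODEL" in query.get("CONTENTTYPE", []),
        "octet_stream": ctype.startswith("application/octet-stream"),
        "zip_body": body[:4] in ZIP_SIGNATURES,
    }
    if result["uploader_post"] and result["zip_body"]:
        result["verdict"] = "exploit_attempt"
    elif result["uploader_post"] and result["model_contenttype"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


def scan(requests):
    """Return the verdict for each request in a list of raw requests."""
    return [score_request(r)["verdict"] for r in requests]


# Constructed sample traffic (not from a real capture).
ZIP_BODY = b"PK\x03\x04" + b"\x00" * 28  # 32 bytes, ZIP local file header
SAMPLE_EXPLOIT = (
    b"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1\r\n"
    b"Host: sap.example.internal\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n" + ZIP_BODY
)
SAMPLE_PROBE = (
    b"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1\r\n"
    b"Host: sap.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_BENIGN = (
    b"GET /irj/portal HTTP/1.1\r\n"
    b"Host: sap.example.internal\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_EXPLOIT, SAMPLE_PROBE, SAMPLE_BENIGN):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", score_request(raw)["verdict"])
```

A legitimate developer using Visual Composer will also POST to this endpoint with CONTENTTYPE=MODEL, so the "suspicious" tier is a hunting lead rather than a block decision; the endpoint should not be reachable from untrusted networks at all, which is why any such POST from outside the development network deserves an alert regardless of body content.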

EDR/XDR: Monitor SAP Java server processes for unexpected child processes (cmd.exe or powershell.exe on Windows; sh, bash, or unknown ELF binaries such as the Auto-Color backdoor on Linux), and for newly written .jsp files in the NetWeaver servlet directories.

Best Practice: Restrict development server exposure to trusted networks only. Block the /developmentserver/metadatauploader path at the ICM or reverse proxy for everything except the development network, and disable the Visual Composer component entirely where it is not in use.

Quick Heal Protection

All Quick Heal customers are protected from this vulnerability by the following signatures:

  • HTTP/CVE-2025-31324!VS.49935
  • HTTP/CVE-2025-31324!SP.49639

Confidence level: 100

Reliability of the report: A – Completely reliable

Revoke status: false

Number of connected elements present in the report: 43

External reference in the report:

Please check the following page for additional information: Seqrite Blog on CVE-2025-31324



Copyright © 2025 ESSGroup