Monday, May 12, 2025

SAP NetWeaver 0-Day Vulnerability Enables Webshell Deployment


Cybersecurity analysts have issued a high-priority warning after several incidents revealed active exploitation of SAP NetWeaver, the widely deployed enterprise integration platform.

Attackers have leveraged an unreported 0-day vulnerability to deploy web shells, which give them remote command execution capabilities and persistent backdoor access even on fully patched systems.

CVE Details

The exposure centers on the /developmentserver/metadatauploader endpoint, a feature intended for legitimate SAP application configuration.


ReliaQuest investigators observed attackers uploading “JSP webshells” to publicly accessible directories by abusing this endpoint through specially crafted POST requests.

Malicious POST and GET requests observed with JSP webshell

The uploaded files, typically disguised with innocuous names such as helper.jsp or cache.jsp, allowed attackers to run arbitrary system commands via simple GET requests.

A critical question arises: is this related to a known Remote File Inclusion (RFI) flaw, such as CVE-2017-9844, which previously allowed remote command execution through Java object serialization? Or is it an entirely new, unreported vulnerability?

Notably, several victim environments had the latest patches for CVE-2017-9844, indicating the likely presence of an undisclosed RFI issue.

This uncertainty dramatically increases the urgency for organizations to step up their defenses.

After gaining access, attackers employed advanced post-exploitation techniques to entrench themselves further:

  • Brute Ratel Framework: A commercial command-and-control (C2) toolkit used to maintain covert access, evade antivirus/EDR, and enable privilege escalation, credential harvesting, and lateral movement.
  • Heaven’s Gate Technique: By manipulating Windows process memory, attackers were able to execute code across 32- and 64-bit environments, bypassing conventional detection.

Investigators believe some attackers may be operating as initial access brokers, obtaining and then selling privileged access to compromised SAP NetWeaver systems to other cybercriminals.

With SAP NetWeaver commonly found in government agencies and global enterprises, these attacks substantially increase the risk of data theft, business disruption, and further systemic compromise.

Command used to compile code

The rapid deployment of webshells and sophisticated C2 frameworks signals a new wave of threat activity targeting even hardened SAP infrastructures.

XSS forum member discusses access by exploiting NetWeaver SAP

Defense Recommendations

  • Disable Deprecated Components: Turn off the Visual Composer tool and the “developmentserver” alias.
  • Restrict Endpoint Access: Use firewall rules to block the /developmentserver/ URL except for trusted administrator IPs.
  • Centralize and Monitor Logs: Forward all SAP NetWeaver logs to a SIEM for proactive alerting and investigation.
  • Scout for Webshells: Regularly inspect the directory j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ for unauthorized files.
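As an added example (not code from the article or from ReliaQuest), the following Python script turns the upload-then-invoke pattern described above and the last two recommendations into something a defender can run: it flags POST requests to the upload endpoint and GET requests for unexpected .jsp files in access-log text, correlating the two by client address, and it lists .jsp files under the named servlet directory that are not in a known-good baseline. The log lines are constructed in a combined-log style; SAP NetWeaver Java's own HTTP access log format differs, so the regex, the administrator allow-list, the allowed-JSP set and the directory baseline are assumptions to adapt.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Endpoint and directory named in the article.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_DIR = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/"

# Constructed sample access-log lines (combined-log style is an assumption;
# adapt LOG_RE to the real SAP NetWeaver HTTP access log format).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [12/May/2025:10:01:09 +0000] "GET /irj/helper.jsp?id=1 HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [12/May/2025:10:02:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:03:11 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 64 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    kind: str    # upload_endpoint_post | jsp_get_after_upload | suspicious_jsp_get
    source: str  # client IP
    detail: str  # request path or full log line


def detect_in_log(text, admin_ips=frozenset(), allowed_jsp=frozenset()):
    """Flag the upload-then-invoke pattern in access-log text.

    admin_ips: trusted administrator addresses whose POSTs to the upload
    endpoint are expected (the article's firewall allow-list, mirrored in
    detection). allowed_jsp: basenames of .jsp files known to be legitimate.
    """
    findings = []
    uploaders = set()  # IPs that hit the upload endpoint earlier in the log
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path == UPLOAD_ENDPOINT:
            if ip in admin_ips:
                continue
            uploaders.add(ip)
            findings.append(Finding("upload_endpoint_post", ip, line.strip()))
        elif (method == "GET" and path.lower().endswith(".jsp")
              and os.path.basename(path) not in allowed_jsp):
            # A GET for an unknown .jsp from an IP that already used the upload
            # endpoint matches the reported webshell invocation closely.
            kind = "jsp_get_after_upload" if ip in uploaders else "suspicious_jsp_get"
            findings.append(Finding(kind, ip, path))
    return findings


def scan_webshell_dir(root, expected=frozenset()):
    """Return relative paths of .jsp files under root that are not in the
    expected baseline (build the baseline from a known-good install)."""
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in expected:
                unexpected.append(rel)
    return sorted(unexpected)


def demo_scan():
    """Build a throwaway copy of the drop directory with one baseline file and
    one rogue file (constructed data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, WEBSHELL_DIR)
        os.makedirs(root)
        for name in ("index.jsp", "helper.jsp"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<%-- placeholder --%>\n")  # inert JSP comment
        return scan_webshell_dir(root, expected={"index.jsp"})


if __name__ == "__main__":
    for f in detect_in_log(SAMPLE_LOG):
        print(f"{f.kind:22} {f.source:14} {f.detail}")
    print("unexpected .jsp files:", demo_scan())
```

The correlation is deliberately order-sensitive: a GET for an unknown .jsp is only rated `jsp_get_after_upload` when the same client address has already been seen posting to the upload endpoint, which keeps ordinary portal traffic out of the high-severity bucket while still surfacing every unexpected .jsp request at lower severity. Run the directory scan on a schedule and diff its output against the previous run rather than eyeballing the listing.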

Until SAP issues an official advisory or patch, rapid response and vigilant monitoring remain critical to safeguarding against this 0-day exploitation trend.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
