
SAP NetWeaver 0-Day Vulnerability Enables Webshell Deployment

Cybersecurity analysts have issued a high-priority warning after several incidents revealed active exploitation of SAP NetWeaver, the widely deployed enterprise integration platform.

Attackers have leveraged an unreported 0-day vulnerability to deploy web shells, which give them remote command execution capabilities and persistent backdoor access even on fully patched systems.

CVE Details

The exposure centers on the /developmentserver/metadatauploader endpoint, a feature intended for legitimate SAP application configuration.

ReliaQuest investigators observed attackers uploading “JSP webshells” to publicly accessible directories by abusing this endpoint through specially crafted POST requests.

(Figure: Malicious POST and GET requests observed with JSP webshell)

The uploaded files, typically given innocuous names such as helper.jsp or cache.jsp, let attackers run arbitrary system commands via simple GET requests.
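The two-step pattern described above (a POST to the uploader endpoint, then a GET to the dropped JSP) can be picked out of ordinary HTTP access logs by correlating both requests per source address. The following is an added detection example written for this article, not code from ReliaQuest or SAP; it assumes a Common-Log-Format style access log (the sample lines are constructed), an allowlist of administrator IPs, and that files dropped into the irj/root directory named later in the article become reachable under the /irj/ web path.

```python
"""Correlate the metadatauploader upload step with a later JSP invocation.

Signals tracked per source IP:
  1. any non-allowlisted request to /developmentserver/metadatauploader
  2. a later GET for a .jsp resource under /irj/ from the same IP
"""
import re

# Common Log Format style line (constructed format; adapt LOG_RE to your source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"
# Assumption: the servlet_jsp/irj/root directory is served under the /irj/ alias.
JSP_UNDER_IRJ = re.compile(r"^/irj/[^?]*\.jsp(\?.*)?$", re.IGNORECASE)

ADMIN_ALLOWLIST = {"10.0.0.10"}  # constructed: trusted administrator source IPs

# Constructed sample log: an admin upload, then an attacker-style upload
# followed seven seconds later by a GET to the new JSP, plus benign noise.
SAMPLE_LOG = [
    '10.0.0.10 - - [01/Jan/2025:09:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 1480',
    '198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 9000',
    'this line does not parse and is skipped',
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return a list of (severity, ip, reason, line) findings in log order."""
    findings = []
    uploaded_from = set()  # IPs that have already touched the uploader endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path_no_query = rec["path"].split("?", 1)[0]
        if path_no_query.startswith(UPLOADER_PATH):
            if ip in ADMIN_ALLOWLIST:
                continue  # expected administrative use
            uploaded_from.add(ip)
            findings.append(("medium", ip,
                             f"non-allowlisted {method} to metadatauploader", line))
        elif method == "GET" and JSP_UNDER_IRJ.match(rec["path"]):
            if ip in uploaded_from:
                findings.append(("high", ip,
                                 "GET to .jsp under /irj/ after uploader request "
                                 "(possible webshell invocation)", line))
            else:
                findings.append(("low", ip,
                                 "GET to .jsp under /irj/ with no prior upload seen", line))
    return findings


if __name__ == "__main__":
    for severity, ip, reason, line in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

The per-IP correlation is a heuristic: upload and use may come from different infrastructure, which is why a lone GET to a JSP under /irj/ is still reported at low severity. Comparing requested JSP names against an inventory of the portal's known pages turns that low-severity signal into a much stronger one.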

A critical question arises: is this related to a known Remote File Inclusion (RFI) flaw, such as CVE-2017-9844, which previously allowed remote command execution through Java object serialization? Or is it an entirely new, unreported vulnerability?

Notably, several victim environments had the latest patches for CVE-2017-9844, indicating the likely presence of an undisclosed RFI issue.

This uncertainty dramatically increases the urgency for organizations to step up their defenses.

After gaining access, attackers employed advanced post-exploitation techniques to entrench themselves further:

  • Brute Ratel Framework: A commercial command-and-control (C2) toolkit used to maintain covert access, evade antivirus/EDR, and enable privilege escalation, credential harvesting, and lateral movement.
  • Heaven’s Gate Technique: By manipulating Windows process memory, attackers were able to execute code across 32- and 64-bit environments, bypassing conventional detection.

Investigators believe some attackers may be operating as initial access brokers, obtaining and then selling privileged access to compromised SAP NetWeaver systems to other cybercriminals.

With SAP NetWeaver commonly found in government agencies and global enterprises, these attacks substantially increase the risk of data theft, business disruption, and further systemic compromise.

(Figure: Command used to compile code)

The rapid deployment of webshells and sophisticated C2 frameworks signals a new wave of threat activity targeting even hardened SAP infrastructures.

(Figure: XSS forum member discusses access by exploiting NetWeaver SAP)

Defense Recommendations

  • Disable Deprecated Components: Turn off the Visual Composer tool and the “developmentserver” alias.
  • Restrict Endpoint Access: Use firewall rules to block the /developmentserver/ URL except for trusted administrator IPs.
  • Centralize and Monitor Logs: Forward all SAP NetWeaver logs to a SIEM for proactive alerting and investigation.
  • Scout for Webshells: Regularly inspect the directory j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ for unauthorized files.
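The last recommendation, inspecting the irj/root directory for unauthorized files, is most reliable as a baseline-and-diff check rather than a manual look. Here is an added example written for this article (not SAP's or ReliaQuest's tooling): it hashes every file under the directory named above, stores that as a baseline, and on later runs reports anything new, modified or missing. The demo builds a scratch tree in a temporary directory to stand in for a real instance; the file names and contents in it are constructed.

```python
"""Baseline-and-diff scan of the irj servlet_jsp root for unexpected files.

Run build_baseline() once on a known-good system and keep the result;
then run scan() on a schedule and alert on anything it returns.
"""
import hashlib
import os
import tempfile

# Directory named in the article, relative to the NetWeaver instance root.
IRJ_ROOT = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def scan(root, baseline):
    """Return a sorted list of (kind, relpath) where kind is 'new',
    'modified' or 'missing' relative to the stored baseline."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("missing", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: take a baseline, then simulate a post-upload state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, IRJ_ROOT)
        os.makedirs(root)
        with open(os.path.join(root, "index.jsp"), "w") as f:
            f.write("<%-- legitimate portal page (constructed) --%>\n")
        baseline = build_baseline(root)
        # One file that did not exist at baseline time, one that was altered.
        with open(os.path.join(root, "helper.jsp"), "w") as f:
            f.write("<%-- not present at baseline time (constructed) --%>\n")
        with open(os.path.join(root, "index.jsp"), "a") as f:
            f.write("<%-- appended content (constructed) --%>\n")
        return scan(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9s} {rel}")
```

Keep the baseline off the host (the same access that drops a JSP can edit a local manifest), re-baseline only after a verified patch or deployment, and treat any "new" entry with a .jsp extension as a page-one alert rather than a ticket.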

Until SAP issues an official advisory or patch, rapid response and vigilant monitoring remain critical to safeguarding against this 0-day exploitation trend.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
