
Alerts of Exploiting SAP NetWeaver: CVE-2025-31324

2025.07.08 | Cyber Threat Intelligence
The following blog post is based on our May H1 Vulnerability Insights Report. TeamT5 Vulnerability Research Team is dedicated to providing timely mitigation and response guidelines to critical vulnerabilities. Contact us for more information about our vulnerability intelligence.

Active Exploitation of CVE-2025-31324 in SAP NetWeaver

TeamT5 has detected that a critical vulnerability in SAP NetWeaver (CVE-2025-31324) is being actively exploited by the China-nexus APT group Amoeba (aka APT41). The earliest Amoeba exploitation we observed can be traced back to May 2025, whereas public reports suggest that zero-day exploitation was first observed in January 2025. After successful exploitation, the threat actors deployed webshells and malware such as vshell and CobaltStrike Beacon.
Moreover, our further investigation found that several major cloud service providers were affected. Over 100 entities, including Google Cloud, Microsoft Azure, and Amazon Web Services, were compromised with webshells. The victims are located in Taiwan, South Korea, China, India, the United States, Spain, Turkey, Russia, Germany, Guatemala, Saint Barthélemy, and Chile, spanning education, manufacturing, automotive, recycling, tourism, IT, food and beverage, and conglomerates.
We summarize the attacks in the Exploitation Status section below.

Executive Summary

We assess the severity level of CVE-2025-31324 as critical and urge our customers to use this report to mitigate its effects. CVE-2025-31324 is an unauthenticated file upload vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader. With a CVSS score of 9.8, successful exploitation of CVE-2025-31324 allows an unauthenticated threat actor to upload a webshell and implant malware.
SAP fixed the vulnerability in a security note released in May 2025 [1]. However, public reports and Proof-of-Concepts for CVE-2025-31324 have been published since April 2025 [2][3]. Public reports suggest that CVE-2025-31324 has been exploited as a zero-day vulnerability in the wild since January 2025 [4].
Based on our investigation and the current exploitation status of CVE-2025-31324, we describe the Forensic Artifacts in this report. We also summarize the malware and IoC in Appendix I: Malware Table and Appendix II: Indicators of Compromise (IoC). Most importantly, we have prepared a comprehensive Mitigation and Response Advisory for our customers.
The Mitigation and Response Advisory includes:
  • Official Information
  • Threat Hunting Tools: We provide a YARA rule to detect generic JSP webshells.

Exploitation Status

CVE-2025-31324 has been exploited by the China-nexus APT group Amoeba since May 2025.
  • Amoeba exploited CVE-2025-31324 in attacks against India, Germany, Turkey, and Spain, spanning the recycling, automotive, and tourism industries.
    • In these attacks, Amoeba deployed a webshell as the initial payload and then implanted malware such as CobaltStrike Beacon and vshell.
    • The C2 servers of the malware are 43.133.196.194 and 101.32.26.154.
  • In addition to the APT activities, our further investigation found that several major cloud service providers were affected. Over 100 entities, including Google Cloud, Microsoft Azure, and Amazon Web Services, were compromised with webshells.

Affected Products

Product – SAP NetWeaver (Visual Composer development server)
Version – VCFRAMEWORK 7.50

Mitigation and Response Advisory

1. Official Information

Successful exploitation of CVE-2025-31324 allows unauthenticated threat actors to upload a webshell and implant malware. We strongly recommend that our clients patch the vulnerability immediately.
SAP fixed CVE-2025-31324 in a security note released in May 2025 [1].

2. Threat Hunting Tools

CVE-2025-31324 allows unauthenticated threat actors to upload webshells. The TeamT5 vulnerability team has prepared a YARA rule for our clients to detect generic JSP webshells.
The YARA rule can be downloaded from Threat Hunting Tools in our solution, ThreatVision.

Forensic Artifacts

Our investigation found that exploitation of CVE-2025-31324 leaves the following traces. Our clients can use these Forensic Artifacts for investigation.

1. Webshells

Unauthenticated threat actors can exploit CVE-2025-31324 to upload webshells to ./apps/sap.com/irj/root/ and ./apps/sap.com/irj/work/ under the SAP installation path. Common webshell file names include cache.jsp, shell.jsp, helper.jsp, usage.jsp, user.jsp, and readme.jsp.
We provide a YARA rule for our customers to detect these webshells.

2. Check SAP Access Log for Suspicious Activities

Exploiting CVE-2025-31324 and accessing the webshells generate specific entries in the access log. Our clients can check the access log to identify potentially suspicious activity and the attacker's IP addresses.
  • The access log can be found under the SAP installation path: ./log/system/httpaccess/responses*.trc*.
  • Exploiting CVE-2025-31324 generates an entry of the form "ATTACKER_IP : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200" in the access log.
  • Accessing the webshell generates an entry of the form "ATTACKER_IP : GET /irj/helper.jsp?cmd=COMMAND HTTP/1.1 200" in the access log.
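The following Python script is an added triage example, not TeamT5's YARA rule or any code from the report. It turns the two Forensic Artifacts above into checks: it classifies access-log lines into the metadata-uploader POST and webshell-access patterns and collects the source IPs, and it flags .jsp files in the two drop directories. The exact line prefix of real responses*.trc* files is not given in the report, so the parser anchors only on the "IP : METHOD /target HTTP/1.1 STATUS" portion (an assumption); the sample log lines and file paths are constructed and use RFC 5737 documentation addresses.

```python
import os
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# File names the report lists as common webshells dropped via CVE-2025-31324.
KNOWN_WEBSHELL_NAMES = {"cache.jsp", "shell.jsp", "helper.jsp",
                        "usage.jsp", "user.jsp", "readme.jsp"}
# Drop directories named in the report, relative to the SAP installation path.
DROP_DIRS = ("apps/sap.com/irj/root/", "apps/sap.com/irj/work/")
# Upload endpoint seen in the report's sample access-log line.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed line shape: the report only shows "ATTACKER_IP : METHOD /target HTTP/1.1 STATUS",
# so any timestamp or prefix that real responses*.trc* lines carry is simply skipped.
LINE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<method>GET|POST)\s+"
    r"(?P<target>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str      # "upload" (exploitation attempt) or "webshell" (shell access)
    target: str
    status: int    # 200 on the webshell line confirms the file existed and answered


def classify_line(line):
    """Return a Finding for a line matching either trace from the report, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip, method, target = m["ip"], m["method"], m["target"]
    status = int(m["status"])
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    # Trace 1: POST to the Visual Composer metadata uploader (the vulnerable endpoint).
    if method == "POST" and path == UPLOADER_PATH:
        return Finding(ip, "upload", target, status)
    # Trace 2: a .jsp under /irj/ that is a known webshell name or carries a cmd= parameter.
    name = path.rsplit("/", 1)[-1].lower()
    if path.startswith("/irj/") and name.endswith(".jsp") and (
            name in KNOWN_WEBSHELL_NAMES or "cmd" in query):
        return Finding(ip, "webshell", target, status)
    return None


def triage_access_log(lines):
    """Classify every line; return (findings, sorted unique source IPs of the findings)."""
    findings = [f for f in map(classify_line, lines) if f is not None]
    return findings, sorted({f.ip for f in findings})


def suspicious_jsp_files(relative_paths):
    """Flag .jsp files inside the two drop directories. Known names are tagged
    'known-webshell-name'; any other .jsp there is tagged 'review' so the analyst
    compares it against a clean install instead of trusting the file name."""
    hits = []
    for p in relative_paths:
        norm = p.replace("\\", "/")
        if norm.startswith("./"):
            norm = norm[2:]
        if not norm.lower().endswith(".jsp") or not norm.startswith(DROP_DIRS):
            continue
        name = norm.rsplit("/", 1)[-1].lower()
        hits.append((norm, "known-webshell-name" if name in KNOWN_WEBSHELL_NAMES else "review"))
    return hits


def scan_install_dir(sap_root):
    """Walk a real SAP installation path and feed relative paths to suspicious_jsp_files."""
    rel = []
    for dirpath, _, files in os.walk(sap_root):
        for f in files:
            rel.append(os.path.relpath(os.path.join(dirpath, f), sap_root))
    return suspicious_jsp_files(rel)


# Constructed sample lines; 203.0.113.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = [
    "[2025/05/02 10:14:03] 203.0.113.7 : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200",
    "[2025/05/02 10:14:09] 203.0.113.7 : GET /irj/helper.jsp?cmd=COMMAND HTTP/1.1 200",
    "[2025/05/02 10:15:11] 198.51.100.20 : GET /irj/portal HTTP/1.1 200",
    "[2025/05/02 10:16:40] 203.0.113.9 : GET /irj/cache.jsp HTTP/1.1 404",
    "[2025/05/02 10:17:02] 198.51.100.21 : GET /irj/go/km/docs/readme.txt HTTP/1.1 200",
]

if __name__ == "__main__":
    findings, ips = triage_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.kind:8} {f.ip:15} {f.status} {f.target}")
    print("source IPs to investigate:", ", ".join(ips))
```

The 404 on cache.jsp is kept as a finding on purpose: a probe for a known webshell name from an unfamiliar address is worth correlating with the uploader POSTs even when the shell was not present. Run scan_install_dir against the SAP installation path to apply the file-name check to a live system.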

Appendix I: Malware Table

The Malware Table describes the malware mentioned in this report.

Name – vshell
Type – RAT
Description – vshell is an open-source RAT that offers tunnel proxies and covert channels to emulate persistent attack behaviors within networks. With support for multiple protocols, robust compatibility, and extensive collaboration features, it enables blue teams to enhance security equipment assessment and bolster emergency response capabilities. vshell is widely used in red-blue attack and defense drills and confrontation simulations, simulating the strategies and techniques of APT threat actors.
Attribution – Open-source
First Seen – 2023.09

Name – CobaltStrike Beacon
Type – RAT
Description – CobaltStrike Beacon is the payload of Cobalt Strike, a commercial penetration testing software used by various red teams, ethical hackers, and threat actors. It is highly customizable with features such as key logging, file transfer, SOCKS proxying, privilege escalation, and mimikatz. CobaltStrike is a legitimate tool used by ethical hackers, but it is also a cyber weapon employed by threat actors to launch real attacks against companies and organizations.
Attribution – Shared
First Seen – 2016.05

Appendix II: Indicators of Compromise (IoC)

C2 IP addresses:
101.32.26.154
43.133.196.194

SHA-256 hashes:
7ec3d703d7fa41d0f13100ea352a9afd22c0e32f3fd1b2e08a83163ddcbe56d5
d560a377ffdba0efe9905d2d84492b486b115f60ee9a9efea850f67106ca9f14
3f5fd4b23126cb21d1007b479954af619a16b0963a51f45cc32a8611e8e845b5
c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28
9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d

Reference

[4] SAP NetWeaver Flaw Lets Hackers Take Full Control: CVE-2025-31324 Explained
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/