Zero-Day: New Exploit Path in SAP NetWeaver


In April 2025, ReliaQuest identified a potential new vulnerability in SAP NetWeaver, allowing attackers to upload and execute JSP webshells via the /metadatauploader endpoint. Despite patched environments, adversaries achieved remote code execution, suggesting an unreported RFI vulnerability. Advanced tools like Brute Ratel and Heaven’s Gate were used for persistence and evasion. This exploitation poses a critical threat to enterprises and government systems running SAP.

Severity Level: High

VULNERABILITY OVERVIEW:

The vulnerability uncovered in SAP NetWeaver centers on the /developmentserver/metadatauploader endpoint, which is intended to handle metadata files for application development. ReliaQuest found that this endpoint could be exploited to upload malicious JSP webshells to a publicly accessible directory (/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/) without authentication or proper input validation. Once uploaded, these webshells could be executed remotely via simple HTTP GET requests, giving the attacker full remote code execution on the target system. Although the affected systems were fully patched, attackers still bypassed protections, which suggests either an unreported Remote File Inclusion (RFI) vulnerability or a variant of the previously known CVE-2017-9844. The endpoint's insecure design, combined with the server's willingness to execute uploaded files, made it a potent vector for persistent exploitation and full system compromise.

ROOT CAUSE:

The vulnerability stems from insufficient input validation and access control in the metadatauploader endpoint, which is designed for uploading metadata (configuration files, serialized objects) for application development.
Key Flaws:
  • The endpoint allows arbitrary file uploads via HTTP POST without proper authentication or sanitization.
  • Uploaded files are saved directly to a publicly accessible web directory, enabling remote execution.
  • JSP files (e.g., helper.jsp, cache.jsp) uploaded this way act as webshells capable of executing commands on the server.

EXPLOITATION CHAIN:

Initial Access:
  • The attacker sends a crafted POST request to the vulnerable endpoint with a malicious .jsp payload.

Webshell Placement:
  • Payloads are written to /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
  • Common file names: helper.jsp, cache.jsp.

Remote Execution:
  • The attacker sends a GET request to the URL hosting the JSP file.
  • The webshell executes attacker-controlled system commands via a simple web interface.

Persistence:
  • Files persist on disk and offer long-term remote access if undetected.
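The chain above leaves a recognisable pattern in the application server's HTTP access log: a POST to the metadatauploader endpoint followed, from the same source, by a GET for a .jsp file directly under the portal alias. The detection below is an added example, not code from the advisory or from ReliaQuest; the endpoint and webshell file names come from the advisory, while the /irj/ URL alias for the servlet_jsp/irj/root/ directory, the admin allowlist, the combined-log format and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# From the advisory: the upload endpoint. Assumed: the /irj/ alias and the admin allowlist.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_URL_RE = re.compile(r"^/irj/[^/]+\.jsp$", re.IGNORECASE)  # .jsp directly under /irj/
ADMIN_ALLOWLIST = {"10.0.0.12"}  # assumed internal administration host

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return ip/method/path/status for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return (severity, ip, detail) findings; correlates upload POSTs with JSP GETs per IP."""
    uploads, jsp_hits = defaultdict(int), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and rec["ip"] not in ADMIN_ALLOWLIST:
            uploads[rec["ip"]] += 1  # unexpected source reaching the upload endpoint
        elif rec["method"] == "GET" and rec["status"] == 200 and WEBSHELL_URL_RE.match(rec["path"]):
            jsp_hits[rec["ip"]].append(rec["path"])  # successful hit on a JSP in the drop directory
    findings = []
    for ip, count in uploads.items():
        if jsp_hits.get(ip):
            findings.append(("critical", ip, f"upload POST followed by JSP execution: {jsp_hits[ip]}"))
        else:
            findings.append(("high", ip, f"{count} external POST(s) to {UPLOAD_ENDPOINT}"))
    for ip, paths in jsp_hits.items():
        if ip not in uploads:
            findings.append(("medium", ip, f"JSP served from /irj/ without observed upload: {paths}"))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 77',
    '198.51.100.5 - - [24/Apr/2025:10:02:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '10.0.0.12 - - [24/Apr/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '192.0.2.4 - - [24/Apr/2025:10:04:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.9 - - [24/Apr/2025:10:05:45 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 77',
]
```

Tune WEBSHELL_URL_RE against a baseline of JSP files legitimately served by your portal before alerting on every hit.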

Recommendations:

  1. Restrict Access to /developmentserver/metadatauploader:
    • Block external HTTP/HTTPS access to this endpoint at the firewall or reverse proxy level.
    • Apply IP allowlists so that only administrative hosts can reach it.
  2. Isolate SAP Systems:
    • Ensure SAP NetWeaver servers are segmented from other business-critical infrastructure.
    • Block outbound internet access unless strictly required.
  3. Disable Deprecated Services:
    • Disable the Visual Composer tool and its application alias (/developmentserver) if not used, as it is deprecated and vulnerable.
  4. Continuously monitor directories, restrict write permissions, and harden the SAP deployment.
  5. Input Sanitization and Upload Restrictions:
    • Block upload of .jsp, .exe, and script files in metadata handlers.
    • Enforce strict MIME type validation and content inspection.
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/bc090cf82edd749fdc9032847c2a40321f5ef1e017d026719472a7ce07f55bc7/iocs

Source:

  • https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

Ampcus Cyber