Tag: Protect

  • Critical SAP Vulnerability & How to Protect Your Enterprise



    Executive Summary

    CVE-2025-31324 is a critical remote code execution (RCE) vulnerability affecting the SAP NetWeaver Development Server, one of the core components used in enterprise environments for application development and integration. The vulnerability stems from improper validation of uploaded model files via the exposed metadatauploader endpoint. By exploiting this weakness, attackers can upload malicious files—typically crafted as application/octet-stream ZIP/JAR payloads—that the server mistakenly processes as trusted content.

    The risk is significant because SAP systems form the backbone of global business operations, handling finance, supply chain, human resources, and customer data. Successful exploitation enables adversaries to gain unauthenticated remote code execution, which can lead to:

    • Persistent foothold in enterprise networks
    • Theft of sensitive business data and intellectual property
    • Disruption of critical SAP-driven processes
    • Lateral movement toward other high-value assets within the organization

    Given the scale at which SAP is deployed across Fortune 500 companies and government institutions, CVE-2025-31324 poses a high-impact threat that defenders must address with urgency and precision.

    Vulnerability Overview

    • CVE ID: CVE-2025-31324
    • Type: Unauthenticated Arbitrary File Upload → Remote Code Execution (RCE)
    • CVSS Score: 8 (Critical) (based on vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    • Criticality: High – full compromise of SAP systems possible
    • Affected Products: SAP NetWeaver Application Server (Development Server module), versions prior to September 2025 patchset
    • Exploitation: Active since March 2025, widely weaponized after August 2025 exploit release
    • Business Impact: Persistent attacker access, data theft, lateral movement, and potential disruption of mission-critical ERP operations

    Threat Landscape & Exploitation

    Active exploitation began in March–April 2025, with attackers uploading web shells such as helper.jsp, cache.jsp, or randomly named .jsp files to SAP servers. On Linux systems, a stealthy backdoor named Auto-Color was deployed, enabling reverse shells, file manipulation, and evasive operation.

    In August 2025, the exploit script was publicly posted by “Scattered LAPSUS$ Hunters – ShinyHunters,” triggering a new wave of widespread automated attacks. The script includes identifiable branding and taunts, which are valuable signals for defenders.

    Technical Details

    Root Cause:
    The metadatauploader endpoint fails to sanitize uploaded binary model files. It trusts the client-supplied Content-Type: application/octet-stream header and parses the payload as valid SAP model metadata.

    Trigger:

    Observed Payloads: Begin with PK (ZIP header), embedding .properties + compiled bytecode that triggers code execution when parsed.

    Impact: Arbitrary code execution within SAP NetWeaver server context, often leading to full system compromise.

    Exploitation in the Wild

    March–April 2025: First observed exploitation with JSP web shells.

    August 2025: Public exploit tool released by Scattered LAPSUS$ Hunters – ShinyHunters, fueling mass automated attacks.

    Reported Havoc: Over 1,200 exposed SAP NetWeaver Dev servers scanned on Shodan showed exploit attempts. Multiple confirmed intrusions across manufacturing, retail, and telecom sectors. Incidents of data exfiltration and reverse shell deployment confirmed in at least 8 large enterprises.

    Exploitation

    Attack Chain:
    1. Prepare Payload – Attacker builds a ZIP/JAR containing malicious model definitions or classes.
    2. Deliver Payload – Send crafted HTTP POST to /metadatauploader with application/octet-stream.
    3. Upload Accepted – Server writes/loads the malicious file without validation.
    4. Execution – Code is executed when the model is processed by NetWeaver.

    Indicators in PCAP:
    – POST /developmentserver/metadatauploader requests
    – Content-Type: application/octet-stream with PK-prefixed binary content

    Protection

    – Patch: Apply SAP September 2025 security updates immediately.
    – IPS/IDS Detection:
    • Match on POST requests to /metadatauploader containing CONTENTTYPE=MODEL.
    • Detect binary payloads beginning with PK in HTTP body.
    – EDR/XDR: Monitor SAP process spawning unexpected child processes (cmd.exe, powershell, etc).
    – Best Practice: Restrict development server exposure to trusted networks only.
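    The IPS/IDS rule above written out as detection logic, as an added example that is neither Quick Heal's signature nor SAP's code; the sample requests are constructed, and the choice to alert only when the uploader endpoint and a PK-prefixed body coincide is an assumption:

```python
"""Flag HTTP requests matching the CVE-2025-31324 upload indicators.
Added example; sample requests below are constructed, not captured."""
from urllib.parse import urlsplit, parse_qs

UPLOADER_SUFFIX = "/metadatauploader"   # full path is /developmentserver/metadatauploader
ZIP_MAGIC = b"PK"                       # ZIP/JAR local file header prefix


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def match_cve_2025_31324(raw: bytes) -> list:
    """Return the advisory's indicators that this request satisfies (in order)."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    hits = []
    if method == "POST" and url.path.endswith(UPLOADER_SUFFIX):
        hits.append("post_metadatauploader")
        if parse_qs(url.query).get("CONTENTTYPE", [""])[0].upper() == "MODEL":
            hits.append("contenttype_model")
    if headers.get("content-type", "").startswith("application/octet-stream"):
        hits.append("octet_stream")
    if body.startswith(ZIP_MAGIC):
        hits.append("zip_body")
    return hits


def is_exploit_attempt(raw: bytes) -> bool:
    """Assumed alert threshold: uploader endpoint plus a PK-prefixed binary body."""
    hits = match_cve_2025_31324(raw)
    return "post_metadatauploader" in hits and "zip_body" in hits


# Constructed sample traffic (not from a real incident).
SUSPECT = (b"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1\r\n"
           b"Host: sap.example.internal\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 4\r\n\r\nPK\x03\x04")
BENIGN = (b"GET /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1\r\n"
          b"Host: sap.example.internal\r\n\r\n")
```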

    Indicators of Compromise (IoCs)

    Artifact (SHA-256) – Details
    1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087 – Helper.jsp webshell
    794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf – Cache.jsp webshell
    0a866f60537e9decc2d32cbdc7e4dcef9c5929b84f1b26b776d9c2a307c7e36e – rrr141.jsp webshell
    4d4f6ea7ebdc0fbf237a7e385885d51434fd2e115d6ea62baa218073729f5249 – rrxx1.jsp webshell


    Network:
    – URI: /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1
    – Headers: Content-Type: application/octet-stream
    – Binary body beginning with PK

    Files:
    – Unexpected ZIP/JAR in SAP model directories
    – Modified .properties files in upload paths

    Processes:
    – SAP NetWeaver spawning system binaries

    MITRE ATT&CK Mapping

    – T1190 – Exploit Public-Facing Application
    – T1059 – Command Execution
    – T1105 – Ingress Tool Transfer
    – T1071.001 – Application Layer Protocol: Web Protocols

    Patch Verification

    – Confirm SAP NetWeaver patched to September 2025 release.
    – Test with crafted metadatauploader request – patched servers reject binary payloads.

    Conclusion

    CVE-2025-31324 highlights the risks of insecure upload endpoints in enterprise middleware. A single unvalidated file upload can lead to complete SAP system compromise. Given SAP’s role in core business operations, this vulnerability should be treated as high-priority with immediate patching and network monitoring for exploit attempts.

    References

    – SAP Security Advisory (September 2025) – CVE-2025-31324
    – NVD – https://nvd.nist.gov/vuln/detail/CVE-2025-31324
    – MITRE ATT&CK Framework – https://attack.mitre.org/techniques/T1190/


    Quick Heal Protection

    All Quick Heal customers are protected from this vulnerability by the following signatures:

    • HTTP/CVE-2025-31324!VS.49935
    • HTTP/CVE-2025-31324!SP.49639


    Authors:
    Satyarth Prakash
    Vineet Sarote
    Adrip Mukherjee


  • Using Home Assistant to integrate a Unifi Protect G4 Doorbell and Amazon Alexa to announce visitors




    I am not a Home Assistant expert, but it’s clearly a massive and powerful ecosystem. I’ve interviewed the creator of Home Assistant on my podcast and I encourage you to check out that chat.

    Home Assistant can quickly become a hobby that overwhelms you. Every object (entity) in your house that is even remotely connected can become programmable. Everything. Even people! You can declare that any name:value pair that (for example) your phone can expose can be consumable by Home Assistant. Questions like “is Scott home” or “what’s Scott’s phone battery” can be associated with Scott the Entity in the Home Assistant Dashboard.

    I was amazed at the devices/objects that Home Assistant discovered that it could automate. Lights, remotes, Spotify, and more. You’ll find that any internally connected device you have likely has an Integration available.

    Temperature, Light Status, sure, that’s easy Home Automation. But integrations and 3rd party code can give you details like “Is the Living Room dark” or “is there motion in the driveway.” From these building blocks, you can then build your own IFTTT (If This Then That) automations, combining not just two systems, but any and all disparate systems.

    What’s the best part? This all runs LOCALLY. Not in a cloud or the cloud or anyone’s cloud. I’ve got my stuff running on a Raspberry Pi 4. Even better, I put a Power over Ethernet (PoE) hat on my RPi, so I have just one network wire into my hub, and it powers the Pi.

    I believe setting up Home Assistant on a Pi is the best and easiest way to get started. That said, you can also run in a Docker Container, on a Synology or other NAS, or just on Windows or Mac in the background. It’s up to you. Optionally, you can pay Nabu Casa $5 for remote (outside your house) network access via transparent forwarding. But to be clear, it all still runs inside your house and not in the cloud.

    Basic Home Assistant Setup

    OK, to the main point. I used to have an Amazon Ring Doorbell that would integrate with Amazon Alexa, and when you pressed the doorbell it would say “Someone is at the front door” on all our Alexas. It was a lovely little integration that worked nicely in our lives.

    Front Door UniFi G4 Doorbell

    However, I swapped out the Ring for a Unifi Protect G4 Doorbell for a number of reasons. I don’t want to pump video to outside services, so this doorbell integrates nicely with my existing Unifi installation and records video to a local hard drive. However, I lose any Alexa integration and this nice little “someone is at the door” announcement. So this seems like a perfect job for Home Assistant.

    Here’s the general todo list:

    • Install Home Assistant
    • Install Home Assistant Community Store
      • This enables 3rd party “untrusted” integrations directly from GitHub. You’ll need a GitHub account and it’ll clone custom integrations directly into your local HA.
      • I also recommend the Terminal & SSH (9.2.2) and File editor (5.3.3) add-ons so you can see what’s happening.
    • Get the UniFi Protect 3rd party integration for Home Assistant
      • NOTE: Unifi Protect support is being promoted in Home Assistant v2022.2 so you won’t need this step soon as it’ll be included.
      • “The UniFi Protect Integration adds support for retrieving Camera feeds and Sensor data from a UniFi Protect installation on either an Ubiquiti CloudKey+, Ubiquiti UniFi Dream Machine Pro or UniFi Protect Network Video Recorder.”
      • Authenticate and configure this integration.
    • Get the Alexa Media Player integration
      • This makes all your Alexas show up in Home Assistant as “media players” and also allows you to tts (text to speech) to them.
      • Authenticate and configure this integration.

    I recommend going into your Alexa app and making a Multi-room Speaker Group called “everywhere.” Not only because it’s nice to be able to say “play the music everywhere” but you can also target that “Everywhere” group in Home Assistant.

    Go into your Home Assistant UI at http://homeassistant.local:8123/ and into Developer Tools. Under Services, try pasting in this YAML and clicking “call service.”

    service: notify.alexa_media_everywhere
    data:
      message: Someone is at the front door, this is a test
      data:
        type: announce
        method: speak

    If that works, you know you can automate Alexa and make it say things. Now, go to Configuration, Automation, and Add a new Automation. Here’s mine. I used the UI to create it. Note that your Entity names may be different if you give your front doorbell camera a different name.

    Binary_sensor.front_door_doorbell

    Notice the format of Data: it is name/value pairs within a single field’s value.

    Alexa Action

    …but it also exists in a file called Automations.yaml. Note that the “to: ‘on’” trigger is required or you’ll get double announcements, one for each state change in the doorbell.

    - id: '1640995128073'
      alias: G4 Doorbell Announcement with Alexa
      description: G4 Doorbell Announcement with Alexa
      trigger:
      - platform: state
        entity_id: binary_sensor.front_door_doorbell
        to: 'on'
      condition: []
      action:
      - service: notify.alexa_media_everywhere
        data:
          data:
            type: announce
            method: speak
          message: Someone is at the front door
      mode: single

    It works! There’s a ton of cool stuff I can automate now!






    About Scott

    Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
