برچسب: Vulnerability

Critical SAP Vulnerability & How to Protect Your Enterprise

Executive Summary

CVE-2025-31324 is a critical remote code execution (RCE) vulnerability affecting the SAP NetWeaver Development Server, one of the core components used in enterprise environments for application development and integration. The vulnerability stems from improper validation of uploaded model files via the exposed metadatauploader endpoint. By exploiting this weakness, attackers can upload malicious files—typically crafted as application/octet-stream ZIP/JAR payloads—that the server mistakenly processes as trusted content.

The risk is significant because SAP systems form the backbone of global business operations, handling finance, supply chain, human resources, and customer data. Successful exploitation enables adversaries to gain unauthenticated remote code execution, which can lead to:

Persistent foothold in enterprise networks
Theft of sensitive business data and intellectual property
Disruption of critical SAP-driven processes
Lateral movement toward other high-value assets within the organization

Given the scale at which SAP is deployed across Fortune 500 companies and government institutions, CVE-2025-31324 poses a high-impact threat that defenders must address with urgency and precision.

Vulnerability Overview

CVE ID: CVE-2025-31324
Type: Unauthenticated Arbitrary File Upload → Remote Code Execution (RCE)
CVSS Score: 8 (Critical) (based on vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Criticality: High – full compromise of SAP systems possible
Affected Products: SAP NetWeaver Application Server (Development Server module), versions prior to September 2025 patchset
Exploitation: Active since March 2025, widely weaponized after August 2025 exploit release
Business Impact: Persistent attacker access, data theft, lateral movement, and potential disruption of mission-critical ERP operations

Threat Landscape & Exploitation

Active exploitation began in March–April 2025, with attackers uploading web shells like helper.jsp, cache.jsp, or randomly-named .jsp files to SAP servers . On Linux systems, a stealthy backdoor named Auto-Color was deployed, enabling reverse shells, file manipulation, and evasive operation .

In August 2025, the exploit script was publicly posted by “Scattered LAPSUS$ Hunters – ShinyHunters,” triggering a new wave of widespread automatic attacks . The script includes identifiable branding and taunts, a valuable signals for defenders.

Technical Details

Root Cause:
The ‘metadatauploader’ endpoint fails to sanitize uploaded binary model files. It trusts client-supplied ‘Content-Type: application/octet-stream’ payloads and parses them as valid SAP model metadata.

Trigger:

Observed Payloads: Begin with PK (ZIP header), embedding .properties + compiled bytecode that triggers code execution when parsed.

Impact: Arbitrary code execution within SAP NetWeaver server context, often leading to full system compromise.

Exploitation in the Wild

March–April 2025: First observed exploitation with JSP web shells.

August 2025: Public exploit tool released by Scattered LAPSUS$ Hunters – ShinyHunters, fueling mass automated attacks.

Reported Havoc: Over 1,200 exposed SAP NetWeaver Dev servers scanned on Shodan showed exploit attempts. Multiple confirmed intrusions across manufacturing, retail, and telecom sectors. Incidents of data exfiltration and reverse shell deployment confirmed in at least 8 large enterprises.

Exploitation

Attack Chain:
1. Prepare Payload – Attacker builds a ZIP/JAR containing malicious model definitions or classes.
2. Deliver Payload – Send crafted HTTP POST to /metadatauploader with application/octet-stream.
3. Upload Accepted – Server writes/loads the malicious file without validation.
4. Execution – Code is executed when the model is processed by NetWeaver.

Indicators in PCAP:
– POST /developmentserver/metadatauploader requests
– Content-Type: application/octet-stream with PK-prefixed binary content

Protection

– Patch: Apply SAP September 2025 security updates immediately.
– IPS/IDS Detection:
• Match on POST requests to /metadatauploader containing CONTENTTYPE=MODEL.
• Detect binary payloads beginning with PK in HTTP body.
– EDR/XDR: Monitor SAP process spawning unexpected child processes (cmd.exe, powershell, etc).
– Best Practice: Restrict development server exposure to trusted networks only.

Indicators of Compromise (IoCs)

Artifact	Details
1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087	Helper.jsp webshell
794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf	Cache.jsp webshell
0a866f60537e9decc2d32cbdc7e4dcef9c5929b84f1b26b776d9c2a307c7e36e	rrr141.jsp webshell
4d4f6ea7ebdc0fbf237a7e385885d51434fd2e115d6ea62baa218073729f5249	rrxx1.jsp webshell

Network:
– URI: /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1
– Headers: Content-Type: application/octet-stream
– Binary body beginning with PK

Files:
– Unexpected ZIP/JAR in SAP model directories
– Modified .properties files in upload paths
Processes:
– SAP NetWeaver spawning system binaries

MITRE ATT&CK Mapping

– T1190 – Exploit Public-Facing Application
– T1059 – Command Execution
– T1105 – Ingress Tool Transfer
– T1071.001 – Application Layer Protocol: Web Protocols

Patch Verification

– Confirm SAP NetWeaver patched to September 2025 release.
– Test with crafted metadatauploader request – patched servers reject binary payloads.

Conclusion

CVE-2025-31324 highlights the risks of insecure upload endpoints in enterprise middleware. A single unvalidated file upload can lead to complete SAP system compromise. Given SAP’s role in core business operations, this vulnerability should be treated as high-priority with immediate patching and network monitoring for exploit attempts.

References

– SAP Security Advisory (September 2025) – CVE-2025-31324
– NVD – https://nvd.nist.gov/vuln/detail/CVE-2025-31324
– MITRE ATT&CK Framework – https://attack.mitre.org/techniques/T1190/

Quick Heal Protection

All Quick Heal customers are protected from this vulnerability by following signatures:

HTTP/CVE-2025-31324!VS.49935
HTTP/CVE-2025-31324!SP.49639

Authors:
Satyarth Prakash
Vineet Sarote
Adrip Mukherjee

Source link

سپتامبر 10, 2025

Apache Tomcat Remote Code Execution Vulnerability
Apache Tomcat is a popular, open-source web server and servlet container maintained by the Apache Software Foundation. It provides a reliable and scalable environment for executing Java Servlets and serving web pages built using Java Server Pages (JSP). Frequently deployed in both development and production environments, Tomcat plays a crucial role in delivering dynamic Java-based web applications across various enterprise use cases.

Recently, a critical security vulnerability identified as CVE-2025-24813 was discovered in Apache Tomcat. This vulnerability exploits a flaw in the handling of partial file uploads and session file persistence, potentially allowing attackers to achieve remote code execution (RCE) under certain conditions. The issue arises from how Tomcat’s default servlet manages write operations combined with deserialization logic for persisted session files.

CVE-2025-24813

Initially published in early March with a CVSS score of 5.5, the severity of CVE-2025-24813 was later reassessed and upgraded to 9.8 (High). Recognizing the potential impact of this flaw, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalogue, underscoring the urgency for affected organizations to patch their systems.

CVE-2025-24813 is a critical vulnerability in Apache Tomcat that can lead to remote code execution (RCE) when specific server configurations are in place. The issue arises from how Tomcat handles partial PUT requests in conjunction with file-based session persistence.

This issue becomes exploitable when the default servlet is explicitly configured with ‘readonly’ parameter is set to false — a setting that enables write operations such as HTTP PUT. By default, Tomcat sets ‘readonly’ to true, which restricts write access and helps mitigate risk. This parameter is defined in the web.xml configuration file, typically located in the conf/ directory of the Tomcat installation.

When partial PUT support is also enabled (enabled by default), an attacker can exploit this behaviour to upload a crafted serialized payload, targeting a session file. If Tomcat is configured to persist session data to disk, the uploaded file may later be automatically deserialized by the server, resulting in attacker-controlled code execution.

The vulnerability affects the following versions of Apache Tomcat:
- 11.0.0‑M1 through 11.0.2
- 10.1.0‑M1 through 10.1.34
- 9.0.0‑M1 through 9.0.98
Exploitation Prerequisites for CVE-2025-24813

To exploit CVE-2025-24813, several server-side conditions must be in place. These prerequisites enable an attacker to craft a malicious PUT request that results in the deserialization of attacker-controlled data, potentially leading to remote code execution (RCE).

The following conditions must be met:
- The default servlet’s readonly attribute is set to false, permitting write access via HTTP PUT requests
- Partial PUT functionality is enabled — i.e., Tomcat accepts the Content-Range header (enabled by default)
- The application is configured to use Tomcat’s file-based session persistence mechanism
Exploitation Flow

The exploitation of CVE-2025-24813 involves a sequence of carefully crafted steps that take advantage of Tomcat’s handling of partial file uploads and session deserialization. The following outlines a typical attack chain under vulnerable conditions:

Environment Setup: The target server must have ‘readonly’ parameter set to false for the default servlet, partial PUT support enabled, and file-based session persistence configured.

Payload Generation: The attacker generates a malicious serialized object — typically using a tool like ysoserial — embedding a command that will execute upon deserialization.

Payload Upload: The crafted payload is uploaded to the server via an HTTP PUT request with a Content-Range header. This simulates a partial upload and results in the creation of a session file on disk.

Triggering Deserialization: A follow-up request is made to the application with the JSESSIONID set to the uploaded session file’s name. This causes Tomcat to deserialize the file, assuming it to be a legitimate session object.

Code Execution: If a suitable deserialization gadget exists on the classpath, the payload is executed, leading to remote code execution under the privileges of the Tomcat process.

Mitigation

The recommended and most effective mitigation for CVE-2025-24813 is to upgrade Apache Tomcat to a version where the vulnerability has been addressed. This flaw is fully patched in the following Tomcat releases:

These versions include enhancements to the handling of temporary files created via partial PUT requests, ensuring such files are not mistakenly deserialized as session objects — thereby preventing remote code execution.

For environments where immediate upgrades are not possible, the following temporary mitigations can help reduce risk:
- Keep the default servlet’s readonly parameter set to true, which prevents write operations via PUT requests. This is the default and recommended setting.
- Disable support for partial PUT requests, especially if not used by the application. This can be achieved at the connector level or via upstream web server rules (e.g., Nginx or Apache HTTPD).
- Avoid using file-based session persistence, particularly when writable paths overlap with session storage locations.
- Review and sanitize the server classpath to remove unnecessary libraries such as commons-collections, which may introduce exploitable deserialization gadgets.
Seqrite Endpoint Protection

All Seqrite Customers are protected from this vulnerability by following signatures:
- HTTP/CVE-2025-24813!VS.49414
Authors:

Vinay Kumar

Vineet Sarote
Source link
آوریل 21, 2025