Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited, maximum-severity unauthenticated file upload vulnerability that allows attackers to hijack servers.

Last week, SAP disclosed an unauthenticated file upload vulnerability, tracked as CVE-2025-31324, in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. The flaw allows remote attackers to upload arbitrary executable files to exposed instances without authenticating, achieving code execution and full system compromise.

Multiple cybersecurity firms, including ReliaQuest, watchTowr, and Onapsis, confirmed the flaw is actively exploited in attacks, with threat actors using it to drop web shells on vulnerable servers. Researchers reported that the threat actors are using webshells with names like "cache.jsp" and "helper.jsp." However, Nextron Research says they are also using random names, making it more difficult to find vulnerable NetWeaver instances.

An SAP spokesperson told BleepingComputer that they were aware of these attempts and released a workaround on April 8, 2024, followed by a security update that addressed CVE-2025-31324 on April 25.

Researchers have now confirmed that many vulnerable SAP NetWeaver servers are exposed on the internet, making them prime targets for attacks. The Shadowserver Foundation found 427 exposed servers, warning of the massive exposed attack surface and the potentially severe repercussions of exploitation. Most of the vulnerable systems (149) are in the United States, followed by India (50), Australia (37), China (31), Germany (30), the Netherlands (13), Brazil (10), and France (10).

However, cyber defense search engine Onyphe paints a more dire picture, telling BleepingComputer that there are 1,284 vulnerable servers exposed online, with 474 already having been compromised with webshells.

"Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised," Onyphe CTO Patrice Auffret told BleepingComputer.

While the number of servers is not massive, the risk is still significant, given that large enterprises and multinational corporations commonly use SAP NetWeaver.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
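The article notes that the dropped webshells carry either the reported names ("cache.jsp", "helper.jsp") or random names. As an added example, not code from the article or from any of the firms it names, the Python script below triages the .jsp files under a web root: it flags the reported names outright, and flags random-looking names only when the file was also modified recently, so long-standing legitimate JSPs are not reported. The directory paths, the 14-day window, and the randomness heuristic are assumptions; the sample listing is constructed for the demo.

```python
# Added example (not from the BleepingComputer article or any vendor tool):
# triage JSP files on a SAP NetWeaver host for likely webshell drops.
import math
import os
from datetime import datetime, timedelta, timezone

# Webshell file names reported by researchers in the article.
KNOWN_WEBSHELL_NAMES = {"cache.jsp", "helper.jsp"}

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; higher means more random-looking."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not a vendor rule) for machine-generated names:
    alphanumeric, at least 6 chars, and either mixes letters with digits,
    has no vowels, or is long with high per-character entropy."""
    stem = stem.lower()
    if not stem.isalnum() or len(stem) < 6:
        return False
    has_letters = any(ch.isalpha() for ch in stem)
    has_digits = any(ch.isdigit() for ch in stem)
    if has_letters and has_digits:
        return True
    if has_letters and not (set(stem) & VOWELS):
        return True
    return len(stem) >= 10 and shannon_entropy(stem) >= 3.3


def classify_jsp(path: str, mtime: datetime, now: datetime, recent_days: int = 14) -> dict:
    """Attach reasons to one .jsp file and decide whether it deserves a human look."""
    name = os.path.basename(path).lower()
    stem = name[: -len(".jsp")]
    reasons = []
    if name in KNOWN_WEBSHELL_NAMES:
        reasons.append("known-webshell-name")
    if looks_random(stem):
        reasons.append("random-looking-name")
    if now - mtime <= timedelta(days=recent_days):
        reasons.append("recently-modified")
    # A reported name is suspicious on its own; a random name only if it is also new.
    suspicious = "known-webshell-name" in reasons or (
        "random-looking-name" in reasons and "recently-modified" in reasons
    )
    return {"path": path, "name": name, "reasons": reasons, "suspicious": suspicious}


def triage(entries, now: datetime, recent_days: int = 14) -> list:
    """entries: iterable of (path, mtime). Returns only the suspicious .jsp files."""
    results = [
        classify_jsp(p, m, now, recent_days) for p, m in entries if p.lower().endswith(".jsp")
    ]
    return [r for r in results if r["suspicious"]]


def scan_directory(root: str, now: datetime = None, recent_days: int = 14) -> list:
    """Walk a real deployment directory (path is the operator's choice) and triage it."""
    now = now or datetime.now(timezone.utc)
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(".jsp"):
                full = os.path.join(dirpath, fn)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                entries.append((full, mtime))
    return triage(entries, now, recent_days)


# Constructed sample listing; the directory is a placeholder, not SAP's real layout.
NOW = datetime(2025, 4, 28, tzinfo=timezone.utc)
RECENT = datetime(2025, 4, 24, tzinfo=timezone.utc)
OLD = datetime(2023, 1, 15, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("/placeholder/webroot/cache.jsp", RECENT),
    ("/placeholder/webroot/helper.jsp", OLD),
    ("/placeholder/webroot/ua9fkq2p.jsp", RECENT),
    ("/placeholder/webroot/xkqzrtwm.jsp", RECENT),
    ("/placeholder/webroot/index.jsp", OLD),
    ("/placeholder/webroot/report_2024.jsp", RECENT),
    ("/placeholder/webroot/logon.jsp", RECENT),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES, NOW):
        print(hit["path"], ", ".join(hit["reasons"]))
```

On the constructed listing the script reports cache.jsp and helper.jsp (reported names, regardless of age) and the two random-looking, recently modified files; index.jsp, logon.jsp and report_2024.jsp are left alone. Point `scan_directory()` at the deployment's actual web root to run it against a live host, and treat any hit as a lead for a content review rather than a verdict.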
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 28 Apr 2025 16:50:00 +0000