Name: SAP NetWeaver Visual Composer Exploitation Attempt
id: a583b9f1-9c3a-4402-9441-b981654dea6c
version: 1
date: 2025-04-28
author: Michael Haag, Splunk
status: production
type: Hunting
Description: Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads (commonly webshells), resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
Data_source:
- Suricata
search:
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web
    where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean"))
      AND Web.http_method IN ("HEAD", "POST")
      AND Web.status=200
    by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype
| `drop_dm_object_name("Web")`
| eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime, lastTime, src, dest, http_method, action, url, http_user_agent, url_length, sourcetype
| `sap_netweaver_visual_composer_exploitation_attempt_filter`