ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver
ID: 637c3182-bce9-5a00-b64a-37a7161a08a0
STIX ID: report--637c3182-bce9-5a00-b64a-37a7161a08a0
Feed Name: ReliaQuest Blog
ReliaQuest describes active exploitation of a critical SAP NetWeaver Visual Composer vulnerability (CVE-2025-31324) that allows unauthenticated JSP webshell uploads and remote command execution. Attackers have deployed webshells to specific NetWeaver directories and used post-exploitation tooling such as Brute Ratel, PipeMagic, and Heaven’s Gate, with evidence of chaining to a deserialization bug (CVE-2025-42999) and involvement by ransomware groups (BianLian, RansomEXX). The report provides detailed TTPs, IOCs (hashes, IPs, domain, file paths), and mitigation guidance (patching, disabling Visual Composer, log forwarding), and recommends immediate patching and monitoring.
