A newly uncovered attack is targeting SAP NetWeaver systems. According to researchers at ReliaQuest, threat actors are exploiting what appears to be a previously unknown vulnerability to quietly drop lightweight JSP web shells onto fully patched systems. Once inside, they’re able to execute code, steal data, and maintain access, all without tripping the usual alarms.
What’s even more concerning is where SAP NetWeaver runs. The platform forms the backbone of core business systems in government agencies, large enterprises, and global supply chains.
Vulnerability Breakdown
At the center of the attack is an obscure but dangerous endpoint: /developmentserver/metadatauploader. ReliaQuest found that this entry point can be abused to upload malicious files, even on systems that are fully up to date. Once the attackers gain access, they drop the web shells into a specific directory: servlet_jsp/irj/root/. From there, they can run arbitrary code, maintain a foothold in the system, and quietly siphon off data.
These uploads don’t require authentication, meaning attackers can slip through the front door without credentials. And once the shell is in place, it’s built for stealth and persistence, giving intruders continued access over time.
Suspected Zero-Day Exploit
One of the most disturbing parts of this campaign is that it hits fully patched systems. That’s led researchers to suspect the attackers are using a zero-day exploit—an undisclosed vulnerability unknown to SAP at the time of the attacks. There’s some speculation it may be tied to an older issue, CVE-2017-9844, or that it involves a new remote file inclusion (RFI) vulnerability that hasn’t been publicly documented.
SAP responded quickly once notified. The company issued an out-of-band patch—something it rarely does—addressing the flaw under CVE-2025-31324. The fix targets missing authentication checks in the MetadataUploader service, which allowed attackers to upload arbitrary files, including web shells. SAP rated the severity a 9.8 out of 10, its highest score, and warned that discovery of unknown files might already indicate compromise.
Post-Exploitation: Weaponizing the Breach
Once inside, the attackers didn’t just stop at deploying web shells. They came prepared with an arsenal of tools designed for stealth and long-term access. ReliaQuest found signs of Brute Ratel, a red team tool known for its advanced evasion capabilities. Unlike noisier counterparts like Cobalt Strike, Brute Ratel is built to slip past modern defenses.
The attackers also used Heaven’s Gate, a technique that lets 32-bit code execute 64-bit instructions, a clever way to dodge traditional detection methods. In some cases, payloads compiled with Microsoft’s MSBuild were injected directly into dllhost.exe, a legitimate Windows process. This kind of living-off-the-land approach makes it harder for defenders to spot malicious activity.
Taken together, these techniques point to a well-resourced operation focused on staying hidden, maintaining access, and quietly moving deeper into targeted environments.
Implications for Enterprises
The fallout from this kind of attack could be massive. SAP NetWeaver powers enterprise resource planning (ERP), customer relationship management (CRM), and other critical business systems. “If you want to know what a business is doing, what resources they have, and to know how money flows in and out of a company, exploiting their SAP applications is exactly where you want to be,” said John Bambenek, president of Bambenek Consulting.
That strategic value makes SAP a prime target. A successful compromise can expose sensitive data, disrupt operations, and provide a launchpad into broader enterprise systems. And because SAP environments are often treated as black boxes, security teams may not have the visibility they need to spot early warning signs.
Next Steps and Recommendations
Patching is important, but it’s not enough. As this campaign shows, attackers are finding ways around traditional defenses, even on fully updated systems. That’s why behavior-based detection needs to be part of the playbook. Watching for unexpected file uploads, unusual process behavior, or connections from unfamiliar IPs can catch what signature-based tools miss.
Public-facing SAP instances also need to be locked down. That means disabling the Visual Composer component if it’s not in use, blocking access to development endpoints like /developmentserver/metadatauploader, and placing these systems behind strong web application firewalls. Bambenek said defenders should also be watching web access logs and scanning for signs of web shells in the file system.
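The behavior-based checks above, worked into a small log analyzer as an added example (not code from the article or from ReliaQuest): it reads NCSA-style web access log lines, flags POSTs to /developmentserver/metadatauploader and requests for JSP files under /irj/root/ that are not on a baseline of known files, and then correlates the two by source IP. The log lines are constructed, and the baseline set `KNOWN_ROOT_JSPS` and the log format are assumptions you would replace with your own.

```python
import re
from typing import Dict, List, Set

# Constructed sample access log lines (NCSA common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [24/Apr/2025:10:02:40 +0000] "GET /irj/root/helper.jsp?x=1 HTTP/1.1" 200 88
10.0.0.9 - - [24/Apr/2025:10:03:01 +0000] "GET /irj/root/index.jsp HTTP/1.1" 200 2048
"""

# Assumed baseline: JSPs that legitimately exist under /irj/root/ on this system.
# Any other .jsp requested there is treated as unknown (SAP's own "unknown files" indicator).
KNOWN_ROOT_JSPS: Set[str] = {"/irj/root/index.jsp"}

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the sweep
        path = m.group("path").split("?", 1)[0].lower()  # drop query string, normalize case
        base = {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "status": m.group("status")}
        if m.group("method") == "POST" and path == UPLOAD_ENDPOINT:
            findings.append({**base, "reason": "upload via metadatauploader"})
        elif path.startswith("/irj/root/") and path.endswith(".jsp") and path not in KNOWN_ROOT_JSPS:
            findings.append({**base, "reason": "unknown JSP under /irj/root/"})
    return findings


def correlate(findings: List[Dict[str, str]]) -> Set[str]:
    """IPs seen both hitting the upload endpoint and requesting an unknown JSP: strongest signal."""
    uploaders = {f["ip"] for f in findings if f["reason"].startswith("upload")}
    shell_hits = {f["ip"] for f in findings if f["reason"].startswith("unknown")}
    return uploaders & shell_hits


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']}  <- {f['reason']}")
    print("correlated sources:", sorted(correlate(detect(SAMPLE_LOG))))
```

A hit on the upload endpoint alone may be a legitimate developer action on systems that still expose it, so pair the log check with a file-system sweep of servlet_jsp/irj/root/ for JSPs you did not deploy.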
Beyond patching and hardening, enterprises should also be thinking long term. “SAP NetWeaver, the broader platform itself, is also being phased out, with its support ending in 2027,” said Mayuresh Dani of Qualys. “Customers should start planning for their move to a supported platform.”
Finally, this isn’t a problem any single company can solve alone. Security teams, vendors, and threat intelligence providers need to work together, share information quickly, and respond fast when new threats emerge. As long as SAP platforms remain a high-value target, collaboration will be just as important as code.