SAP NetWeaver 0-day Vulnerability Exploited in the Wild to Deploy Webshells


Apr 25, 2025 - 11:26

A wave of targeted cyberattacks has exposed a previously unknown vulnerability in SAP NetWeaver, allowing attackers to deploy malicious JSP webshells and gain unauthorized access to enterprise systems, even those running the latest patches. 

In April 2025, security researchers at ReliaQuest identified a series of incidents where threat actors leveraged this flaw to upload and execute webshells in publicly accessible directories, raising concerns of a zero-day remote file inclusion (RFI) vulnerability that had not been previously reported or patched.

RFI Vulnerability in SAP NetWeaver

The recent wave of attacks centers on SAP NetWeaver’s /developmentserver/metadatauploader endpoint, a feature intended for handling metadata files in application development and configuration. 

Threat actors leveraged a Remote File Inclusion (RFI) vulnerability, a class of flaw in which unsanitized user input allows arbitrary files to be uploaded and executed on the server. 

In this case, attackers crafted malicious HTTP POST requests to upload JavaServer Pages (JSP) webshells directly into the directory j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/.

Once the webshells were in place, attackers could execute arbitrary commands on the compromised system simply by sending HTTP GET requests to the webshell’s URL. 

This provided full remote control, including uploading further malicious files, executing code, and exfiltrating sensitive data.

The deployed JSP webshells, including helper.jsp and cache.jsp, imported Java packages to interact with system processes, provided attacker-facing HTML forms for command execution, and displayed command output directly in the browser. 

Many of these webshells were based on open-source code repositories, making them lightweight and highly compatible with NetWeaver environments.

After gaining initial access, attackers escalated their operations using advanced tools and techniques:

Brute Ratel

This commercial command-and-control (C2) framework was uploaded to the server via the webshell. Attackers wrote C# code to a file (output.txt), moved it to the ProgramData directory, and compiled it using the .NET Framework’s MSBuild utility. 

Brute Ratel was then used to inject code into the dllhost.exe process, decrypting and executing malicious payloads in memory. 

Brute Ratel is prized for its encrypted communications, payload customization, and post-exploitation capabilities such as privilege escalation and credential harvesting.

Heaven’s Gate

To evade endpoint detection, attackers used the Heaven’s Gate technique, which manipulates thread execution contexts to transition between 32-bit and 64-bit code. 

This is achieved via the Windows API call NtSetContextThread, allowing malicious code to bypass security controls.

SAP NetWeaver is widely deployed in government and enterprise environments, making it a high-value target. 

The attacks were detected even on systems with the latest SAP service packs and patches, raising concerns that this is a true zero-day or an unreported variant of a previously known issue, such as CVE-2017-9844. 

However, evidence suggests the exploit is distinct from patched vulnerabilities, indicating a new RFI flaw.

Initial access brokers may be involved, potentially selling access to compromised SAP environments on cybercriminal forums. While no direct evidence of such sales was found, SAP NetWeaver remains a frequent topic in underground communities, further underscoring the risk.

Security experts recommend the following immediate actions for SAP NetWeaver administrators:

  • Disable Visual Composer and the developmentserver application alias, both of which are legacy features targeted in the exploit chain.
  • Restrict access to the /developmentserver/metadatauploader endpoint via firewall rules.
  • Centralize and monitor logs for suspicious activity, especially unauthorized file uploads in j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/.
  • Scan for webshells using known indicators of compromise, such as the hashes for helper.jsp and cache.jsp webshells.
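Added detection example, not code from the article or from ReliaQuest: a small Python triage script that applies the log-monitoring recommendation above to access-log lines. It assumes a Common Log Format access log from the proxy or ICM in front of NetWeaver, and that files dropped into the irj/root/ directory are served under the /irj/ web path; the sample lines are constructed, not real traffic.

```python
import re

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Webshell filenames named in the article; extend with your own IoCs.
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}

# Assumption: the proxy in front of NetWeaver logs in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A .jsp served directly from the irj root, e.g. /irj/helper.jsp
# (assumption: files in .../irj/root/ are exposed under /irj/).
JSP_IN_ROOT = re.compile(r"^/irj/(?P<name>[^/]+\.jsp)$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 9001
203.0.113.10 - - [24/Apr/2025:10:06:30 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 1024
192.0.2.44 - - [24/Apr/2025:10:07:00 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 4096
192.0.2.44 - - [24/Apr/2025:10:08:00 +0000] "GET /irj/custom.jsp HTTP/1.1" 404 300
"""

def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Flag uploader POSTs and .jsp hits in the irj root, correlated by IP."""
    posters = set()  # source IPs seen POSTing to the metadata uploader
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posters.add(ip)
            findings.append((ip, path, "post-to-metadatauploader", "medium"))
            continue
        m = JSP_IN_ROOT.match(path)
        if m:
            # Known webshell name, or a .jsp fetched by an IP that just uploaded
            hot = m.group("name") in KNOWN_WEBSHELLS or ip in posters
            findings.append((ip, path, "jsp-in-irj-root", "high" if hot else "low"))
    return findings
```

Nested paths such as /irj/portal/index.jsp are deliberately ignored so that normal portal traffic does not drown the alerts; tune JSP_IN_ROOT to match how your landscape exposes the directory.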

This campaign highlights the persistent risk of zero-day vulnerabilities in critical business platforms like SAP NetWeaver. 

Organizations are urged to review their security posture, apply available mitigations, and remain vigilant for signs of compromise as the investigation into the root cause continues.

