LoFP / some legitimate administrative activity may access sap netweaver services. however, head or post requests directly resulting in a 200 ok to visual composer endpoints are uncommon and should be investigated carefully.

Techniques

• T1190

Sample rules

SAP NetWeaver Visual Composer Exploitation Attempt

• source: splunk
• technicques:
  • T1190

Description

Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web.Web
  WHERE (
        Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")
    )
    AND Web.http_method IN ("HEAD", "POST") AND Web.status=200
  BY Web.src, Web.dest, Web.http_method,
     Web.url, Web.http_user_agent, Web.url_length,
     sourcetype

| `drop_dm_object_name("Web")`

| eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype

| `sap_netweaver_visual_composer_exploitation_attempt_filter`