LoFP / some legitimate administrative activity may access sap netweaver services. however, head or post requests directly resulting in a 200 ok to visual composer endpoints are uncommon and should be investigated carefully.

Techniques

• T1190

Sample rules

SAP NetWeaver Visual Composer Exploitation Attempt

• source: splunk
• technicques:
  • T1190

Description

Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")) AND Web.http_method IN ("HEAD", "POST") AND Web.status=200 by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype 
| `drop_dm_object_name("Web")` 
| eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation") 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype 
| `sap_netweaver_visual_composer_exploitation_attempt_filter`