Techniques
Sample rules
SAP NetWeaver Visual Composer Exploitation Attempt
- source: splunk
- technicques:
- T1190
Description
Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")) AND Web.http_method IN ("HEAD", "POST") AND Web.status=200 by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype
| `drop_dm_object_name("Web")`
| eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype
| `sap_netweaver_visual_composer_exploitation_attempt_filter`