Techniques
Sample rules
SAP NetWeaver Visual Composer Exploitation Attempt
- source: splunk
- techniques:
  - T1190
Description
Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
Detection logic
| tstats `security_content_summariesonly`
    count min(_time) as firstTime
    max(_time) as lastTime
    FROM datamodel=Web.Web WHERE
    Web.url IN (
        "*/ctc/CTCWebService/CTCWebServiceBean",
        "*/CTCWebService/CTCWebServiceBean",
        "*/VisualComposer/services/DesignTimeService"
    )
    Web.http_method IN ("HEAD", "POST")
    Web.status=200
    BY Web.src Web.dest Web.http_method
       Web.url Web.http_user_agent Web.url_length
| `drop_dm_object_name("Web")`
| eval action=case(
    http_method="HEAD", "Recon/Probe",
    http_method="POST", "Possible Exploitation"
  )
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest http_method
        action url http_user_agent url_length
| `sap_netweaver_visual_composer_exploitation_attempt_filter`
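The rule's filter, grouping and action labelling, emulated in Python over constructed log lines so the logic can be checked without a Splunk instance. This is an added example, not part of the original rule; the log format, the `detect` function and the sample events are assumptions. The URL patterns as written have no trailing wildcard, so in this emulation a request carrying a query string is not matched.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# URL patterns and method-to-action mapping copied from the rule on this page
URL_PATTERNS = [
    "*/ctc/CTCWebService/CTCWebServiceBean",
    "*/CTCWebService/CTCWebServiceBean",
    "*/VisualComposer/services/DesignTimeService",
]
ACTIONS = {"HEAD": "Recon/Probe", "POST": "Possible Exploitation"}

# Constructed sample events (hypothetical format: time src dest method url status "user agent")
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.7 10.0.0.5 HEAD /VisualComposer/services/DesignTimeService 200 "curl/8.0"
2025-05-01T10:00:09Z 203.0.113.7 10.0.0.5 POST /VisualComposer/services/DesignTimeService 200 "curl/8.0"
2025-05-01T10:00:15Z 203.0.113.7 10.0.0.5 POST /VisualComposer/services/DesignTimeService 200 "curl/8.0"
2025-05-01T10:01:00Z 198.51.100.4 10.0.0.5 POST /ctc/CTCWebService/CTCWebServiceBean 404 "python-requests/2.31"
2025-05-01T10:02:00Z 198.51.100.4 10.0.0.5 GET /CTCWebService/CTCWebServiceBean 200 "Mozilla/5.0"
2025-05-01T10:03:00Z 198.51.100.4 10.0.0.5 POST /CTCWebService/CTCWebServiceBean?wsdl 200 "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def detect(log_text):
    """Return one row per (src, dest, method, url, user agent), like the tstats BY clause."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dest, method, url, status, ua = m.groups()
        # Web.http_method IN ("HEAD", "POST") and Web.status=200
        if method not in ACTIONS or status != "200":
            continue
        # Web.url IN (...): leading wildcard only, so the URL must end with the path
        if not any(fnmatchcase(url, p) for p in URL_PATTERNS):
            continue
        groups[(src, dest, method, url, ua)].append(ts)
    rows = [
        {"firstTime": min(t), "lastTime": max(t), "count": len(t), "src": src, "dest": dest,
         "http_method": method, "action": ACTIONS[method], "url": url,
         "http_user_agent": ua, "url_length": len(url)}
        for (src, dest, method, url, ua), t in groups.items()
    ]
    return sorted(rows, key=lambda r: r["firstTime"])

if __name__ == "__main__":
    for row in detect(SAMPLE_LOG):
        print(row)
```
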