SAP NetWeaver 0-Day Vulnerability Enables Webshell Deployment
Cybersecurity analysts have issued a high-priority warning after several incidents revealed active exploitation of SAP NetWeaver, the widely deployed enterprise integration platform.
Attackers have leveraged an unreported 0-day vulnerability to deploy web shells, which give them remote command execution capabilities and persistent backdoor access even on fully patched systems.
CVE Details
The exposure centers around the /developmentserver/metadatauploader endpoint, a feature intended for legitimate SAP application configuration.
ReliaQuest investigators observed attackers uploading “JSP webshells” to publicly accessible directories by abusing this endpoint through specially crafted POST requests.
The uploaded files, typically disguised as innocuous names like helper.jsp or cache.jsp, allowed attackers to run arbitrary system commands via simple GET requests.
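A log-hunting sketch for the pattern described above, added here as an example and not taken from ReliaQuest or SAP: it flags POST requests to the uploader endpoint and any .jsp path that is first requested only after such a POST. The Common Log Format layout, the `hunt` function name and the sample lines (documentation IP ranges, `/example/` and `/app/` paths) are assumptions constructed for illustration.

```python
import re

UPLOAD_PATH = "/developmentserver/metadatauploader"  # endpoint named in the article

# Assumption: access log lines in Common Log Format; adapt the regex to your log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})\b'
)

def hunt(lines):
    """Return POSTs to the uploader and GETs for .jsp paths first seen after one."""
    known_jsp = set()          # .jsp paths requested before any uploader POST
    uploads, new_jsp = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that do not parse
        path = m["uri"].split("?", 1)[0].lower()
        hit = {"ip": m["ip"], "ts": m["ts"], "path": path,
               "status": int(m["status"])}
        if m["method"] == "POST" and path.startswith(UPLOAD_PATH):
            uploads.append(hit)
        elif m["method"] == "GET" and path.endswith(".jsp"):
            if not uploads:
                known_jsp.add(path)      # baseline: existed before any upload
            elif path not in known_jsp:
                new_jsp.append(hit)      # new JSP appearing after an upload
    return {"uploads": uploads, "new_jsp": new_jsp}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2025:10:05:30 +0000] "GET /example/helper.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2025:10:06:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2025:10:07:00 +0000] "GET /example/cache.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for kind, hits in result.items():
        for h in hits:
            print(kind, h["ts"], h["ip"], h["path"], h["status"])
```

Lines must be fed in chronological order; a 200 response on a newly seen .jsp is the higher-priority finding, while a 404 may indicate probing for a file that was never written.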
A critical question arises: is this related to a known Remote File Inclusion (RFI) flaw, such as CVE-2017-9844, which previously allowed remote command execution through Java object serialization? Or is it an entirely new, unreported vulnerability?
Notably, several ...
Copyright of this story solely belongs to gbhackers.