What is important to understand:
- Over 1,100 compromised systems have already been identified.
- Affected means already compromised, not merely vulnerable.
- The compromised systems predominantly belong to large enterprises and critical infrastructure operators — SAP NetWeaver is rarely deployed outside large organizations.
- Detection from the outside is limited to known webshell names.
Initially, security researchers observed webshells named helper.jsp and cache.jsp. However, the open-source network scanner released by Onapsis later introduced a third webshell name, nzwcnktc.jsp — a random string, clearly indicating that attackers are dropping webshells under arbitrary names.
This means that while some compromises can be identified externally (via known filenames), many cannot. Unless a thorough scan is conducted internally, using detection methods capable of identifying webshells by content rather than filename, compromises will remain hidden.

Why External Scanning is Insufficient
The open-source scanner provided by Onapsis checks for the presence of known webshells (cache.jsp, helper.jsp, nzwcnktc.jsp).
However:
- Attackers can use random names for the webshells.
- From the outside, without knowledge of the random filenames, you cannot reliably detect compromises.
In fact, the discovery of a randomly named webshell strongly suggests that there are already additional variants in use that external scans simply cannot find.
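To make the filename-versus-content distinction concrete, the following added example (not code from THOR, Onapsis, or the authors of this article) walks a directory tree and compares a known-name check with a simple content check on every JSP file. The two regex indicators, the random filename qzxvbnma.jsp, and the inert fixture files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Names reported so far (from the article); a filename check knows only these.
KNOWN_NAMES = {"helper.jsp", "cache.jsp", "nzwcnktc.jsp"}

# Illustrative indicators (assumption, not a vendor rule set): request input
# read in the same file that spawns an OS process.
USER_INPUT = re.compile(rb"request\s*\.\s*getParameter\s*\(")
PROC_SPAWN = re.compile(
    rb"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("
)

def name_hit(path):
    return os.path.basename(path).lower() in KNOWN_NAMES

def content_hit(path, max_bytes=1_000_000):
    # Only the first max_bytes are inspected; larger files need chunked reads.
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return bool(USER_INPUT.search(data) and PROC_SPAWN.search(data))

def scan(root):
    """Map each JSP under root to (matched_by_name, matched_by_content)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".jsp", ".jspx")):
                full = os.path.join(dirpath, fn)
                results[os.path.relpath(full, root)] = (name_hit(full), content_hit(full))
    return results

def demo():
    # Constructed, inert fixtures: indicator tokens only, not valid JSP.
    fixture = b"/* test fixture */ request.getParameter( ... Runtime.getRuntime().exec( ..."
    benign = b'<%@ page contentType="text/html" %><% String n = request.getParameter("n"); %>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("helper.jsp", fixture), ("qzxvbnma.jsp", fixture), ("index.jsp", benign)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for path, (by_name, by_content) in sorted(demo().items()):
        print(f"{path:14} name={by_name} content={by_content}")
```

The randomly named fixture is missed by the name check and caught by the content check. Two regexes are far weaker than a maintained rule set, and legitimate administrative JSPs can match them, so treat hits as leads for triage.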
Why We Recommend Running a Local Compromise Assessment
To effectively detect whether an SAP NetWeaver system has been compromised, a local scan with a tool capable of detecting generic webshell patterns is necessary.
THOR Lite and THOR Cloud Lite — the free versions of our compromise assessment scanner — provide precisely this capability:
Generic Webshell Detection
THOR Lite includes multiple content-based YARA rules that match webshells even when filenames are random or unknown. Internal tests show that THOR Lite matches 4–5 different rules on the publicly known samples.
Early Coverage
The generic webshell detection rules that triggered on the identified samples had been part of our signature set, including the open-source rule set, long before this exploitation activity became publicly known.
This underlines the strength of the generic detection approach and shows that even unknown variants could be reliably identified.
Standalone Operation
No installation required — just execute THOR Lite directly on the system.
Cross-Platform Compatibility
Supports both Linux and Windows deployments, covering the typical SAP NetWeaver environments.
Comprehensive File System Scanning
THOR Lite checks not only file names but also content signatures, file anomalies, and system manipulation indicators.
How to Perform a Compromise Assessment
You have two options to perform a compromise assessment:
Option 1: Download and Run THOR Lite Manually
- Download the right THOR Lite version for your operating system (Linux or Windows).
- Extract the archive.
- Execute the binary on the SAP NetWeaver system.
- Review the generated scan report (HTML).
Download THOR Lite here.
Option 2: Use THOR Cloud Lite
If you prefer centralized management, web-based reporting, and easier deployments, THOR Cloud Lite is the recommended option:
Step-by-Step:
- Create a Free Account at THOR Cloud Lite.
- Create a Campaign:
  - Name the campaign (e.g., “SAP NetWeaver Compromise Assessment”).
  - Select Scan Profile → Full Scan
- Choose a Launcher: Use the Linux OneLiner (recommended) or download the Launcher Binary or Bash Script.
- Run the Command on your SAP NetWeaver system:
  - Open a terminal.
  - Paste and run the provided OneLiner.
  - The launcher will:
    - Download the THOR package.
    - Start the scan automatically.
- Check the Web GUI:
  - Monitor scan progress.
  - Review the scan results once the scan is complete.
  - Look for findings related to “Webshells”, “Malware”, or “Suspicious Files”.

Conclusion
With external scans only detecting known webshells, it is important to run a local compromise assessment on SAP NetWeaver systems to be sure they are not already compromised.
To support the community, we offer THOR Lite and THOR Cloud Lite free of charge. Both include strong webshell detection based on content, not just filenames — making them well-suited to find signs of compromise even when attackers use random file names.
We recommend running a scan — whether with our tools or another method you trust.
If you want an easy and reliable option, THOR Lite and THOR Cloud Lite are available for you to use today.
Further Reading
For more detailed information about the vulnerability, exploitation activities, and available tools, we recommend reviewing the following resources:
- ReliaQuest Analysis: Threat Spotlight: ReliaQuest Uncovers Vulnerability Behind SAP NetWeaver Compromise
- Onapsis Analysis:
- Onapsis Open Source Network Scanner: