Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer

This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer playbook and Rapid Breach Response incident type. CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability. ## CVE-2025-31324 - SAP NetWeaver RCE Vulnerability ## Vulnerability Overview - **Component Affected**: SAP NetWeaver Visual Composer Metadata Uploader - **Endpoint**: `/developmentserver/metadatauploader` - **CVE ID**: CVE-2025-31324 - **CVSS Score**: 10.0 (Critical) - **Exploitability**: Unauthenticated remote attackers can exploit this without user interaction This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process. [Source: Unit42 - Palo Alto Networks](https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/) ## Mitigation and Recommendations - **Apply Patch**: SAP Note #3594142 (released April 24, 2025) - **Disable Visual Composer** if not in use - **Restrict Access** to the vulnerable endpoint - **Monitor for IoCs** in `/irj/servlet_jsp/irj/root/` and suspicious traffic ## Conclusion CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components. [View official CVE details on NIST](https://nvd.nist.gov/vuln/detail/CVE-2025-31324) ## Playbook Triggers - Manually - "CVE Exploitation - 986328356" Agent rule ## Playbook Flow - Collects IoCs from Unit42 blog. - Downloads Sigma rules. - Search for CVE Exploitation alerts. - Directory enumeration to identify if there are already any suspicious files that might indicate a webshell. - Using XQL, identify potential SAP NetWeaver instances in your environment. - Using XQL, check if there are events that point to any potential webshells downloaded in the directories. - Hunt the IoCs using Panorama and 3rd party SIEM. - Remediate using "Block Indicators - Generic v3" playbook. - Provides Mitigation recommendations. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2025-31324 - SAP NetWeaver Visual Composer · 63 tasks · 4 inputs · 0 outputs

Inputs

  • SplunkEarliestTime — The earliest time for Splunk query.
  • SplunkLatestTime — The latest time for the Splunk search query.
  • QRadarTimeRange — The time range for QRadar query.
  • PlaybookDescription — The playbook description for the Rapid Breach Response layout.

Commands used

associateIndicatorsToIncident closeInvestigation createNewIndicator extractIndicators setIncident xdr-get-cloud-original-alerts xdr-get-script-execution-results xdr-script-commands-execute xdr-xql-generic-query xdr-xql-get-quota

Flowchart

no yes yes yes No Yes yes yes no yes yes yes yes yes yes Start Start Search compromised hosts - xdr-xql-generic-query Search compromised hosts xdr-xql-generic-query Manual – Search possible hosts Manual – Search possible ... Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Any results from XQL? Any results from XQL? Check XQL quota - xdr-xql-get-quota Check XQL quota xdr-xql-get-quota Is there enough quota? Is there enough quota? XQL: Identify SAP NetWeaver Instances XQL: Identify SAP NetWeav... Remediation Remediation Mitigation Mitigation Analysis Resolution - Should continue with the investigation? Analysis Resolution - Sho... Done Done Investigate Further Investigate Further Close investigation - closeInvestigation Close investigation closeInvestigation Resolution Resolution Are there any compromised hosts? Are there any compromised... WebShell XQL Hunt WebShell XQL Hunt XQL Query - Search possible webshells - xdr-xql-generic-query XQL Query - Search possib... xdr-xql-generic-query Is the integration of 'XQL Query Engine' available? - IsIntegrationAvailable Is the integration of 'XQ... IsIntegrationAvailable Check XQL quota - xdr-xql-get-quota Check XQL quota xdr-xql-get-quota Is there enough quota? Is there enough quota? Manual – Search webshells using XQL query and quarantine the files Manual – Search webshells... Potential Webshells via Script Potential Webshells via S... Mitigation Actions Mitigation Actions Get script results - xdr-get-script-execution-results Get script results xdr-get-script-execution-results Extract the script's potential files - SetAndHandleEmpty Extract the script's pote... SetAndHandleEmpty Set agent IDs to incident context - setIncident Set agent IDs to incident... setIncident Are there any potential webshells found? Are there any potential w... Set potential files paths - SetAndHandleEmpty Set potential files paths SetAndHandleEmpty Manual Action - Quarantine Manual Action - Quarantine Is there a file path? Is there a file path? Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Any results from threat hunting? Any results from threat h... Review threat hunting results Review threat hunting res... Any results from the manual XQL? Any results from the manu... Set agent IDs to incident context - setIncident Set agent IDs to incident... setIncident Get alert's extra data - xdr-get-cloud-original-alerts Get alert's extra data xdr-get-cloud-original-alerts Check for any other files in that directory - xdr-script-commands-execute Check for any other files... xdr-script-commands-execute Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Collect Indicators Collect Indicators Collect indicators from Unit42 blog - ParseHTMLIndicators Collect indicators from U... ParseHTMLIndicators Extract indicators from data collected - extractIndicators Extract indicators from d... extractIndicators Tag and Link Indicators Tag and Link Indicators Tag IP indicators - createNewIndicator Tag IP indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Extract Indicators Extract Indicators Link indicators to alert - associateIndicatorsToIncident Link indicators to alert associateIndicatorsToIncident Tag File indicators - createNewIndicator Tag File indicators createNewIndicator Tag Domain indicators - createNewIndicator Tag Domain indicators createNewIndicator Threat Hunting Threat Hunting PANW PANW Search logs for related sessions - Panorama Query Logs Search logs for related s... Panorama Query Logs Panorama Panorama SIEM SIEM Download Sigma - Potential Java webshell uploads - http Download Sigma - Potenti... http Collect Detection Rules Collect Detection Rules Download Sigma - Potential command execution via webshell - http Download Sigma - Potentia... http CVE Exploitation CVE Exploitation Search CVE Exploitation alerts - SearchIncidentsV2 Search CVE Exploitation a... SearchIncidentsV2 Found CVE Exploitation alerts? Found CVE Exploitation al... Set agent ID to incident context - setIncident Set agent ID to incident ... setIncident