Protecting Against SAP NetWeaver Vulnerability (CVE-2025-31324) with HAProxy

What's Happening

A critical vulnerability in SAP NetWeaver (CVE-2025-31324) is currently being exploited in the wild. Disclosed on April 24, 2025, this vulnerability has the highest possible CVSS score of 10.0, indicating severe risk.

The vulnerability affects SAP NetWeaver Application Server Java's Visual Composer Framework (version 7.50), allowing unauthenticated attackers to upload arbitrary files to NetWeaver servers. This can lead to remote code execution and complete system compromise.

How the Attack Works

The vulnerability exists because of a missing authorization check in the /developmentserver/metadatauploader endpoint. Attackers can:

  1. Send specially crafted HTTP requests to this endpoint without authentication

  2. Upload malicious files (typically JSP web shells) to the server

  3. Execute these web shells to gain command execution with the privileges of the SAP application server process

  4. Achieve persistent access and deploy additional malicious tools

According to Palo Alto Networks' Unit 42, attackers are actively exploiting this vulnerability to deploy web shells named helper.jsp, cache.jsp, and ran.jsp. After gaining initial access, they conduct reconnaissance and deploy more sophisticated tools like GOREVERSE (a reverse shell tool) and SSH SOCKS proxies.

Protecting Your Systems with HAProxy

If you're using HAProxy in front of SAP NetWeaver systems, you can implement an immediate mitigation while waiting for official patches. Here's a simple configuration that will block the exploit:

# Match both POST and PUT methods that could be used for uploads
acl is_upload method POST PUT
acl is_sap_uploader path -m beg /developmentserver/metadatauploader
# Block the requests
http-request deny deny_status 403 if is_upload is_sap_uploader

Add this configuration to the HAProxy frontend section that handles SAP NetWeaver traffic.

Enhanced Logging Rules

For more comprehensive visibility, consider these additional rules:

# Log blocked attempts (optional)
http-request capture req.hdr(host) len 50 if is_upload is_sap_uploader
http-request capture req.hdr(user-agent) len 100 if is_upload is_sap_uploader

Place these capture rules before the http-request deny rule: HAProxy evaluates http-request rules in order and stops at the deny, so captures placed after it never run. With option httplog, the captured Host and User-Agent values appear inside the braces of each request's log line.

Additional Defensive Measures

While HAProxy can provide an immediate layer of protection, you should also:

  1. Apply official SAP patches as soon as possible

  2. Monitor network traffic for suspicious requests to the vulnerable endpoint

  3. Check your servers for signs of compromise, particularly looking for web shells and unusual processes

  4. Review logs for suspicious activity, especially requests to /developmentserver/metadatauploader

  5. Consider implementing network segmentation to limit access to SAP systems
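An added log-triage script (an illustration for this post, not code from HAProxy or from the original article) that applies steps 2 and 4 to HAProxy's default option httplog output: it flags POST/PUT requests to the vulnerable endpoint, separates those the deny rule stopped (status 403, termination state PR--, no server selected) from those that reached SAP, and flags requests for the web shell names reported by Unit 42. The frontend and backend names, client addresses and log lines are constructed samples.

```python
import re

# Constructed HAProxy "option httplog" lines (sample data, not real traffic).
# Line 3 is what the post's deny rule produces: 403, <NOSRV>, termination PR--.
SAMPLE_LOG = """\
10.0.0.5:51234 [25/Apr/2025:10:15:32.123] sap_fe sap_be/sap1 0/0/1/12/13 200 2450 - - ---- 3/3/1/1/0 0/0 {sap.example.com|Mozilla/5.0} "GET /irj/portal HTTP/1.1"
203.0.113.7:40001 [25/Apr/2025:10:16:01.004] sap_fe sap_be/sap1 0/0/1/30/31 200 512 - - ---- 4/4/2/1/0 0/0 {sap.example.com|curl/8.0} "POST /developmentserver/metadatauploader?dummy=1 HTTP/1.1"
203.0.113.7:40002 [25/Apr/2025:10:16:09.510] sap_fe sap_fe/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 4/4/0/0/0 0/0 {sap.example.com|curl/8.0} "POST /developmentserver/metadatauploader HTTP/1.1"
203.0.113.7:40003 [25/Apr/2025:10:17:45.002] sap_fe sap_be/sap1 0/0/1/8/9 200 310 - - ---- 4/4/1/1/0 0/0 {sap.example.com|curl/8.0} "GET /irj/helper.jsp HTTP/1.1"
"""

# Default httplog layout; the {...} header captures are optional.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>\S+) (?P<timers>\S+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) \S+ \S+'
    r'(?: \{(?P<req_hdrs>[^}]*)\})?(?: \{(?P<resp_hdrs>[^}]*)\})? "(?P<request>[^"]*)"$'
)
VULN_PREFIX = "/developmentserver/metadatauploader"
UPLOAD_METHODS = {"POST", "PUT"}
SHELL_NAMES = {"helper.jsp", "cache.jsp", "ran.jsp"}  # names reported by Unit 42

def parse_line(line):
    """Parse one httplog line into a dict; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""  # drop query string
    return rec

def triage(line):
    """Return 'blocked', 'reached_backend', 'webshell_name', or None when nothing matches."""
    rec = parse_line(line)
    if rec is None:
        return None
    if rec["method"] in UPLOAD_METHODS and rec["path"].startswith(VULN_PREFIX):
        if rec["status"] == "403" and rec["term"].startswith("PR"):
            return "blocked"          # the HAProxy deny rule refused the upload
        return "reached_backend"      # SAP saw the upload: check that host for compromise
    if rec["path"].rsplit("/", 1)[-1].lower() in SHELL_NAMES:
        return "webshell_name"        # a request for a file named like a known web shell
    return None

def scan(log_text):
    """Run triage over every line; returns [(client_ip, finding), ...] for hits only."""
    pairs = [(line.split(" ", 1)[0].rsplit(":", 1)[0], triage(line)) for line in log_text.splitlines()]
    return [(ip, kind) for ip, kind in pairs if kind]
```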

Indicators of Compromise

According to Palo Alto Networks, watch for these signs of potential compromise:

  • Web shells named helper.jsp, cache.jsp, ran.jsp, or similar in web-accessible directories

  • Unexpected outbound connections to known C2 servers, including 47.97.42[.]177 and 45.76.93[.]60

  • Suspicious domains like ocr-freespace.oss-cn-beijing.aliyuncs[.]com and d-69b.pages[.]dev

  • Unexpected PowerShell or bash commands attempting to download and execute scripts

Enhanced Protection with HAProxy Enterprise and Fusion

While the configuration above works with any HAProxy deployment, HAProxy Enterprise provides additional layers of security that can help protect against this and other vulnerabilities:

  • Web Application Firewall (WAF): HAProxy Enterprise includes a built-in WAF that can detect and block suspicious payloads before they reach your SAP systems

  • Advanced ACLs: Create more sophisticated matching rules to identify malicious traffic patterns

  • Real-time monitoring: Get immediate alerts on blocked attack attempts

For organizations managing multiple HAProxy instances, HAProxy Fusion makes implementing these security fixes across your entire infrastructure efficient and straightforward:

  • Deploy configuration changes like these security rules to all your clusters simultaneously

  • Ensure consistent protection across your entire SAP ecosystem

  • Monitor attack attempts from a central dashboard

  • Validate that security rules are correctly implemented across all environments

These tools provide the multi-layered security approach needed to defend against sophisticated threats while simplifying security management.

Conclusion

This vulnerability highlights the importance of defense in depth. While patching is the ultimate solution, HAProxy provides a quick and effective way to mitigate the risk while you work through your patching process.

Stay secure, and remember that this simple HAProxy configuration could save your SAP systems from compromise.


For more information, refer to the official SAP security advisory and the detailed threat brief from Palo Alto Networks.
