
Threat actors are likely exploiting a newly discovered vulnerability in SAP NetWeaver to upload JSP web shells, which give them unauthorized file upload and arbitrary code execution on the affected hosts.
"The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest said in a report published this week.
The cybersecurity company said that the possibility of a zero-day stems from the fact that several of the impacted systems were already running the latest patches.
The flaw is assessed to be rooted in the "/developmentserver/
The lightweight JSP web shell is configured to upload unauthorized files, maintain persistent control of the infected hosts, execute remote code, and exfiltrate sensitive data.
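The upload-then-invoke pattern described above (an unauthenticated POST to an endpoint under /developmentserver/, followed shortly by the same client requesting a .jsp file the server never served before) is something a defender can correlate in web server access logs. The following is an added example, not code from ReliaQuest or SAP. It assumes Apache-style combined log lines; the sub-path "/developmentserver/upload" in the constructed sample is a placeholder, since this page does not give the full endpoint, and the 15-minute correlation window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). The "/developmentserver/upload"
# sub-path is a placeholder; the page only names the "/developmentserver/" prefix.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2025:10:01:03 +0000] "GET /irj/portal HTTP/1.1" 200 512
203.0.113.9 - - [28/Apr/2025:10:02:11 +0000] "POST /developmentserver/upload HTTP/1.1" 200 33
203.0.113.9 - - [28/Apr/2025:10:02:40 +0000] "GET /helper.jsp?cmd=whoami HTTP/1.1" 200 87
10.0.0.5 - - [28/Apr/2025:10:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024
"""

# Apache/NGINX combined log format (assumption about the deployment's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SUSPECT_PREFIX = "/developmentserver/"  # prefix named in the report
WINDOW = timedelta(minutes=15)          # assumption: how long after the POST we correlate


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_webshell_drops(log_text):
    """Return (client_ip, upload_path, jsp_path) tuples.

    A finding is a client that made a successful (2xx) POST under SUSPECT_PREFIX
    and then, within WINDOW, requested a .jsp it had never requested before:
    the classic sequence of dropping a web shell and calling it for the first time.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    seen_jsp = set()   # (ip, jsp_path) pairs already observed
    pending = {}       # ip -> (timestamp, path) of that client's latest suspect POST
    for r in records:
        if (r["method"] == "POST"
                and r["path_only"].startswith(SUSPECT_PREFIX)
                and r["status"].startswith("2")):
            pending[r["ip"]] = (r["ts"], r["path_only"])
            continue
        if r["path_only"].lower().endswith(".jsp"):
            key = (r["ip"], r["path_only"])
            upload = pending.get(r["ip"])
            if upload and r["ts"] - upload[0] <= WINDOW and key not in seen_jsp:
                findings.append((r["ip"], upload[1], r["path_only"]))
            seen_jsp.add(key)
    return findings


if __name__ == "__main__":
    for ip, upload_path, jsp in find_webshell_drops(SAMPLE_LOG):
        print(f"possible web shell drop: {ip} POST {upload_path} then GET {jsp}")
```

Run against the real access log of the SAP NetWeaver Java stack and pair any hit with a file system check for recently created .jsp files under the web application root; a 2xx on the POST from a client that never authenticated is the part worth alerting on even without a later .jsp request.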
In some incidents the attackers also deployed the Brute Ratel C4 post-exploitation framework and used Heaven's Gate, a well-known technique in which 32-bit code switches into 64-bit execution to slip past user-mode hooks placed by endpoint protection products.
In at least one case, the threat actors took several days to progress from successful initial access to follow-on exploitation, raising the possibility that the attacker is an initial access broker (IAB) that obtains access and sells it to other threat groups on underground forums.