{
  "name": "Threat Brief: CVE-2025-31324",
  "slug": "threat-brief-cve-2025-31324",
  "description": "CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployments. following the public disclosure of this vulnerability, PaloAlto saw a variety of attacks exploiting this vulnerability and attempting to send different payloads to the server.",
  "published": "2025-05-12T05:05:31+00:00",
  "created_at": "2025-05-12T05:05:31+00:00",
  "modified_at": "2025-05-12T05:17:28+00:00",
  "created_at_opencti": "2025-05-12T05:05:31+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-12",
    "alliance",
    "april",
    "attempted get",
    "cve202531324",
    "goreverse",
    "hosting",
    "http",
    "ipv4 address",
    "sap netweaver",
    "sha256 hash",
    "suspected web",
    "test",
    "visual composer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "85.106.113.168"
      },
      {
        "id": "",
        "name": "65.49.235.210"
      },
      {
        "id": "",
        "name": "47.97.42.177"
      },
      {
        "id": "",
        "name": "45.76.93.60"
      },
      {
        "id": "",
        "name": "31.192.107.157"
      },
      {
        "id": "",
        "name": "192.3.153.18"
      },
      {
        "id": "",
        "name": "158.247.224.100"
      },
      {
        "id": "",
        "name": "138.68.61.82"
      },
      {
        "id": "",
        "name": "108.171.195.163"
      },
      {
        "id": "",
        "name": "107.173.135.116"
      },
      {
        "id": "",
        "name": "103.207.14.195"
      },
      {
        "id": "",
        "name": "101.99.91.107"
      },
      {
        "id": "",
        "name": "101.32.26.154"
      },
      {
        "id": "",
        "name": "223.184.254.150"
      },
      {
        "id": "",
        "name": "206.188.197.52"
      },
      {
        "id": "",
        "name": "101.32.26.15"
      },
      {
        "id": "",
        "name": "51.79.66.183"
      },
      {
        "id": "",
        "name": "205.169.39.55"
      },
      {
        "id": "",
        "name": "https://overseas-recognized-athens-oakland.trycloudflare.com/v2.js"
      },
      {
        "id": "",
        "name": "http://65.49.235.210/download/2.jpg"
      },
      {
        "id": "",
        "name": "http://47.97.42.177:3232"
      },
      {
        "id": "",
        "name": "http://31.192.107.157:38205/ReportQueue.exe"
      },
      {
        "id": "",
        "name": "http://138.68.61.82/4544"
      },
      {
        "id": "",
        "name": "http://108.171.195.163:8000/$FILE_NAME$.txt"
      },
      {
        "id": "",
        "name": "http://158.247.224.100:38205/EACA38DB.tmp"
      },
      {
        "id": "",
        "name": "http://101.32.26.154/rymhNszS/ansgdhs.bat"
      },
      {
        "id": "",
        "name": "overseas-recognized-athens-oakland.trycloudflare.com"
      },
      {
        "id": "",
        "name": "df492597eb412c94155a7f437f593aed89cfec2f1f149eb65174c6201be69049"
      },
      {
        "id": "",
        "name": "c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28"
      },
      {
        "id": "",
        "name": "b9ef95ca541d3e05a6285411005f5fee15495251041f78e715234b09d019b92c"
      },
      {
        "id": "",
        "name": "b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee"
      },
      {
        "id": "",
        "name": "9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d"
      },
      {
        "id": "",
        "name": "888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef"
      },
      {
        "id": "",
        "name": "7aab6ec707988ff3eec37f670b6bb0e0ddd02cc0093ead78eb714abded4d4a79"
      },
      {
        "id": "",
        "name": "6c6c984727dc53af110ed08ec8b15092facb924c8ad62e86ec76b52a00a41a40"
      },
      {
        "id": "",
        "name": "5a8ddc779dcf124fe5692d15be44346fb6d742322acb0eb3c6b4e90f581c5f9e"
      },
      {
        "id": "",
        "name": "69bb809b3fee09ed3ec9138f7566cc867bd6f1e8949b5e3daff21d451c533d75"
      },
      {
        "id": "",
        "name": "598b38f44564565e0e76aa604f915ad88a20a8d5b5827151e681c8866b7ea8b0"
      },
      {
        "id": "",
        "name": "5919f2eab8a826d7ba84e6c413626f5d11ed412d7df0d3ab864f31d3a8db3763"
      },
      {
        "id": "",
        "name": "4b17beee8c2d94cf8e40efc100651d70d046f5c14a027cf97d845dc839e423f9"
      },
      {
        "id": "",
        "name": "427877aadd89f427e1815007998d9bb88309c548951a92a6e4064df001e327c2"
      },
      {
        "id": "",
        "name": "3f5fd4b23126cb21d1007b479954af619a16b0963a51f45cc32a8611e8e845b5"
      },
      {
        "id": "",
        "name": "2e6f348f8296f4e062c397d2f3708ca6fdeab2c71edfd130b2ca4c935e53c0d3"
      },
      {
        "id": "",
        "name": "1abf922a8228fd439a72cfddf1ed08ea09b59eaa4ae5eeba1d322d5f3e3c97e8"
      }
    ],
    "attack_patterns": [
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-31324"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/",
    "https://otx.alienvault.com/pulse/68219dbcc29dafb76bee4224"
  ]
}