
Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment


CVE-2025-31324 Zero-Day SAP Vulnerability & Compromise Assessment Tool

Joint Release by Onapsis & Mandiant

Onapsis and Mandiant have collaborated to release an open-source tool to assist SAP customers in identifying potential compromise related to CVE-2025-31324 and CVE-2025-42999, a critical 0-day vulnerability in SAP NetWeaver Java systems.

This tool is intended for local, white-box execution by system administrators with access to potentially affected environments. It supports vulnerability assessment, simple compromise assessment and artifact collection.

Features

This tool currently supports the following functionality:

  • Detects whether the system is vulnerable to CVE-2025-31324 and CVE-2025-42999
  • Identifies known Indicators of Compromise (IOCs)
  • Scans for unknown web-executable files in known exploit paths
  • Collects suspicious files into a structured ZIP archive with a manifest for future forensic analysis
  • Analyzes HTTP access logs for potential exploit and post-exploit activity
  • Analyzes Java Default Trace logs for exploitation activity
  • Exports log entries for matching responses in a CSV

LICENSE INFORMATION: This tool is released under the Apache 2.0 open source license. Please see bundled license information.

DISCLAIMER: This tool was developed to support urgent investigation and response efforts related to the active exploitation of CVE-2025-31324 and CVE-2025-42999. As of June 6, 2025, this tool is no longer under active development or monitoring. It remains available for future debugging and reference purposes; however, it will not receive further updates, enhancements, or ongoing support. Users should evaluate its applicability based on their current needs and use it at their own discretion.

This tool automates checking for vulnerability and IOC information on a live OS, running with the permissions of the user executing the script. This is NOT a substitute for forensic analysis or advanced incident response. Sophisticated attackers often clean up evidence of their intrusion while deploying rootkits and leveraging techniques to evade detection.

This tool is provided as-is, without warranty or liability. Use at your own risk.

Installation and Prerequisites

The scripts are developed in Python 3 and require you to install the following dependencies:

python3 -m venv .venv 
. .venv/bin/activate
pip install -r requirements.txt

Usage

Once you install the dependencies, you can use Python to run the scripts and get help from the command line.

# Syntax: python3 <tool_name>.py <path> [--single] [--offline]

Scan Parameters:

  • <path> --- Refers to the root directory of the SAP application file system you want to scan. This should be the base of the SAP system, either from a mounted backup or a live environment.
  • --single --- Run a scan for an individual SID/instance directory (not the root or base SAP directory containing multiple systems or instances)
  • --offline --- Run without an internet connection (no upgrade check against the GitHub API)

For a full list of command line options and flags use the --help parameter.

Important

This tool scans for files under the Java server file system as specified in SAP Security Note 3593336:

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

If the path given is the root of a live file system (for example / or C:\), the tool expects the standard SAP installation directory /usr/sap to be present. It will then scan all <SID>/<INSTANCE>/ sub-directories by default (using wildcards).

If doing a partial scan, use --single and specify the full path to the instance folder that contains the j2ee SAP Java directory.

Caution

This design is intended to scan all possible suspicious files in all SIDs/instances while avoiding false detection of familiar files. Any file outside this standard folder structure will not be detected, and an error will be raised if the j2ee sub-directory is not found.

The component manifest is also expected to be in the standard j2ee/cluster/apps/sap.com/devserver_metadataupload_ear/ sub-directory. If it is not found, it will not be analyzed against vulnerable unpatched versions.

The expected log path is j2ee/cluster/<SERVER>/log/system/httpaccess/, with files named responses* and a .trc extension for the SAP proprietary log format. A -clf suffix is expected for Common Log Format files. If these are not found, an error/warning message will be raised.
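The directory conventions above (SID/instance discovery under usr/sap, the three irj exploit paths, the manifest location, and the error when j2ee is missing) as an added Python example; this is not the tool's own code, and KNOWN_GOOD_SHA256, build_sample_tree and the mock directory tree are constructed assumptions:

```python
"""Locate the SAP NetWeaver Java directories named in this README under a scan
root and list web-executable files found there with SHA-256 hashes.
Added example; KNOWN_GOOD_SHA256 is a constructed placeholder, not the tool's."""
import hashlib
import tempfile
from pathlib import Path

IRJ_BASE = Path("j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj")
EXPLOIT_SUBDIRS = ("root", "work", "work/sync")   # the three paths from SAP Note 3593336
MANIFEST_DIR = Path("j2ee/cluster/apps/sap.com/devserver_metadataupload_ear")
WEB_EXEC_EXT = {".jsp", ".java", ".class"}        # file types seen in the README output
KNOWN_GOOD_SHA256 = set()                          # constructed placeholder allowlist

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def instance_dirs(scan_root, single=False):
    """--single: scan_root is one <SID>/<INSTANCE>; otherwise glob usr/sap/*/* like the tool."""
    scan_root = Path(scan_root)
    return [scan_root] if single else sorted(p for p in scan_root.glob("usr/sap/*/*") if p.is_dir())

def scan_instance(inst):
    """Return (unfamiliar web-executable files, manifest path); raise if j2ee is missing."""
    inst = Path(inst)
    if not (inst / "j2ee").is_dir():
        raise FileNotFoundError(f"no j2ee sub-directory under {inst}")
    findings = []
    for sub in EXPLOIT_SUBDIRS:
        d = inst / IRJ_BASE / sub
        for f in (d.iterdir() if d.is_dir() else []):   # direct children; sub-dirs are listed explicitly
            if f.is_file() and f.suffix.lower() in WEB_EXEC_EXT:
                digest = sha256_of(f)
                if digest not in KNOWN_GOOD_SHA256:
                    findings.append((f.relative_to(inst).as_posix(), digest))
    mf = sorted((inst / MANIFEST_DIR).rglob("MANIFEST.MF")) if (inst / MANIFEST_DIR).is_dir() else []
    return findings, (mf[0] if mf else None)

def build_sample_tree():
    """Constructed mock of a mounted backup: one SID/instance with a dropped JSP and class file."""
    root = Path(tempfile.mkdtemp())
    inst = root / "usr/sap/SID/J00"
    for sub in ("root", "work/sync"):
        (inst / IRJ_BASE / sub).mkdir(parents=True)
    (inst / IRJ_BASE / "root/helper.jsp").write_text("<% /* constructed sample */ %>")
    (inst / IRJ_BASE / "root/index.html").write_text("<html></html>")   # not web-executable
    (inst / IRJ_BASE / "work/sync/JEE_jsp_sample.class").write_bytes(b"\xca\xfe\xba\xbe")
    (inst / MANIFEST_DIR / "META-INF").mkdir(parents=True)
    (inst / MANIFEST_DIR / "META-INF/MANIFEST.MF").write_text("Manifest-Version: 1.0\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for inst in instance_dirs(root):
        print(inst, *scan_instance(inst), sep="\n  ")
```

Passing a real mount point (for example /mnt/sapserver) to instance_dirs mirrors the tool's default wildcard scan; pass single=True with the instance path to mirror --single.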

Tool Output

Linux example 1

Mounted filesystem at /mnt/sapserver (component vulnerable, single instance scan for SID J00):

python3 onapsis-mandiant-CVE-2025-31324-vuln-compromise-assessment.py /mnt/sapserver/usr/sap/SID/J00 --single

[INFO] Found component at: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/devserver_metadataupload_ear/servlet_jsp/developmentserver/root/META-INF/MANIFEST.MF, checking CVE-2025-31324... for CVE-2025-31324
[CRITICAL] Known vulnerable component version found: 7.5028.20230722071537.0000 for CVE-2025-31324
[INFO] Found component at: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/devserver_metadataupload_ear/servlet_jsp/developmentserver/root/META-INF/MANIFEST.MF, checking CVE-2025-31324... for CVE-2025-42999
[CRITICAL] Known vulnerable component version found: 7.5028.20230722071537.0000 for CVE-2025-42999
[CRITICAL] Found known IoC file signature: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[WARNING] Found suspicious unfamiliar file: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/JEE_jsp_some-name_timestamp.java: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[WARNING] Found suspicious unfamiliar file: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync/JEE_jsp_some-name_timestamp.class: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[INFO] Found log file at: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/server0/log/system/httpaccess/responses_00.3.trc
[WARNING] Exploit attempt detected: [Apr 24, 2025 10:00:22 AM ] - 127.0.0.1 : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200 271 [12]
[CRITICAL] Web executable access detected: [Apr 26, 2025 10:32:57 PM ] - 127.0.0.1 : GET /irj/helper.jsp HTTP/1.1 200 243 [6480]
[NOTICE] Web executable attempt detected: [Apr 26, 2025 10:59:12 PM ] - 127.0.0.1 : GET /irj/helper2.jsp HTTP/1.1 200 243 [169]
[NOTICE] Web executable attempt detected: [Apr 26, 2025 11:06:39 PM ] - 127.0.0.1 : GET /irj/nzwcnktc.jsp HTTP/1.1 404 738 [2]
[CRITICAL] Web executable access detected: [Apr 30, 2025 1:50:04 PM  ] - 127.0.0.1 : GET /irj/cache.jsp HTTP/1.1 200 13 [185]
[INFO] Log entries successfully saved to /tmp/exploit_attempts_20250506194404.csv
[INFO] Log entries successfully saved to /tmp/webshell_access_20250506194404.csv
[INFO] Found trace file at: /mnt/sapserver/usr/sap/SID/J00/j2ee/cluster/server0/log/defaultTrace_00.4.trc
[CRITICAL] Exploitation detected on 2025 05 05 07:29:23:415 in sap.com/devserver_metadataupload_ear at log_id D000D0B7A02655210000000100005003
[CRITICAL] Exploitation detected on 2025 05 05 07:29:23:415 in sap.com/devserver_metadataupload_ear at log_id D000D0B7A02655250000000100005003
[CRITICAL] Exploitation detected on 2025 05 05 07:29:47:926 in sap.com/devserver_metadataupload_ear at log_id D000D0B7A02655290000000100005003
[INFO] Log entries successfully saved to /app/trace_events_20250508230113.csv
[INFO] Created evidence archive package at: /tmp/tmpvpfy4nhf.zip
==============================================================================
[CRITICAL] Unpatched VCFRAMEWORK Component found: Vulnerable Version Present

Detected component version: 7.5028.20230722071537.0000
...

------------------------------------------------------------------------------
[ALERT] Critical Indicator of Compromise Detected: IOC Signature Match Found
...
Detected IOC:
- helper.jsp
...
------------------------------------------------------------------------------
[CRITICAL] Web-Executable Artifacts Detected in Exploitable Locations
...
Detected Artifacts: [See attached ZIP archive for full file list and paths]
- JEE_jsp_some-name_timestamp.class
- JEE_jsp_some-name_timestamp.java
...
------------------------------------------------------------------------------
[WARNING] Potential Exploit Activity Detected
...
Pattern Matched:
/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1
...
------------------------------------------------------------------------------
[CRITICAL] Web Executable Access Detected - Potential Post-Exploitation
Activity
...
Matched Files: [Listed in export]
- cache.jsp
- helper.jsp
- helper2.jsp
...
------------------------------------------------------------------------------
[CRITICAL] Exploitation Activity detected in Java Default Trace log
...
Exported Log File: /app/trace_events_20250508230113.csv
------------------------------------------------------------------------------
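The access-log analysis shown in the output above, as an added Python example that parses the SAP responses*.trc line shape and flags the two request patterns the tool reports (the metadatauploader POST and JSP requests under /irj/). This is not the tool's own code: the classification rules (200 means access, anything else an attempt) are a simplified assumption, and the sample lines are constructed after the README's example output.

```python
"""Parse SAP NetWeaver 'responses*.trc' HTTP access log lines (format as shown in
this README's example output) and flag entries matching the reported exploit paths.
Added example; the classification rules are a simplified assumption, not the tool's."""
import csv
import io
import re

# Line shape taken from the README's example output.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?)\s*\]\s+-\s+(?P<ip>\S+)\s+:\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)\s+\[(?P<dur>\d+)\]"
)
UPLOADER_PATH = "/developmentserver/metadatauploader"           # vulnerable endpoint named in the README
WEBEXEC_RE = re.compile(r"^/irj/[^/?]+\.jsp$", re.IGNORECASE)   # JSP under the irj root exploit path

def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["url"].split("?", 1)[0]   # drop the query string before matching
    return rec

def classify(rec):
    """Return a finding label, or None for benign traffic (assumed rules)."""
    if rec["method"] == "POST" and rec["path"] == UPLOADER_PATH:
        return "exploit_attempt"
    if rec["method"] == "GET" and WEBEXEC_RE.match(rec["path"]):
        return "webexec_access" if rec["status"] == 200 else "webexec_attempt"
    return None

def scan_log(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and (label := classify(rec)):
            findings.append({"label": label, **rec})
    return findings

def to_csv(findings):
    """Export matches the way the tool writes its CSV files (column choice assumed)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["label", "ts", "ip", "method", "url", "status", "size", "dur"],
                       extrasaction="ignore")
    w.writeheader()
    w.writerows(findings)
    return buf.getvalue()

# Constructed sample lines, shaped after the README's example output.
SAMPLE = [
    "[Apr 24, 2025 10:00:22 AM ] - 127.0.0.1 : POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1 200 271 [12]",
    "[Apr 24, 2025 10:00:30 AM ] - 127.0.0.1 : GET /irj/portal HTTP/1.1 200 5120 [40]",
    "[Apr 26, 2025 10:32:57 PM ] - 127.0.0.1 : GET /irj/helper.jsp HTTP/1.1 200 243 [6480]",
    "[Apr 26, 2025 11:06:39 PM ] - 127.0.0.1 : GET /irj/nzwcnktc.jsp HTTP/1.1 404 738 [2]",
]

if __name__ == "__main__":
    print(to_csv(scan_log(SAMPLE)))
```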

Linux example 2

Live filesystem at / (component patched, not vulnerable):

./onapsis-mandiant-CVE-2025-31324-vuln-compromise-assessment /

[INFO] Found component at: /usr/sap/SID/J00/j2ee/cluster/apps/sap.com/devserver_metadataupload_ear/servlet_jsp/developmentserver/root/META-INF/MANIFEST.MF, checking CVE-2025-31324...
[INFO] Component found but version is patched: 7.5031.20250418122224.0000 for CVE-2025-31324
[INFO] Found component at: /usr/sap/SID/J00/j2ee/cluster/apps/sap.com/devserver_metadataupload_ear/servlet_jsp/developmentserver/root/META-INF/MANIFEST.MF, checking CVE-2025-42999...
[CRITICAL] Known vulnerable component version found: 7.5031.20250418122224.0000 for CVE-2025-42999
[INFO] No suspicious files founds
[INFO] Found log file at: /usr/sap/SID/J00/j2ee/cluster/server0/log/system/httpaccess/responses_00.0.trc
[INFO] No exploit attempts detected
[INFO] No executable access detected
[INFO] Found trace file at: /usr/sap/SID/J00/j2ee/cluster/server0/log/defaultTrace_00.1.trc
[INFO] Found trace file at: /usr/sap/SID/J00/j2ee/cluster/server0/log/defaultTrace_00.4.trc
[INFO] Found trace file at: /usr/sap/SID/J00/j2ee/cluster/server0/log/defaultTrace_00.3.trc

==============================================================================
[OK] No Indicators of Compromise Detected
...
[OK] No Web-Executable Artifacts Detected in Exploitable Locations
...
[OK] No Exploit Attempts Detected in Access Logs
...
[OK] No Access to Post-Exploit Artifacts Detected
...

[OK] No Exploitation Activity detected in Java Default Trace Logs

Windows example

Live filesystem at C:\ (component not installed, not vulnerable):

onapsis-mandiant-CVE-2025-31324-vuln-compromise-assessment.exe C:\

[INFO] Component not found for CVE-2025-31324
[INFO] Component not found for CVE-2025-42999
[INFO] No suspicious files founds
[WARNING] No log folders found!
==============================================================================
[OK] No Indicators of Compromise Detected
...
[OK] No Web-Executable Artifacts Detected in Exploitable Locations
...
[WARNING] The HTTP Access log folder does not appear to be present at the
expected path: j2ee/cluster/*/log/system/httpaccess/
...
[WARNING] The Java Default Trace log folder at: j2ee/cluster/*/log/ is present
but contains no files.

Additional Resources

For additional information about CVE-2025-31324/CVE-2025-42999, the 0-day campaign that targeted them, and all current research please refer to:

For more information about how Onapsis can help your enterprise identify and address this vulnerability contact [email protected]

For more information about how Mandiant can help your enterprise perform forensic analysis and respond to an incident contact [email protected]