US CISA adds SAP NetWeaver vulnerability to the Known Exploited Vulnerabilities catalog: zero-day attacks observed, full patching is urgent

Published 2025-04-30 on blog.billows.com.tw (https://blog.billows.com.tw/?p=3686). Tags: news, patch.

The US Cybersecurity and Infrastructure Security Agency (CISA) has formally added a high-risk SAP NetWeaver vulnerability, CVE-2025-31324 (https://www.cve.org/CVERecord?id=CVE-2025-31324), to its Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-adds-one-known-exploited-vulnerability-catalog).

The flaw was disclosed by researchers last week as a zero-day. It carries the maximum CVSS score of 10.0 and has been confirmed as exploited in the wild. Thousands of SAP application systems exposed directly to the internet worldwide are at significant risk.

The vulnerability lies in the Visual Composer Metadata Uploader component of SAP NetWeaver. It stems from a missing authorization check, which lets an unauthenticated attacker (one holding no valid credentials) upload malicious executable files directly to the target system.

Once such a file is uploaded and executed, the attacker can take full control of the SAP environment. SAP released a fix for the issue as part of its April 2025 Security Patch Day.

Researchers at security vendor ReliaQuest (https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/) discovered the flaw while investigating several intrusions; in some of those cases the compromised systems had already applied the latest patches available at the time.

"On April 22, 2025, we published our investigation into attacks on SAP NetWeaver systems, which led to the discovery of this critical vulnerability, later confirmed by SAP as CVE-2025-31324 with a severity score of 10," the ReliaQuest report states. "Initially believed to be a remote file inclusion (RFI) issue, it was confirmed to be an unrestricted file upload vulnerability. SAP has since released a patch, and we strongly recommend applying it immediately."

The researchers note that because SAP systems are widely deployed by government agencies and large enterprises worldwide, they are a perennial high-value target. Before the vulnerability was made public, ReliaQuest reported it to SAP and deployed detections to strengthen protection for its customers.

In the observed attacks, the threat actors sent a crafted POST request to the Metadata Uploader to upload a malicious JSP webshell, then invoked it with a GET request for remote execution, gaining full control of the target system. The webshells were mostly dropped in the same root directory, offered similar functionality, and reused code from a publicly available remote code execution (RCE) project on GitHub.

"The vulnerability resides in the /developmentserver/metadatauploader endpoint, which was designed to handle metadata files for application development and configuration workflows in SAP NetWeaver environments," the report says. "In the incidents we investigated, attackers used carefully crafted POST requests to upload JSP webshells into the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ folder and executed them with simple GET requests, taking complete control of the system and turning this endpoint into a launchpad for attack."

The planted webshells (such as helper.jsp or cache.jsp) allow the attacker to run system commands, upload files, and establish persistent access. One variant even combined Brute Ratel with the Heaven's Gate technique to improve stealth and control, indicating an advanced operation aimed at full compromise and data theft.

Notably, in some cases several days elapsed between the initial intrusion and follow-on activity. ReliaQuest assesses that the attackers are most likely initial access brokers, who obtain footholds through VPN, RDP, or vulnerability exploitation and then sell them on to other threat actors.

"In one attack we observed, several days passed between obtaining initial access and follow-on operations, so we assess that the attacker is an initial access broker selling access to the victim organization on underground forums," the report states.

Although some of the victim systems had applied every patch available at the time, the attacks still succeeded, which led the researchers to suspect that an undisclosed RFI weakness was being exploited against internet-facing SAP NetWeaver servers. As the report's own summary above records, that weakness was subsequently confirmed by SAP as CVE-2025-31324 and reclassified as an unrestricted file upload. The statement below predates that confirmation, so "latest patches applied" there means patched before the CVE-2025-31324 fix was released, not after it.

"Based on the available evidence, we have high confidence that this attack involves an undisclosed remote file inclusion (RFI) vulnerability. We cannot yet confirm whether only specific versions are affected, but in multiple cases the victim servers had the latest patches applied," the report adds.

Under CISA's Binding Operational Directive 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities" (BOD 22-01), all Federal Civilian Executive Branch (FCEB) agencies must remediate vulnerabilities listed in the KEV catalog by the assigned deadline to protect against the associated attacks.

Security experts also strongly recommend that private-sector organizations regularly review the KEV catalog and assess and remediate any of the listed vulnerabilities present in their own infrastructure.

CISA requires federal agencies to complete remediation by May 20, 2025.
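The two-step chain the ReliaQuest report describes (an unauthenticated POST to /developmentserver/metadatauploader that drops a JSP, followed by a GET that runs it) can be hunted for retrospectively in web access logs and on disk. The following Python script is an added example written for this page; it is not ReliaQuest's or SAP's code. It assumes the HTTP access log is in NCSA common log format (SAP's ICM log format is configurable, so adjust the pattern to match your export), that files in the servletjsp/irj/root/ folder are served under the /irj/ URL prefix, and that the sample log lines, file names and the cmd= query parameter are constructed for the example rather than taken from real traffic.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Endpoint and webshell names are taken from the ReliaQuest report quoted above.
UPLOADER = "/developmentserver/metadatauploader"
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}
# Assumption: files in .../irj/servletjsp/irj/root/ are reachable under /irj/.
IRJ_PREFIX = "/irj/"

# Assumption: NCSA common log format. SAP ICM access-log formats are configurable,
# so adjust this pattern to match the log you actually export.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic for this example; not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:02:11:05 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Apr/2025:02:11:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.7 - - [24/Apr/2025:02:11:14 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87',
    '198.51.100.23 - - [24/Apr/2025:02:30:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.23 - - [24/Apr/2025:02:30:10 +0000] "GET /irj/cache.jsp HTTP/1.1" 404 0',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(lines):
    """Correlate the chain from the report: a POST to the uploader followed by a
    GET for a .jsp under /irj/ from the same source address.

    Returns {"chains": {ip: {"uploads": [timestamps], "shell_hits": [paths]}},
             "probes": [(ip, path, status), ...]}.
    "probes" lists GETs for the report's known shell names from any address,
    including 404s, which catch scanning even when the upload came from elsewhere.
    """
    per_ip = defaultdict(lambda: {"uploads": [], "shell_hits": []})
    probes = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == UPLOADER:
            per_ip[ip]["uploads"].append(rec["ts"])
        elif rec["method"] == "GET" and path.startswith(IRJ_PREFIX) and path.endswith(".jsp"):
            if path.rsplit("/", 1)[-1] in KNOWN_SHELLS:
                probes.append((ip, path, rec["status"]))
            if per_ip[ip]["uploads"]:  # only count shell hits that follow an upload
                per_ip[ip]["shell_hits"].append(path)
    chains = {ip: v for ip, v in per_ip.items() if v["uploads"]}
    return {"chains": chains, "probes": probes}


def find_unexpected_jsp(root_dir, allowlist=frozenset()):
    """List .jsp files directly under the servlet root that are not on the
    operator-supplied allowlist. Each entry is (name, is_known_shell_name)."""
    root = Path(root_dir)
    return [(p.name, p.name in KNOWN_SHELLS)
            for p in sorted(root.glob("*.jsp")) if p.name not in allowlist]


def demo_filesystem_check():
    """Build a throwaway directory with constructed files and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("index.jsp", "helper.jsp", "cache.jsp", "readme.txt", "x.jsp"):
            Path(d, name).write_text("<%-- constructed placeholder --%>")
        return find_unexpected_jsp(d, allowlist={"index.jsp"})


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    for ip, info in result["chains"].items():
        print(f"{ip}: {len(info['uploads'])} upload(s), shells hit: {info['shell_hits']}")
    for ip, path, status in result["probes"]:
        print(f"probe from {ip}: {path} -> {status}")
    print("unexpected .jsp in demo root:", demo_filesystem_check())
```

Run the log scan against exported access logs and the filesystem check against the real j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory on every instance, patched or not. A 404 for helper.jsp or cache.jsp from an address that never POSTed to the uploader is still a useful scanning indicator, and any .jsp in that root that your deployment did not put there deserves forensic review regardless of its name, since the report notes the shells were functionally similar copies of public code and could be renamed freely.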