Cisco Systems Inc.

09/03/2025 | News release | Distributed by Public on 09/03/2025 06:18

Black Hat Investigation: Attempted Exploitation of Registration Server

Background: The Unique Landscape of the Black Hat NOC

Operating the Black Hat Security and Network Operations Center (NOC) presents a unique set of challenges and expectations. Unlike a typical corporate environment where any hacking activity is immediately deemed malicious, the Black Hat conference is a nexus for cybersecurity research, training, and ethical hacking. Consequently, we anticipate and even expect a significant volume of activity that, in other contexts, would be considered highly suspicious or outright hostile. This includes various forms of scanning, exploitation attempts, and other adversarial simulations, often conducted as part of official trainings or independent research.

Adding to this complexity is the Bring Your Own Device (BYOD) nature of the conference network. Attendees connect a wide array of personal devices, making traditional endpoint telemetry (like EDR solutions) a significant challenge for comprehensive monitoring. As such, our primary focus was on robust network-based telemetry for detection and threat hunting.

Investigation Workflow: A Multi-Tool Approach to Rapid Response

Phase 1: Attack Triage With Cisco XDR

The Cisco XDR analytics incident provided the initial alert and connection flows, giving us immediate visibility into this attempted intrusion activity from an external malicious source to our conference registration server and mapping it to MITRE ATT&CK.

The XDR incident indicated an access attempt against the registration server that matched the intrusion rule "SAP NetWeaver Visual Composer metauploader access attempt". The activity was mapped to MITRE ATT&CK tactic TA0001: Initial Access and techniques T1189: Drive-by Compromise and T1190: Exploit Public-Facing Application.

Cyber Threat Intelligence

Looking deeper into the alert from Cisco Firepower Management Center (FMC) in XDR, we can see that the attempted intrusion was an access event over port 443. The alert is classified as high priority. The external source IP was classified with a malicious disposition by Cisco XDR Global Threat Intelligence and suspicious by Cisco Talos.

Phase 2: Traffic and Alert Analysis With Cisco Firepower Management Console (FMC)

We utilized Cisco FMC to dive deeper into the associated alert and packet information from the traffic.

Fig. 1: Cisco FMC intrusion alert and traffic analysis

The following details were particularly notable:

  • The intrusion alert was classified as high priority and categorized as Attempted Administrator Privilege Gain.
  • The traffic was TCP and HTTPS to port 443.
  • The request was a GET request to the URI path /developmentserver/metauploader.
  • The user agent included zgrab/0.x.

Researching this user agent, ZGrab, showed that it is an application-layer scanner used for internet-wide scanning and penetration testing; ZGrab is part of the wider ZMap suite of tools. This provided further validation that this was a malicious intrusion attempt against our registration server.

Phase 3: Vulnerability Analysis

We did further research into the alert from FMC and found that it correlated with vulnerability CVE-2025-31324.

This vulnerability is known to be exploited in the wild, as confirmed by CISA, and is classified as Critical with a CVSS score of 9.8 by the National Vulnerability Database (NVD). It is also notable that the vulnerability was published very recently, on April 4th, 2025.

Successful exploitation of the vulnerability allows an unauthenticated attacker to upload arbitrary malicious code to the target system.

Phase 4: Risk Analysis and Mitigation

As a final step we reached out to the Black Hat engineering team to inquire if the registration server was vulnerable to CVE-2025-31324.

Specifically, we inquired:

  1. Does the registration server leverage SAP NetWeaver?
  2. Does the following resource path exist on the endpoint?
Resource path

We confirmed that neither of these criteria was met, and hence the Black Hat registration server was not vulnerable to CVE-2025-31324.

Resolution

The investigation for this Cisco XDR incident was closed, as the registration server was not found to be vulnerable to the attempted exploitation. Since the registration website is a critical asset and is public facing, we expect to see scanning activity and malicious access attempts against it. We continued to remain vigilant for the remainder of the conference.

Key Takeaways

  1. Rapid, Multi-Tool Investigation Enhances Response
    Using Cisco XDR and Cisco FMC together enabled swift detection, detailed analysis, and actionable insights, ensuring a well-coordinated and effective response to suspicious activity.
  2. Asset Awareness and Stakeholder Engagement Are Critical
    Understanding your environment and confirming technical details with engineering teams prevents false alarms and unnecessary remediation. Engaging stakeholders early ensures accurate risk assessment and efficient resolution.
  3. Continuous Vigilance for Critical Public Assets
    Even after ruling out immediate threats or vulnerabilities, ongoing monitoring and investigation are essential to safeguard public-facing, high-value systems against persistent scanning and exploitation attempts.

About Black Hat

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.

We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

