Introduction
A newly discovered and actively exploited critical vulnerability in SAP NetWeaver has opened the door for sophisticated cyberattacks targeting vital infrastructure across the globe. This threat, primarily driven by China-linked nation-state actors, has already impacted systems in the UK, US, and Saudi Arabia. The flaw, known as CVE-2025-31324, enables remote code execution through unauthenticated file uploads—making it a high-value exploit for persistent and stealthy intrusion. With SAP systems deeply embedded in enterprise IT environments, this vulnerability puts essential services at serious risk if not patched immediately.
The Original Report
EclecticIQ researcher Arda Büyükkaya revealed that Chinese state-sponsored threat actors are exploiting CVE-2025-31324, a remote code execution vulnerability in SAP NetWeaver. This flaw allows attackers to upload files without authentication, leading to the deployment of malicious web shells.
Affected sectors include:
Natural gas distribution in the UK
Water and waste management utilities
US-based medical device manufacturers and oil & gas firms
Financial and investment ministries in Saudi Arabia
The campaign was uncovered after analyzing logs on attacker-controlled infrastructure (IP: 15.204.56[.]106), showing a massive compromise across SAP instances. Evidence revealed 581 backdoored SAP systems and a hitlist of 800 domains running SAP NetWeaver.
Attribution points to three Chinese APT groups:
UNC5221: Deployed KrustyLoader, a Rust-based loader for advanced payloads
UNC5174: Used SNOWLIGHT to deliver VShell and GOREVERSE
CL-STA-0048: Established interactive shells linked to previously known threat IPs
These groups used public-facing SAP systems as entry points and placed multiple persistent shells to maintain long-term access and control.
Further investigation uncovered an additional vulnerability, CVE-2025-42999, in the Visual Composer Metadata Uploader—a deserialization flaw with a CVSS score of 9.1. SAP responded with emergency patches in its May 2025 security update.
Onapsis, an SAP-focused security firm, confirms that multiple actors are now abusing these web shells, even after the original attackers have gone dark. They urge urgent patching of affected systems.
What Undercode Say:
This exploit campaign shows once again how unpatched enterprise software remains a goldmine for cyber espionage and sabotage operations. SAP NetWeaver, being integral to thousands of global corporations and government systems, presents an irresistible target for persistent threat actors.
What stands out in this case is the strategic targeting of critical infrastructure—a hallmark of nation-state operations. By compromising platforms used in energy, healthcare, and finance, attackers are not just after data—they aim for long-term access to sensitive ecosystems that could be leveraged in future geopolitical conflict or economic disruption.
The method of exploitation highlights a critical weakness in security hygiene: public exposure of essential enterprise apps. SAP NetWeaver, though powerful, becomes a liability when left exposed to the internet without proper hardening.
Interestingly, all three identified APT groups use custom-developed malware tailored for persistence and stealth. These are not smash-and-grab campaigns—they are designed for quiet infiltration, with the attackers maintaining access and even preparing for future operations by scanning additional targets.
It’s worth noting that after initial exploitation, other cybercriminals have joined the fray, weaponizing already-placed web shells. This demonstrates the secondary threat lifecycle: initial nation-state actors compromise a system, and then others exploit their leftover tools.
For enterprises, the warning is clear—patch immediately and audit your SAP systems. For governments, this is a red alert that Chinese APTs continue to map and penetrate critical digital infrastructure as part of long-term strategic cyber operations.
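A concrete way to act on the audit advice above, as an added example that is not part of the original report or of any SAP or vendor tooling: a small Python script that scans web-server access logs for the attacker IP quoted in the report, for POST requests to the metadata uploader endpoint (the unauthenticated upload primitive the flaw exposes), and for successful requests to JSP files outside an allowlist (how a dropped web shell gets used), and that separately lists recently modified JSP files on disk for review. The uploader path is a placeholder to be replaced with the exact URI from SAP's advisory, the log lines and the directory tree are constructed for the demonstration, and the allowlist and the 30-day age threshold are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# IoC taken from the report (printed there defanged as 15.204.56[.]106).
KNOWN_BAD_IPS = {"15.204.56.106"}

# ASSUMPTION: placeholder for the Visual Composer metadata uploader URI.
# Replace it with the exact path named in SAP's advisory for CVE-2025-31324.
UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"

# Combined log format: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def audit_access_log(lines, allowed_jsp=frozenset(), uploader_path=UPLOADER_PATH):
    """Return (rule, client_ip, path) findings, in log order.

    Rules:
      known-bad-ip   - any request from an IP in KNOWN_BAD_IPS
      uploader-post  - a POST to the uploader endpoint (the upload primitive abused here)
      unexpected-jsp - a successful request for a .jsp not in the allowlist (web-shell use)
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        ip, path = rec["ip"], rec["path"]
        if ip in KNOWN_BAD_IPS:
            findings.append(("known-bad-ip", ip, path))
        if rec["method"] == "POST" and path.lower() == uploader_path.lower():
            findings.append(("uploader-post", ip, path))
        if path.lower().endswith(".jsp") and path not in allowed_jsp and rec["status"] < 400:
            findings.append(("unexpected-jsp", ip, path))
    return findings


def recent_jsp_files(root, max_age_days=30):
    """List .jsp files under root modified within max_age_days, newest first.

    A web shell dropped through the uploader is a JSP that appeared recently and is
    not part of the deployed application, so recently modified files are the review set.
    """
    cutoff = time.time() - max_age_days * 86400
    hits = [p for p in Path(root).rglob("*.jsp") if p.stat().st_mtime >= cutoff]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


# Constructed sample log: one benign JSP request, one POST to the uploader from the
# report's IP, and one follow-up request for a JSP the application never shipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2025:09:01:12 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '15.204.56.106 - - [10/May/2025:09:02:40 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 200 88',
    '15.204.56.106 - - [10/May/2025:09:02:41 +0000] "GET /irj/helper.jsp?x=1 HTTP/1.1" 200 301',
    '198.51.100.7 - - [10/May/2025:09:05:03 +0000] "GET /irj/portal HTTP/1.1" 302 0',
    'this line is deliberately malformed',
]
ALLOWED_JSP = frozenset({"/index.jsp"})  # ASSUMPTION: the application's legitimate JSPs


def build_demo_tree():
    """Construct a throwaway directory with one year-old JSP and one freshly written JSP."""
    root = Path(tempfile.mkdtemp(prefix="sap_jsp_audit_"))
    (root / "app").mkdir()
    old = root / "app" / "legacy.jsp"
    old.write_text("<%-- shipped with the application --%>")
    backdated = time.time() - 365 * 86400
    os.utime(old, (backdated, backdated))  # make it look a year old
    (root / "app" / "helper.jsp").write_text("<%-- appeared recently --%>")
    return root


if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG, ALLOWED_JSP):
        print("%-14s %-15s %s" % finding)
    for p in recent_jsp_files(build_demo_tree()):
        print("recent jsp:", p)
```

The uploader rule on its own is a lead, not proof: legitimate developer traffic can hit that endpoint, so correlate it with the other two signals and with the server's own logs. Likewise, a recent JSP is only suspicious if it is not explained by a deployment, which is why the script hands back a review list rather than a verdict. Run the log check against the full retention window, not just the last few days, since the report notes that access was established and kept quietly over time.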
🕵️‍♂️ Fact Checker Results
✅ CVE-2025-31324 is real and publicly disclosed, with a confirmed working RCE exploit
✅ Targeted sectors match previous Chinese APT tactics seen in geopolitical cyber operations
✅ Multiple malware families (KrustyLoader, SNOWLIGHT, SuperShell) are actively deployed as part of the attacks
🔮 Prediction
Expect a surge in SAP NetWeaver-focused attacks in the coming months, particularly from cybercriminal groups now piggybacking off nation-state exploits. Critical infrastructure in other regions—especially Southeast Asia, Latin America, and Africa—may be next. Organizations slow to patch will become soft targets. The next evolution will likely involve the chaining of SAP exploits with vulnerabilities in third-party middleware, escalating privileges and expanding the attack surface.
References:
Reported By: thehackernews.com