
Introduction:
SAP, a cornerstone in enterprise resource planning (ERP) systems, is now in the crosshairs of sophisticated cyberattackers. A newly discovered and actively exploited vulnerability, CVE-2025-31324, poses a severe risk to organizations using SAP NetWeaver Visual Composer 7.x. This critical flaw enables unauthenticated remote code execution (RCE) via malicious uploads to a specific endpoint, allowing adversaries to hijack SAP servers entirely. Since the vulnerability’s disclosure, multiple exploitation campaigns have surfaced, with strong indicators pointing to a well-organized Chinese-speaking threat group as the primary culprit. As evidence of active exploitation continues to mount, organizations must act swiftly to secure their SAP environments against this growing threat.
The Ongoing Exploitation of SAP NetWeaver — Key Developments
A critical vulnerability, CVE-2025-31324, has been uncovered in SAP NetWeaver Visual Composer 7.x.
The flaw allows unauthenticated attackers to upload malicious files and remotely execute code on affected servers.
Exploits are being launched through the /developmentserver/metadatauploader endpoint.
The vulnerability enables the deployment of web shells, such as helper.jsp and cache.jsp, and advanced management backdoors like Supershell.
Cybersecurity firm Forescout has traced the exploitation back to a Chinese-speaking threat group, identified as Chaya_004.
Mass scanning activity began on April 29, 2025, shortly after the vulnerability’s public disclosure and inclusion in CISA’s KEV catalog.
Microsoft and Amazon cloud ASNs are being used for both legitimate research and malicious reconnaissance.
Manufacturing industries have been the most targeted, particularly those using Scaleway, Contabo, Nubes, and ECO TRADE hosting services.
Many of the attacking IPs were previously linked to credential-stuffing and brute-force campaigns.
Attackers are leveraging infrastructure hosted on Chinese cloud giants like Alibaba, Tencent, Huawei, and China Unicom.
Researchers found a consistent self-signed certificate profile among over 500 IP addresses used in the campaign.
A wide array of tools was discovered on the attackers’ servers: SoftEther VPN, Cobalt Strike, NPS, ARL, NHAS, Pocassit, and custom Go-based tunnels.
The coordinated and tool-rich approach suggests a well-funded and experienced APT operation.
Lateral movement is a significant risk, potentially affecting core SAP modules like Gateway, Message Server, and HANA databases.
Security analysts observed that some SAP systems crashed during scans, revealing both poor hardening and high exposure.
Immediate actions recommended include patching with April 2025 SAP updates, disabling unnecessary services, and enforcing firewall restrictions.
Monitoring should focus on unusual POST requests and suspicious outbound activity.
Forescout has added indicators of compromise (IoCs) to its threat intelligence suite to aid detection and response.
Organizations are urged to prioritize remediation and adopt proactive threat hunting strategies.
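To make the monitoring advice above concrete, here is an added example (not code from the original post or from Forescout) that hunts an HTTP access log for the two traces the post names: POST requests to /developmentserver/metadatauploader and requests for the helper.jsp or cache.jsp web shell names. The log lines are constructed samples in a common combined-log layout; the LOG_RE pattern and the /irj/ shell location are assumptions to adjust for your own SAP ICM logging configuration.

```python
"""Hunt for CVE-2025-31324 exploitation traces in an HTTP access log (added example)."""
import re
from typing import Dict, List, Optional

# Assumption: combined-log style lines; real SAP ICM log formats vary, adjust LOG_RE.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UPLOADER = "/developmentserver/metadatauploader"   # endpoint named in the post
SHELL_NAMES = ("helper.jsp", "cache.jsp")           # web shell names named in the post

# Constructed sample log; the /irj/ shell path is an assumption, not from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [29/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
192.0.2.44 - - [29/Apr/2025:10:15:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.10 - - [29/Apr/2025:10:16:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 220
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Tag a parsed record with the kind of suspicious activity it shows, if any."""
    path = rec["path"].split("?", 1)[0].lower()      # drop the query string
    if path == UPLOADER and rec["method"] == "POST":
        return "upload-to-metadatauploader"          # the exploitation vector itself
    if path == UPLOADER:
        return "probe-metadatauploader"              # mass-scanning style reconnaissance
    if path.rsplit("/", 1)[-1] in SHELL_NAMES:
        return "webshell-access"                     # request for a dropped shell
    return None

def hunt(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log text and return one finding dict per suspicious line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "finding": tag})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['finding']} {f['path']}")
```

Any hit on the uploader endpoint from an unexpected source, or any shell-name hit at all, is worth an immediate look at the server's file system and outbound connections.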
What Undercode Say:
This campaign targeting SAP NetWeaver is emblematic of the evolving threat landscape where critical infrastructure software becomes a frontline target for cyber-espionage and cybercrime. The vulnerability CVE-2025-31324 is a textbook case of how a single overlooked deserialization bug can unravel the security of an entire enterprise network.
One of the most striking aspects of this attack is its immediacy and scale. Exploitation began almost in tandem with the vulnerability’s public disclosure, indicating how rapidly adversaries adapt their toolsets to incorporate new CVEs. This speaks to the professionalism and operational maturity of groups like Chaya_004, likely operating under state sponsorship or with deep experience in stealth and lateral movement.
The use of cloud platforms like Alibaba, Tencent, and Amazon AWS not only provides attackers global reach but also complicates attribution and incident response. Their use of self-signed digital certificates, consistent network patterns, and a large number of reconnaissance tools suggests a campaign built for both stealth and persistence.
More troubling is the post-exploitation potential. Once inside, attackers aren’t just deploying shells—they’re preparing for long-term control, reconnaissance, and potential data exfiltration. Tools like Supershell and Cobalt Strike indicate a pivot toward persistent access and command-and-control infrastructure. The attackers’ use of custom VPNs and bespoke tunneling tools adds layers of obfuscation, which can blind traditional security monitoring.
Organizations running SAP NetWeaver Visual Composer face not just an immediate breach risk but also long-term infiltration. Once lateral movement is achieved, core SAP systems such as HANA databases or Message Servers could be compromised, potentially halting operations, leaking proprietary data, or causing severe compliance violations.
This campaign underlines a fundamental truth: Patch management alone is no longer enough. Active monitoring, behavioral analytics, and aggressive threat hunting are essential. Enterprises must treat SAP components as part of their critical infrastructure and defend them accordingly.
Moreover, the fact that even defensive scans can crash SAP systems suggests that many organizations are running fragile, unpatched, or misconfigured instances, making them easy targets for APT actors. This should be
References:
Reported By: cyberpress.org