China-Linked Hackers Exploit Critical SAP NetWeaver Vulnerability to Target Infrastructure
A newly revealed critical vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, is being actively exploited by several China-affiliated nation-state threat actors to compromise critical infrastructure systems.
According to EclecticIQ researcher Arda Büyükkaya, the flaw is an unauthenticated file upload vulnerability that allows for remote code execution (RCE). Exploitation of this flaw has been observed in attacks on natural gas and water utilities in the UK, medical device and oil & gas companies in the US, and government ministries in Saudi Arabia focused on investment and financial oversight.
The findings stem from an exposed directory on an attacker-controlled server (IP: 15.204.56[.]106), which included logs of activity across compromised systems. Among the files found were:
- "CVE-2025-31324-results.txt" listing 581 backdoored SAP NetWeaver instances.
- "服务数据_20250427_212229.txt" referencing 800 domains likely queued for future attacks.
Dutch cybersecurity firm EclecticIQ attributes these operations to UNC5221, UNC5174, CL-STA-0048, and another unidentified China-nexus group conducting widespread scans and exploits. CL-STA-0048, in particular, has been linked to attacks leveraging public-facing IIS, Apache Tomcat, and MS-SQL servers to deploy web and reverse shells, as well as the PlugX backdoor.
Once access is gained through CVE-2025-31324, attackers deploy two web shells to maintain persistent control and execute commands on compromised systems. Notably:
- CL-STA-0048 attempted to establish a reverse shell to 43.247.135[.]53.
- UNC5221 deployed KrustyLoader, a Rust-based tool for loading second-stage payloads like Sliver.
- UNC5174 used a web shell to download SNOWLIGHT, a loader that fetches VShell (a Go-based remote access trojan) and the GOREVERSE backdoor.
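The indicators and post-exploitation behaviour described above can be turned into a simple log check. The following Python script is an added example, not code from the article or from EclecticIQ: it refangs the two IP indicators quoted in the article and scans constructed web-access and firewall log lines for POSTs to the Visual Composer metadata uploader endpoint, JSP files served from the portal's servlet_jsp root, and outbound connections to the indicator addresses. The endpoint path, the JSP root path, the log formats and the sample log lines are all assumptions made for this example and are not taken from the article.

```python
import re
from dataclasses import dataclass

# Defanged indicators quoted in the article: the exposed attacker server and the
# reverse-shell destination attributed to CL-STA-0048.
DEFANGED_IOCS = ["15.204.56[.]106", "43.247.135[.]53"]

# Paths assumed for this example (not taken from the article): the Visual Composer
# metadata uploader endpoint and the servlet_jsp root from which dropped JSP files
# would be served.
UPLOADER_PATH = "/developmentserver/metadatauploader"
JSP_ROOT = "/irj/servlet_jsp/irj/root/"


def refang(ioc: str) -> str:
    """Convert a defanged indicator (1.2.3[.]4, hxxp://) into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}


@dataclass(frozen=True)
class Finding:
    source: str    # "access" or "firewall"
    line_no: int   # 1-based line number in the scanned log
    reason: str    # short rule name
    detail: str    # human-readable context


# Combined-format access log: client, timestamp, "METHOD PATH PROTO", status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# key=value style firewall log; only src, dst and dport are needed here.
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def scan_access_log(lines):
    """Flag POSTs to the uploader endpoint, JSP files served from the servlet_jsp
    root, and any request arriving from a known indicator address."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path.startswith(UPLOADER_PATH):
            findings.append(Finding("access", n, "post-to-metadata-uploader",
                                    f"{m['src']} -> {m['path']} ({m['status']})"))
        if path.startswith(JSP_ROOT) and path.endswith(".jsp"):
            findings.append(Finding("access", n, "jsp-under-servlet-root",
                                    f"{m['src']} -> {m['path']} ({m['status']})"))
        if m["src"] in IOC_IPS:
            findings.append(Finding("access", n, "request-from-known-ioc", m["src"]))
    return findings


def scan_firewall_log(lines):
    """Flag outbound connections whose destination is a known indicator address."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FW_RE.search(line)
        if m and m["dst"] in IOC_IPS:
            findings.append(Finding("firewall", n, "outbound-to-known-ioc",
                                    f"{m['src']} -> {m['dst']}:{m['dport']}"))
    return findings


def run_detections(access_lines, fw_lines):
    """Scan both logs and return all findings in scan order."""
    return scan_access_log(access_lines) + scan_firewall_log(fw_lines)


# Constructed sample logs (not real data): a benign portal request, a POST to the
# uploader, a request for a JSP under the servlet root, a denied GET to the uploader,
# and three outbound connections of which two go to indicator addresses.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Apr/2025:21:20:01 +0000] "GET /irj/portal HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [27/Apr/2025:21:22:29 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 147 "-" "python-requests/2.31"',
    '203.0.113.77 - - [27/Apr/2025:21:22:31 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 58 "-" "python-requests/2.31"',
    '10.0.0.5 - - [27/Apr/2025:21:30:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]
SAMPLE_FIREWALL_LOG = [
    "Apr 28 03:14:07 sap-app01 fw: action=allow src=10.10.5.21 dst=43.247.135.53 dport=443 proto=tcp",
    "Apr 28 03:14:09 sap-app01 fw: action=allow src=10.10.5.21 dst=198.51.100.9 dport=443 proto=tcp",
    "Apr 28 03:15:00 sap-app01 fw: action=allow src=10.10.5.21 dst=15.204.56.106 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_ACCESS_LOG, SAMPLE_FIREWALL_LOG):
        print(f"[{f.source}:{f.line_no}] {f.reason}: {f.detail}")
```

Run against the constructed samples, the script reports the POST to the uploader, the JSP request, and the two outbound connections to the indicator addresses; the denied GET to the uploader is not flagged because the rule keys on POST. Because the article notes that later actors are hijacking web shells planted by the original intruders, matching only the two published IPs will miss follow-on traffic, so the JSP rule is the one worth keeping after the IP indicators go stale.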
“These campaigns show a deliberate strategy by Chinese APTs to exploit widely used, vulnerable platforms like SAP NetWeaver in order to gain long-term access to global infrastructure networks,” Büyükkaya said.
SAP Responds with Critical Patches
In response, SAP released fixes for NetWeaver in its May 2025 security updates. A separate China-affiliated group, Chaya_004, was also observed exploiting CVE-2025-31324 to deploy a Go-based reverse shell known as SuperShell, according to SAP security firm Onapsis, which warns that attackers are now using publicly available information to hijack web shells placed by the original actors, who have since gone silent.
Further investigation revealed another severe flaw, CVE-2025-42999 (CVSS score: 9.1), in the Visual Composer Metadata Uploader component. This deserialization vulnerability can be exploited by privileged users to upload malicious files.
Security Recommendation:
Given the active exploitation, SAP NetWeaver customers are strongly advised to update to the latest version immediately to mitigate these risks.