Ethical Hacking News
Chinese hackers behind attacks targeting SAP NetWeaver servers have left a trail of destruction by exploiting a critical vulnerability in the software to gain unauthorized access to sensitive systems. With over 200 exposed SAP NetWeaver servers vulnerable to these attacks, it is crucial for SAP administrators to take immediate action and patch their systems before it's too late.
SAP NetWeaver servers have been targeted by Chinese hackers exploiting a critical vulnerability (CVE-2025-31324) in the software. The attacks began after SAP released an emergency patch for its NetWeaver Visual Composer software on April 24. Attackers used zero-day exploits to breach systems, leaving few signs of their presence and deploying web shell backdoors on unpatched instances. A total of 204 SAP NetWeaver servers were found exposed online and vulnerable to the attack. The attacks are attributed to a Chinese threat actor, tracked as Chaya_004, who used anomalous self-signed certificates and deployed Chinese-language tools. SAP administrators are advised to patch their instances, restrict access, monitor for suspicious activity, and consider disabling the Visual Composer service.
Chinese hackers behind attacks targeting SAP NetWeaver servers have left a trail of destruction, exploiting a critical vulnerability in the software to gain unauthorized access to sensitive systems. In recent weeks, numerous reports have surfaced about malicious actors launching attacks against unsuspecting SAP customers, leaving many wondering how such a sophisticated operation could go undetected for so long.
The attacks began on April 24, when SAP released an emergency patch for its NetWeaver Visual Composer software, addressing a critical unauthenticated file upload security flaw (tracked as CVE-2025-31324). This vulnerability lets an attacker upload files to the server without authenticating, ultimately gaining remote code execution and potentially leading to complete system compromise. Despite the urgency of this warning, multiple customers' systems were breached through unauthorized file uploads on SAP NetWeaver servers, with threat actors uploading JSP web shells to public directories and the Brute Ratel red team tool in the post-exploitation phase of their attacks.
The compromised SAP NetWeaver servers were fully patched, but it appears that attackers had already established a foothold before this. According to cybersecurity firm watchTowr, attackers used a zero-day exploit to breach these systems, leaving few signs of their presence. Other firms, including Onapsis and Mandiant, also confirmed the attackers' use of web shell backdoors on unpatched instances exposed online.
According to Shadowserver Foundation, 204 SAP NetWeaver servers were found exposed online and vulnerable to CVE-2025-31324 attacks. This staggering number highlights the severity of this vulnerability and the ease with which it can be exploited by malicious actors. Furthermore, Onapsis reported that its honeypot captured reconnaissance activity and payload testing since January 20, with exploitation attempts starting on February 10.
The attacks attributed to a Chinese threat actor, tracked as Chaya_004, have gained attention in recent days. The attackers used anomalous self-signed certificates impersonating Cloudflare, and many of their IP addresses belonged to Chinese cloud providers such as Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom. The attacker also deployed Chinese-language tools during the breaches, including a web-based reverse shell known as SuperShell developed by a Chinese-speaking developer.
As Forescout's Vedere Labs security researchers noted, "As part of our investigation into active exploitation of this vulnerability, we uncovered malicious infrastructure likely belonging to a Chinese threat actor, which we are currently tracking as Chaya_004 – following our convention for unnamed threat actors." The infrastructure includes a network of servers hosting Supershell backdoors often deployed on Chinese cloud providers and various pen testing tools, many of which have Chinese origins.
Given the severity of this vulnerability, SAP administrators are advised to take immediate action. This includes patching their NetWeaver instances, restricting access to metadata uploader services, monitoring for suspicious activity on their servers, and considering disabling the Visual Composer service if possible.
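An added detection example, not from the article or from SAP, that applies the monitoring advice above: it correlates, in constructed sample access-log lines, a POST to the Visual Composer metadata uploader with later requests for a .jsp file under a public portal directory from the same client, which is the upload-then-web-shell pattern the article describes. The uploader path and the public-directory prefixes are assumptions about the deployment, and the log lines are constructed.

```python
"""Flag the CVE-2025-31324 exploitation pattern in web access logs (added example)."""
import re

# Assumed paths (not named in the article): the metadata uploader endpoint and
# prefixes of publicly served portal directories where a dropped .jsp would live.
UPLOADER_PATH = "/developmentserver/metadatauploader"
PUBLIC_ROOT_HINTS = ("/irj/", "/servlet_jsp/")

# Common/combined log format: ip ident user [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines: one client uploads then fetches a .jsp, another just
# browses the portal normally and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Apr/2025:10:01:05 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.4 - - [25/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
    '198.51.100.4 - - [25/Apr/2025:10:02:10 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 2048',
    '203.0.113.7 - - [25/Apr/2025:10:03:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 90',
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return (clients that POSTed to the uploader, unique (ip, jsp_path) pairs
    where such a client later fetched a .jsp from a public directory)."""
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop query string
        if rec["method"] == "POST" and path.startswith(UPLOADER_PATH):
            uploaders.add(rec["ip"])  # any upload call deserves review
        elif (path.endswith(".jsp") and any(h in path for h in PUBLIC_ROOT_HINTS)
              and rec["ip"] in uploaders):
            pair = (rec["ip"], path)
            if pair not in hits:
                hits.append(pair)
    return sorted(uploaders), hits


if __name__ == "__main__":
    clients, shells = find_suspicious(SAMPLE_LOG)
    print("uploader clients:", clients)
    print("possible web shells:", shells)
```

Run it against the real access log of the Java instance by replacing SAMPLE_LOG with the file's lines; a hit is a reason to inspect the named .jsp on disk, not proof of compromise by itself.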
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2025-31324 security flaw to its Known Exploited Vulnerabilities Catalog. As such, U.S. federal agencies are required to secure their systems against these attacks by May 20, as per Binding Operational Directive (BOD) 22-01. CISA warned that vulnerabilities like this "are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
In light of these alarming events, it is essential for SAP customers to take proactive measures to protect themselves from such attacks. By staying informed about the latest security threats and patching their systems promptly, they can significantly reduce the risk of falling victim to these types of exploits.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Unleash-Reckless-Attacks-on-SAP-NetWeaver-Servers-ehn.shtml
Published: Fri May 9 11:47:05 2025 by llama3.2 3B Q4_K_M