Ethical Hacking News
Hundreds of global systems have been left vulnerable to attacks due to a recently disclosed security flaw in SAP NetWeaver. The vulnerability, CVE-2025-31324, allows attackers to achieve remote code execution by uploading web shells through a susceptible endpoint. Threat actor Chaya_004 has been observed weaponizing the vulnerability since April 29, 2025, targeting industries and geographies worldwide. Hundreds of systems have fallen victim to attacks between March 14 and March 31, including energy, manufacturing, media, oil, gas, pharmaceuticals, retail, and government organizations. The threat actor has hosted a web-based reverse shell on an IP address, indicating a sophisticated attack campaign. To defend against these attacks, users must apply patches as soon as possible, restrict access to the metadata uploader endpoint, and monitor for suspicious activity.
Chinese hackers have been exploiting a recently disclosed security flaw in SAP NetWeaver, leaving hundreds of global systems vulnerable to attacks. The vulnerability, identified as CVE-2025-31324, allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint. This critical flaw has been targeted by a threat actor tracked as Chaya_004, which has been observed weaponizing the vulnerability since April 29, 2025.
The SAP security firm Onapsis reported that hundreds of systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. Successful compromises, in which web shells were deployed, were observed between March 14 and March 31.
The threat actor, Chaya_004, has hosted a web-based reverse shell written in Golang called SuperShell on the IP address 47.97.42[.]177. Forescout Vedere Labs extracted the IP address from an ELF binary named config that was put to use in the attack. The operational technology (OT) security company said it identified several other open ports, including 3232/HTTP using an anomalous self-signed certificate impersonating Cloudflare.
The threat actor's tactics, techniques, and procedures (TTPs) point to a sophisticated campaign that builds on compromises already achieved in order to expand the threat further. Onapsis CTO Juan Pablo (JP) Perez-Etchegoyen said: "the activity highlighted by Forescout is post-patch, and that it will further expand the threat of leveraging deployed web shells not only to opportunistic (and potentially less sophisticated) threat actors, but also more advanced ones seem to have been rapidly reacting to this issue to leverage the existing compromises and further expand."
To defend against these attacks, it is essential that users apply the patches as soon as possible, if they have not already done so. In addition, restricting access to the metadata uploader endpoint, disabling the Visual Composer service if it is not in use, and monitoring for suspicious activity are crucial measures to prevent successful exploitation.
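Two of the measures above, restricting who can reach the metadata uploader endpoint and monitoring for suspicious activity, can be turned into a simple log check. The script below is an added example, not code from the article or from Onapsis or Forescout. The only indicators it uses are the ones the article names: the /developmentserver/metadatauploader path and the SuperShell host 47.97.42[.]177 with its 3232/HTTP service. The log formats, the admin network 10.0.0.0/8 and every sample log line are constructed for illustration.

```python
"""Log check for CVE-2025-31324 activity on an SAP NetWeaver host.

Added example; log formats, admin range and sample lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# From the article: the abused upload endpoint and the host/port that served SuperShell.
UPLOADER_PATH = "/developmentserver/metadatauploader"
IOC_IP = "47.97.42[.]177".replace("[.]", ".")  # refang the defanged indicator for matching
IOC_PORTS = {3232}  # anomalous HTTP service reported on that host

# Assumption (not from the article): only this range legitimately reaches the uploader.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample HTTP access log (Common Log Format) from the NetWeaver host.
ACCESS_LOG = """\
10.1.2.3 - - [30/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [30/Apr/2025:10:05:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
10.0.5.9 - - [30/Apr/2025:10:06:10 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 290
198.51.100.4 - - [30/Apr/2025:10:07:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 120
"""

# Constructed sample outbound-connection log: "timestamp src dst dport action".
CONN_LOG = """\
2025-04-30T10:08:00Z 10.0.5.9 93.184.216.34 443 allow
2025-04-30T10:08:05Z 10.0.5.9 47.97.42.177 3232 allow
2025-04-30T10:08:09Z 10.0.5.9 47.97.42.177 443 allow
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Finding:
    source: str
    rule: str
    detail: str


def _from_admin_net(src: str) -> bool:
    """True when the client address falls inside the assumed admin range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def scan_access_log(text: str) -> list[Finding]:
    """Flag every request to the metadata uploader endpoint.

    Any hit from outside the admin range is suspicious regardless of method
    (a GET is a probe, a POST is an upload attempt). A POST from inside the
    admin range is surfaced for review, because an upload through this
    endpoint is exactly what a web-shell deployment looks like.
    """
    findings: list[Finding] = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        path = m["path"].split("?", 1)[0].lower()
        if path != UPLOADER_PATH:
            continue
        src, method = m["src"], m["method"].upper()
        detail = f"{method} {m['path']} -> {m['status']} at {m['ts']}"
        if not _from_admin_net(src):
            findings.append(Finding(src, "uploader-hit-unexpected-source", detail))
        elif method == "POST":
            findings.append(Finding(src, "uploader-post-review", detail))
    return findings


def scan_conn_log(text: str) -> list[Finding]:
    """Flag any outbound connection to the reported SuperShell host."""
    findings: list[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        if dst != IOC_IP:
            continue
        rule = "ioc-c2-port" if int(dport) in IOC_PORTS else "ioc-contact"
        findings.append(Finding(src, rule, f"{src} -> {dst}:{dport} {action} at {ts}"))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG) + scan_conn_log(CONN_LOG):
        print(f"[{f.rule}] {f.source}: {f.detail}")
```

On the constructed sample this yields three endpoint findings (two external hits and one internal POST for review) and two contacts with the SuperShell host, one of them on the 3232 port. In a real deployment the admin range must reflect the network that actually administers the system, and an endpoint hit should be correlated with file creation under the web root on the host, since the access log alone cannot tell a blocked upload from a successful one.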
Furthermore, the use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China. The researchers added that "the use of such tools and infrastructure suggests a sophisticated attack campaign that is not limited to opportunistic threat actors."
The recent discovery of this vulnerability highlights the importance of staying vigilant in the face of emerging threats. As Onapsis noted, "it's essential that users stay informed about the latest security updates and patches to protect themselves against these types of attacks." In light of this new threat, cybersecurity experts emphasize the need for increased vigilance and proactive measures to prevent successful exploitation.
In conclusion, the recent discovery of the SAP NetWeaver vulnerability highlights a critical flaw in global systems that has been exploited by Chinese hackers. As the threat actor's tactics and techniques continue to evolve, it is essential that users remain informed about the latest security updates and patches to protect themselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Threat-Lurks-in-the-Shadows-Chinese-Hackers-Leverage-SAP-RCE-Flaw-to-Deploy-Sophisticated-Malware-ehn.shtml
https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://www.cvedetails.com/cve/CVE-2025-31324/
Published: Fri May 9 00:21:28 2025 by llama3.2 3B Q4_K_M