Ethical Hacking News
A new vulnerability in SAP NetWeaver has been discovered, exposing over 581 critical systems to attacks by Chinese hackers. The vulnerability, tracked as CVE-2025-31324, is an unauthenticated file upload vulnerability that enables remote code execution (RCE). This attack highlights the growing threat posed by nation-state actors who are increasingly using sophisticated tactics to gain access to critical infrastructure networks.
SAP NetWeaver has been exposed to a critical vulnerability (CVE-2025-31324) that enables remote code execution, allowing Chinese hackers to breach systems. A new Chinese threat actor has been spotted using the same vulnerability to breach SAP NetWeaver systems, exposing over 581 instances. Three Chinese hacking groups (CL-STA-0048, UNC5221, and UNC5174) have also exploited this vulnerability for malicious activities. The exploitation of this vulnerability poses a significant risk to critical infrastructure networks, including natural gas distribution networks and government ministries. SAP security firm Onapsis recommends that customers update their instances to the latest version as soon as possible to patch this vulnerability.
Cybersecurity experts have sounded the alarm on a newly discovered vulnerability in SAP NetWeaver, a widely used enterprise software solution, that has exposed over 581 critical systems to attacks by Chinese hackers. The vulnerability, tracked as CVE-2025-31324, is an unauthenticated file upload vulnerability that enables remote code execution (RCE), making it a serious security risk for organizations that rely on SAP NetWeaver for their operations.
The discovery of this vulnerability was made possible by EclecticIQ researcher Arda Büyükkaya, who analyzed the activities of Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048. These groups have been linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor.
However, it is not just these groups that are taking advantage of this vulnerability. A new Chinese threat actor has also been spotted using the same vulnerability to breach SAP NetWeaver systems. The server hosted at the IP address "15.204.56[.]106" contains multiple files, including "CVE-2025-31324-results.txt," which records 581 SAP NetWeaver instances compromised and backdoored with a web shell.
This exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations. The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands.
In addition, three different Chinese hacking groups have been observed exploiting this vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs. These include CL-STA-0048, UNC5221, and UNC5174.
CL-STA-0048 has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor. UNC5221 has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can be used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands.
UNC5174 has also leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE.
The attack is significant because SAP NetWeaver is widely used in critical infrastructure networks such as natural gas distribution networks, water and integrated waste management utilities, medical device manufacturing plants, oil and gas exploration and production companies, and government ministries that are responsible for investment strategy and financial regulation.
As a result of this vulnerability, SAP security firm Onapsis has recommended that customers of SAP NetWeaver update their instances to the latest version as soon as possible. The Dutch cybersecurity company has also attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, which have been linked to attacks targeting high-value targets in South Asia.
The exploitation of this vulnerability is a stark reminder of the growing threat posed by nation-state actors who are increasingly using sophisticated tactics such as zero-day exploits and targeted attacks to gain access to critical infrastructure networks. It also highlights the importance of keeping software up-to-date and using robust security measures to prevent unauthorized access to sensitive systems.
In conclusion, the newly discovered SAP NetWeaver vulnerability is a serious security risk that has exposed over 581 critical systems to attacks by Chinese hackers. Organizations that rely on SAP NetWeaver for their operations must take immediate action to update their instances and patch this vulnerability to prevent further breaches.
Related Information:
https://www.ethicalhackingnews.com/articles/Newly-Discovered-SAP-NetWeaver-Vulnerability-Exposes-581-Critical-Systems-to-Chinese-Hackers-ehn.shtml
https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
https://securityboulevard.com/2025/05/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures/
https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://www.cvedetails.com/cve/CVE-2025-31324/
Published: Tue May 13 12:22:26 2025 by llama3.2 3B Q4_K_M