
The recently disclosed critical security flaws affecting SAP NetWeaver are being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
“The actor leveraged CVE-2025-31324, an unauthorized file upload vulnerability that allows remote code execution (RCE).”
The campaign's targets include the UK's natural gas distribution network, water and integrated waste management utilities, medical device manufacturing plants, US oil and gas exploration and production companies, and Saudi Arabia's government ministries responsible for investment strategy and financial regulation.
The findings are based on an open directory exposed on attacker-controlled infrastructure (15.204.56[.]106) that contains event logs capturing activity on multiple compromised systems.
A Dutch cybersecurity firm attributes the intrusions to a cluster of China-based threat activity tracked as UNC5221, UNC5174 and CL-STA-0048. The last of these has previously been linked to attacks on high-value targets in South Asia that exploited known vulnerabilities in public-facing IIS, Apache Tomcat and MS-SQL servers.

He also noted that unclassified China-nexus threat actors are running extensive internet scans and exploitation campaigns against SAP NetWeaver systems. The server at IP address 15.204.56[.]106 was found to host multiple files, including:
"CVE-2025-31324-results.txt", which records 581 SAP NetWeaver instances compromised with a web shell, and a second file, "_20250427_212229.txt".
“The exposed open deal infrastructure reveals confirmed violations, highlights the group’s planned targets and provides clear insight into both past and future operations,” Büyükkaya said.
Exploitation of CVE-2025-31324 is followed by the threat actors deploying two web shells designed to maintain persistent remote access to the infected system and execute arbitrary commands.
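As an added defensive example (not code from the article or from any vendor it cites): a small Python check that correlates, in constructed web-server access logs, a successful POST to the Visual Composer metadata uploader with later requests to a .jsp file from the same client, which is the trace an upload-then-web-shell intrusion leaves behind. The uploader path used below is an assumption, not stated in the article, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article): two clients, one of
# which POSTs to the assumed upload endpoint and then calls a newly appeared .jsp.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2025:21:22:29 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
198.51.100.4 - - [27/Apr/2025:21:25:02 +0000] "GET /irj/portal HTTP/1.1" 200 8123
203.0.113.7 - - [27/Apr/2025:21:26:31 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 73
203.0.113.7 - - [27/Apr/2025:21:35:10 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 61
"""

# Assumed path of the Visual Composer metadata uploader; adjust to your environment.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
JSP_RE = re.compile(r"\.jsp$", re.IGNORECASE)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_upload_then_webshell(log_text):
    """Map each source IP that got a 200 on POST to the uploader and afterwards
    requested a .jsp file to the sorted list of .jsp paths it touched."""
    uploaded = set()          # IPs with a successful POST to UPLOAD_ENDPOINT
    hits = defaultdict(set)   # ip -> .jsp paths requested after that upload
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and rec["status"] == 200:
            uploaded.add(ip)
        elif ip in uploaded and JSP_RE.search(path):
            hits[ip].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


if __name__ == "__main__":
    for ip, paths in find_upload_then_webshell(SAMPLE_LOG).items():
        print(f"{ip}: upload followed by .jsp access -> {', '.join(paths)}")
```

A hit is a starting point for triage, not a verdict: confirm by checking the uploaded file on disk and the process tree of the SAP Java server.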
Additionally, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of their efforts to maintain remote access, conduct reconnaissance and drop malware.
CL-STA-0048 attempted to establish an interactive reverse shell to 43.247.135[.]53, an IP address previously identified as being used by the threat actor UNC5221. UNC5221 used the web shell to deploy KrustyLoader, Rust-based malware that can deliver second-stage payloads such as Sliver. The backdoors known as VShell and GOREVERSE were also observed.
“China-related APTs are likely to target enterprise applications and edge devices exposed to the internet to establish long-term strategic and sustainable access to critical infrastructure networks around the world,” Büyükkaya said.

“Focusing on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities.”
SAP Patches New NetWeaver Flaw with May 2025 Patch
This disclosure comes days after another China-linked threat actor, tracked as Chaya_004, was observed deploying a Go-based reverse shell called SuperShell following exploitation of CVE-2025-31324.

SAP security company Onapsis said: "We are seeing important activities from attackers who are now dark, using public information to trigger and abuse exploitation and abuse."
Further analysis of these attacks uncovered another serious flaw in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it is described as a deserialization vulnerability that can be exploited by privileged users to upload untrusted or malicious content.
In light of ongoing active exploitation, SAP NetWeaver customers are encouraged to update their instances to the latest version as soon as possible.