China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

A critical security vulnerability in SAP NetWeaver, CVE-2025-31324, is being actively exploited by Chinese threat actors to compromise and maintain persistent access to critical infrastructure systems worldwide. These attackers are leveraging web shells and malware to target networks in various sectors, including energy, water, healthcare, and government.
Affected: SAP NetWeaver systems, critical infrastructure networks

Key points

  • The CVE-2025-31324 vulnerability allows unauthenticated remote code execution via file upload, leading to system compromise.
  • Multiple Chinese threat groups, including UNC5221, UNC5174, and CL-STA-0048, are exploiting this flaw to deploy web shells, malware, and backdoors.
  • Attackers have compromised at least 581 SAP NetWeaver instances and are monitoring numerous targeted domains for future exploitation.
  • The campaigns include deploying malware such as KrustyLoader, SNOWLIGHT, VShell, and GOREVERSE to establish long-term access and conduct reconnaissance.
  • Exploited servers often host publicly accessible directories that reveal attack activities and potential future targets.
  • A new flaw in SAP NetWeaver’s Visual Composer Metadata Uploader, CVE-2025-42999, with a high severity score, has also been identified for potential exploitation.
  • SAP recommends immediate updates to the latest version to mitigate ongoing active exploitation of these vulnerabilities.
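
A log-triage heuristic for the upload-then-web-shell pattern described in the first key point, added here as an example and not code from the article or from SAP: it pairs a successful POST to the uploader endpoint with later requests for JSP files the server had never served before that upload. The endpoint path is a placeholder to be replaced with the path named in SAP's advisory, and the log lines are constructed combined-format samples, not real SAP or ICM output.

```python
"""Triage: flag JSP files first requested only after a successful upload POST."""
import re
from datetime import datetime

# ASSUMPTION: placeholder; set to the Visual Composer Metadata Uploader path from SAP's advisory.
UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"

# Combined-log-format prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real logs): one benign JSP seen before the upload,
# one new JSP requested shortly after it.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:09:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/May/2025:09:00:05 +0000] "GET /webdynpro/app.jsp HTTP/1.1" 200 900',
    '203.0.113.7 - - [12/May/2025:09:10:00 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 200 0',
    '198.51.100.9 - - [12/May/2025:09:10:42 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 128',
    '10.0.0.5 - - [12/May/2025:09:11:00 +0000] "GET /webdynpro/app.jsp HTTP/1.1" 200 900',
]

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop query string before comparing paths
    return d

def find_webshell_drops(lines):
    """Return (upload_ip, upload_ts, jsp_path, caller_ip) for every JSP path whose
    first successful request comes after a successful POST to the uploader endpoint."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    uploads, seen_jsp, findings = [], set(), []
    for e in events:
        if e["method"] == "POST" and e["path"].lower() == UPLOADER_PATH.lower() and e["status"] == 200:
            uploads.append(e)
            continue
        if e["path"].lower().endswith(".jsp"):
            if e["path"] not in seen_jsp and uploads and e["status"] == 200:
                up = uploads[-1]  # most recent upload preceding this first-ever JSP hit
                findings.append((up["ip"], up["ts"], e["path"], e["ip"]))
            seen_jsp.add(e["path"])
    return findings

if __name__ == "__main__":
    for f in find_webshell_drops(SAMPLE_LOG):
        print("upload from %s at %s, then new JSP %s requested by %s" % f)
```

Run against the real access log of a patched or suspected host; a hit is a lead for file-system triage, not proof of compromise, since legitimately deployed JSPs that first appear after an upload will also match.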

Read More: https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html