Security researchers have linked ongoing attacks exploiting a critical vulnerability in SAP NetWeaver to a Chinese threat actor. The flaw, in the Visual Composer component, lets an unauthenticated attacker upload arbitrary files to the application server and thereby obtain remote code execution and full compromise of the host. (Affected: SAP NetWeaver instances with the Visual Composer component installed)
Key points:
- CVE-2025-31324, a missing authorization check in SAP NetWeaver Visual Composer (CVSS 10.0), was patched by SAP in an emergency update on April 24, 2025.
- The flaw lets an attacker upload arbitrary files without authenticating; observed payloads include JSP web shells and penetration-testing tooling.
- ReliaQuest, Onapsis and Mandiant independently confirmed in-the-wild exploitation; the flaw was abused as a zero-day from mid-March 2025, more than a month before a patch existed.
- Attackers plant backdoors on internet-exposed, unpatched servers. A large number of systems remain either exposed or already compromised, and because exploitation predates the patch, any unpatched server that was reachable from the internet should be treated as potentially breached rather than merely at risk.
- Forescout has attributed recent activity to a Chinese actor it tracks as Chaya_004, operating from Chinese cloud providers and using Chinese-language tooling.
- Infrastructure tied to the campaign hosts Chinese-developed tools, including SuperShell reverse shells and custom penetration-testing utilities.
- Recommended actions: apply SAP's patch immediately; where patching is delayed, disable Visual Composer or restrict access to its upload functionality; review server activity and the portal's web directories for unauthorized JSP files dropped since mid-March 2025.
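A lightweight hunt for the indicators described above, written here as an added example (it is not code from the source article or from any of the named vendors): it triages web-server access-log lines for POST requests to the Visual Composer Metadata Uploader endpoint and sweeps a portal web root for JSP files that carry command-execution primitives. The endpoint path /developmentserver/metadatauploader is the one named in public advisories for this CVE but is not quoted on this page; the combined log format, the directory layout, the sample log lines and the sample JSP files are all constructed for the example.

```python
"""Hunt for CVE-2025-31324 exploitation artifacts on an SAP NetWeaver Java host.

Two checks:
  1. Access-log triage: flag POST requests to the Visual Composer Metadata
     Uploader endpoint, the unauthenticated upload path named in public
     advisories (path assumed here; the summary does not quote it).
  2. Web-root sweep: find .jsp/.jspx files under the portal's web root that
     contain command-execution primitives typical of JSP web shells.

All log lines and files below are constructed sample data.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumed endpoint

# Apache/NCSA-style combined log; assumed layout for the constructed sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Primitives a JSP web shell almost always needs; a benign portal page rarely uses them.
SHELL_INDICATORS = (
    "Runtime.getRuntime().exec(",
    "ProcessBuilder(",
    'request.getParameter("cmd")',
)


@dataclass(frozen=True)
class UploadHit:
    ip: str
    timestamp: str
    status: int


def triage_access_log(lines):
    """Return one UploadHit per POST to the uploader path, whatever the status code.
    Any POST here deserves review: the endpoint needs no credentials, so a 4xx may
    be a probe and a 200 may be a successful file drop."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip rather than crash
        path = m.group("path").split("?", 1)[0].lower()
        if m.group("method") == "POST" and path.startswith(UPLOADER_PATH):
            hits.append(UploadHit(m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def sweep_jsp(root):
    """Return sorted paths of JSP files under root whose source contains a shell indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue  # unreadable file; report nothing rather than abort the sweep
            if any(ind in text for ind in SHELL_INDICATORS):
                findings.append(str(p))
    return sorted(findings)


# ---- constructed sample data ----
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2025:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.23 - - [17/Apr/2025:09:15:40 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 312',
    '198.51.100.23 - - [17/Apr/2025:09:15:41 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '203.0.113.7 - - [17/Apr/2025:09:16:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0',
]


def build_sample_webroot():
    """Create a temp directory standing in for .../servlet_jsp/irj/root, with one benign JSP and one shell."""
    root = Path(tempfile.mkdtemp(prefix="irj_root_"))
    (root / "index.jsp").write_text("<html><%= new java.util.Date() %></html>")
    (root / "helper.jsp").write_text(
        '<%@ page import="java.io.*" %><% String c = request.getParameter("cmd");'
        " Process p = Runtime.getRuntime().exec(c); %>"
    )
    return root


def run_hunt():
    """Run both checks over the constructed sample; returns (upload hits, shell file basenames)."""
    root = build_sample_webroot()
    hits = triage_access_log(SAMPLE_LOG)
    shells = sweep_jsp(root)
    return hits, [os.path.basename(s) for s in shells]


if __name__ == "__main__":
    hits, shells = run_hunt()
    for h in hits:
        print(f"[upload] {h.ip} {h.timestamp} status={h.status}")
    for s in shells:
        print(f"[webshell] {s}")
```

On a real host, point sweep_jsp at the portal's servlet_jsp tree and feed triage_access_log the ICM or reverse-proxy logs going back to at least mid-March 2025; a file hit with no matching upload request usually means the relevant log window has already rotated away, not that the file is benign.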