A China-linked threat actor tracked as Chaya_004 has been actively exploiting CVE-2025-31324, a critical SAP NetWeaver vulnerability, to deploy web shells and carry out follow-on malicious activity. The exploitation has compromised hundreds of SAP systems worldwide across multiple industries, with the earliest observed compromises dating to March 2025. (Affected: SAP NetWeaver systems)
Key points:
- CVE-2025-31324 is an unauthenticated file-upload flaw in the SAP NetWeaver Visual Composer Metadata Uploader, reached through the /developmentserver/metadatauploader endpoint; an attacker can upload a web shell and thereby gain remote code execution on the server.
- Threat actors, Chaya_004 among them, have been weaponizing the flaw at scale since April 2025 to deploy web shells and other malicious tooling.
- Multiple organizations worldwide across energy, manufacturing, media, oil, pharmaceuticals, retail, and government sectors have been targeted.
- Reconnaissance against the endpoint and successful web shell deployments were observed as early as March 2025; the earliest confirmed exploitation dates to March 12, 2025.
- Chaya_004 hosts tooling such as SuperShell and Golang-based reverse shells on infrastructure at Chinese cloud providers, which points to a likely Chinese origin.
- The same infrastructure carries further offensive tooling, including Cobalt Strike, SoftEther VPN, and reconnaissance frameworks.
- Recommended mitigations: apply SAP's patch promptly, restrict access to the /developmentserver/metadatauploader endpoint, disable unused services (Visual Composer in particular, where it is not needed), and monitor for suspicious activity such as unexpected requests to that endpoint or newly created web shell files.
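As a practical starting point for the monitoring recommendation above, the following is an added example (not code from the article, Forescout, Onapsis or SAP) that scans HTTP access-log lines for requests to the /developmentserver/metadatauploader endpoint named in the advisory. It assumes NCSA Common Log Format lines and a hypothetical trusted source range (10.20.0.0/16) where developer tooling is allowed to reach the endpoint; SAP's own ICM HTTP log format differs, so the regular expression would need adjusting for real deployments. The sample log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint abused by CVE-2025-31324 (taken from the advisory above).
VULNERABLE_PATH = "/developmentserver/metadatauploader"

# Hypothetical allowlist: networks from which the Visual Composer endpoint
# may legitimately be reached. In most estates this list should be empty,
# because the endpoint should not be reachable at all.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]

# Assumption: NCSA Common Log Format
#   <ip> <ident> <user> [<time>] "<METHOD> <path> <proto>" <status> <size>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted_source(ip_text):
    """True only for addresses inside TRUSTED_NETS; hostnames are untrusted."""
    try:
        src = ip_address(ip_text)
    except ValueError:
        return False
    return any(src in net for net in TRUSTED_NETS)


def is_suspicious(entry):
    """Flag any request to the vulnerable endpoint from an untrusted source.

    The path is lower-cased and stripped of its query string so that case
    variations and decoy parameters do not evade the match. GET requests
    and 404 responses are flagged too: a GET is typical of reconnaissance,
    and a 404 from a patched or disabled endpoint still shows someone is
    probing for it.
    """
    path = entry["path"].split("?", 1)[0].lower()
    if path != VULNERABLE_PATH:
        return False
    return not is_trusted_source(entry["ip"])


def find_hits(lines):
    """Return the parsed entries that warrant investigation, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_suspicious(entry):
            hits.append(entry)
    return hits


# Constructed sample log: two probes from one external address, one
# legitimate internal upload, unrelated portal traffic, a mixed-case probe
# with a query string that drew a 404, and a malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:08:13:55 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2025:08:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.20.5.4 - - [12/Mar/2025:09:01:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2025:09:30:41 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.9 - - [12/Mar/2025:09:31:07 +0000] "POST /DevelopmentServer/MetadataUploader?x=1 HTTP/1.1" 404 0
this line is not an access log entry
"""


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Running the block prints the three external requests to the endpoint and silently drops the internal upload, the portal traffic, and the malformed line. In production, feed the function your web-server or reverse-proxy access logs, empty the allowlist unless you have a documented reason for the endpoint to be reachable, and pair the alert with a file-integrity check for new files under the NetWeaver Java application directories, since a successful upload is what turns a probe into a compromise.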
Read More: https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html