CVE-2025-31324 is a critical unauthenticated file-upload vulnerability (a missing authorization check on the Metadata Uploader) in SAP NetWeaver Visual Composer 7.x that lets attackers upload web shells and execute code remotely, leading to full system compromise. Active exploitation has been linked to a Chinese-speaking threat actor tracked as Chaya_004, which targets vulnerable SAP environments from a network of malicious infrastructure. #SAPNetWeaver #VisualComposer #Chaya004
Keypoints
- CVE-2025-31324 allows attackers to upload web shells via the /developmentserver/metadatauploader endpoint in SAP NetWeaver Visual Composer, enabling remote code execution.
- Scanning and exploitation attempts have been observed since at least April 29, 2025, including active scans against Forescout’s Adversary Engagement Environment (AEE).
- A Chinese-speaking threat actor, named Chaya_004, is strongly linked to the campaign, operating through infrastructure hosted mainly on Chinese cloud providers.
- Chaya_004’s infrastructure hosts SuperShell backdoors and multiple penetration-testing tools, and presents a distinctive self-signed TLS certificate impersonating Cloudflare on port 3232.
- Exploitation impacts include service disruption, information leakage, credential theft, lateral movement within SAP systems, and regulatory non-compliance risks.
- Forescout recommends immediate patching, restricting endpoint access, disabling unused services, monitoring anomalies, and ongoing security assessments to mitigate the threat.
- Forescout deployed multilayered detection and response capabilities across OT/eyeInspect, eyeFocus, and eyeAlert platforms to help defend against CVE-2025-31324 exploitation attempts.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers sent POST requests to the vulnerable Visual Composer endpoint to upload web shells (‘POST requests targeting the /developmentserver/metadatauploader endpoint’).
- [T1105] Ingress Tool Transfer – Use of curl commands to download further malicious payloads from external infrastructure (‘Use of curl to download further malicious payloads from external infrastructure’).
- [T1505.003] Server Software Component: Web Shell – Deployment of web shells such as helper.jsp, cache.jsp, and JSP files with randomized 8-letter names to maintain persistent access (‘Deployment of web shells, including files named helper.jsp, cache.jsp, and others with randomized 8-letter names’).
- [T1098] Account Manipulation – Potential credential interception and harvesting through manipulated SAP service endpoints (‘Manipulated service endpoints may be used to harvest user credentials or inject malicious content’).
- [T1021] Remote Services – Lateral movement within SAP components such as Gateway, Message Server, or HANA database (‘From Visual Composer, attackers can pivot toward more critical SAP components’).
Indicators of Compromise
- [IP Addresses] Scanning and exploitation activity – 130.131.160[.]24, 35.119.17[.]221, 13.228.100[.]218, 163.172.146[.]243, 47.97.42[.]177 (SuperShell host), 49.232.93[.]226 (malware distribution node), 8.210.65[.]56 (penetration testing platform).
- [Domains] Command and control infrastructure – search-email[.]com (used for C2 communication).
- [File Hashes] Malicious binaries involved in the campaign – config ELF binary: 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef; svchosts.exe malware: f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779.
- [Certificates] Unusual self-signed SSL certificate – Subject DN: C=US, O=Cloudflare, Inc, CN=:3232, used by Chaya_004 infrastructure servers.
- [File Names] Web shell payloads – helper.jsp, cache.jsp, and randomized 8-letter names like ssonkfrd.jsp.
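The indicators above can be turned into a first-pass log hunt. The following Python is an added example written for this page, not code from Forescout or the report: it scans web-server access logs for requests to the /developmentserver/metadatauploader endpoint (POST as an exploitation attempt, other methods as probing), for requests to the named web shells or to any 8-lowercase-letter .jsp file, and for the published source IPs. It assumes NCSA "combined" access-log lines (adjust LOG_RE for your reverse proxy or ICM log format); the sample log lines are constructed for the example, with the report's IOC addresses refanged from their published form.

```python
import re
from dataclasses import dataclass, field

# Indicators from the report, kept defanged as published and refanged for matching.
IOC_IPS = {
    ip.replace("[.]", ".")
    for ip in (
        "130.131.160[.]24", "35.119.17[.]221", "13.228.100[.]218",
        "163.172.146[.]243", "47.97.42[.]177", "49.232.93[.]226", "8.210.65[.]56",
    )
}
VULN_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_SHELL_NAMES = {"helper.jsp", "cache.jsp"}
# Randomised 8-letter JSP names such as ssonkfrd.jsp. This heuristic will also
# match any legitimate 8-letter JSP, so baseline it against your own application.
RANDOM_SHELL_RE = re.compile(r"[a-z]{8}\.jsp")

# NCSA "combined" access-log layout (assumption); adapt to your proxy or ICM log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the example; they are not log data from the report.
SAMPLE_LOG = """\
130.131.160.24 - - [29/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
35.119.17.221 - - [29/Apr/2025:10:01:40 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Apr/2025:10:02:01 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
47.97.42.177 - - [29/Apr/2025:10:03:44 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.9 - - [29/Apr/2025:10:05:10 +0000] "GET /irj/ssonkfrd.jsp HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.7 - - [29/Apr/2025:10:06:00 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    reasons: list = field(default_factory=list)


def analyze_line(line: str):
    """Return a Finding for a suspicious access-log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m["ip"], m["method"], m["path"]
    reasons = []
    path_no_query = path.split("?", 1)[0]
    # Any hit on the vulnerable endpoint is interesting; POST is the upload itself.
    if path_no_query.rstrip("/").lower() == VULN_ENDPOINT:
        reasons.append("metadatauploader-post" if method == "POST" else "metadatauploader-probe")
    # Web shell file names: the two named shells plus the 8-letter pattern.
    name = path_no_query.rsplit("/", 1)[-1].lower()
    if name in KNOWN_SHELL_NAMES or RANDOM_SHELL_RE.fullmatch(name):
        reasons.append("webshell-filename")
    # Source address on the published indicator list.
    if ip in IOC_IPS:
        reasons.append("ioc-source-ip")
    return Finding(ip, method, path, reasons) if reasons else None


def scan_log(text: str):
    """Scan a whole log body and return the list of Findings in log order."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.ip:16} {finding.method:5} {finding.path:45} {', '.join(finding.reasons)}")
```

Run it against your own access logs by reading the file into scan_log; a "metadatauploader-post" hit from an address outside your developer population is the line to triage first, and a "webshell-filename" hit with a 200 status should trigger a filesystem check of the served JSP.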