Chinese Threat Actors Exploit SAP Remote Code Execution Vulnerability CVE-2025-31324, Deploy Golang-Based SuperShell


A China-linked threat actor known as Chaya_004 has been identified exploiting a recently disclosed vulnerability in SAP NetWeaver.

Forescout Vedere Labs reported discovering malicious infrastructure likely associated with the group, which has been weaponizing CVE-2025-31324 (CVSS score 10.0) since April 29, 2025. The flaw is a missing authorization check in the Visual Composer Metadata Uploader component of SAP NetWeaver: an unauthenticated attacker can upload arbitrary files, including web shells, through the endpoint "/developmentserver/metadatauploader" and thereby achieve remote code execution (RCE).

The vulnerability was initially uncovered by ReliaQuest, which observed it being actively exploited in real-world attacks aimed at deploying web shells and the Brute Ratel C4 post-exploitation framework. These attacks have affected SAP systems across various sectors globally, including energy, utilities, manufacturing, media, entertainment, oil and gas, pharmaceuticals, retail, and governmental organizations.

Onapsis reported that reconnaissance activity targeting this vulnerability was detected as early as January 20, 2025, with successful deployments of web shells observed between March 14 and March 31. Mandiant, a Google-owned incident response firm, confirmed the first known exploitation occurred on March 12, 2025.

More recently, multiple threat actors have begun using the vulnerability to deploy web shells and mine cryptocurrency. Among them is Chaya_004, which has been observed hosting SuperShell, a Golang-based web reverse shell, on the IP address 47.97.42[.]177. Forescout's analysis found several other open ports on the same host, including 3232/HTTP, which served a self-signed certificate impersonating Cloudflare.

Further investigation revealed that Chaya_004 employs a range of tools across its infrastructure, including NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassist, GOSINT, and GO Simple Tunnel (GOST). The reliance on Chinese cloud providers and Chinese-language tooling points to a probable connection with actors operating out of China.

To mitigate the risk of such attacks, organizations should apply SAP's security patch for CVE-2025-31324 immediately, restrict network access to the vulnerable metadata uploader endpoint, and disable the Visual Composer service if it is not in use. Because exploitation began weeks before the vulnerability was disclosed, patching alone does not remove web shells that were already planted: defenders should also review web server and portal logs for POST requests to the uploader endpoint, hunt for unexpected JSP files in the NetWeaver web root, and monitor for connections to the infrastructure described above.
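The following is an added example, not code from the article or from Forescout, of the kind of log review the mitigation advice calls for. It runs a few detection rules over access-log lines: any POST to the metadata uploader endpoint is an exploit attempt (a 200 response suggests the upload succeeded), a non-POST request to that endpoint is treated as reconnaissance, any request from the IP named in the Forescout report is an indicator hit, and a request for a .jsp resource from a source that just POSTed to the uploader is flagged as likely web shell use. The log format, the time window, the classification names, and the sample lines are all constructed assumptions for this example, and the ".jsp shortly after an upload" rule is a generalization of the article's description of web shells being uploaded through the endpoint, not a detail the article states.

```python
import re
from collections import namedtuple
from datetime import datetime

# Endpoint named in the article and the C2 host reported by Forescout.
UPLOADER_PATH = "/developmentserver/metadatauploader"
IOC_IPS = {"47.97.42.177"}

# Assumed simplified Apache/NGINX-style access log format (an assumption of
# this example; adapt the regex to the real server's log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines for this example; not from any real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [30/Apr/2025:10:05:43 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.7 - - [30/Apr/2025:10:06:02 +0000] "GET /irj/root/x.jsp?cmd=whoami HTTP/1.1" 200 88
47.97.42.177 - - [30/Apr/2025:11:17:29 +0000] "GET /irj/portal HTTP/1.1" 302 0
203.0.113.10 - - [30/Apr/2025:11:20:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0
"""

Finding = namedtuple("Finding", "ts src kind detail")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    # Compare on the path alone; the query string is irrelevant to the rules.
    ev["path_only"] = ev["path"].split("?", 1)[0].lower()
    return ev


def analyze(log_text, window_s=600):
    """Apply the detection rules and return a list of Finding in log order."""
    findings = []
    last_upload_by_src = {}  # source IP -> time of its most recent uploader POST
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, path = ev["src"], ev["path_only"]
        request = f"{ev['method']} {ev['path']} -> {ev['status']}"

        # Rule 1: traffic from reported attacker infrastructure.
        if src in IOC_IPS:
            findings.append(Finding(ev["ts"], src, "ioc_ip", request))

        # Rule 2: the vulnerable endpoint should see no traffic on a hardened system.
        if path == UPLOADER_PATH:
            if ev["method"] == "POST":
                kind = "exploit_attempt_success" if ev["status"] == 200 else "exploit_attempt"
                last_upload_by_src[src] = ev["ts"]
            else:
                kind = "uploader_probe"
            findings.append(Finding(ev["ts"], src, kind, request))

        # Rule 3 (assumed generalization): a .jsp hit from a source that just
        # uploaded through the endpoint is consistent with web shell use.
        if path.endswith(".jsp") and src in last_upload_by_src:
            delta = (ev["ts"] - last_upload_by_src[src]).total_seconds()
            if 0 <= delta <= window_s:
                findings.append(Finding(ev["ts"], src, "webshell_use",
                                        f"{request} ({delta:.0f}s after uploader POST)"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.src:15} {f.kind:24} {f.detail}")
```

On the constructed sample the run yields four findings: a successful-looking upload, the .jsp request 19 seconds later from the same source, the request from the reported C2 host, and the GET probe of the endpoint. In a real review the third rule needs a much wider correlation (the operator of a web shell often comes from a different IP than the uploader), so treat it as a starting point rather than a complete detection.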

Onapsis CTO Juan Pablo "JP" Perez-Etchegoyen emphasized that the ongoing activity reported by Forescout is occurring in environments that have recently been patched, which increases the threat posed not only by opportunistic, less sophisticated actors but also by more sophisticated ones that are rapidly adapting to leverage existing compromises.