China-Linked Advanced Persistent Threats Exploit SAP Vulnerability CVE-2025-31324 to Compromise 581 Critical Systems Globally

A recently identified critical security vulnerability affecting SAP NetWeaver is currently being exploited by various nation-state actors with ties to China, posing a significant threat to essential infrastructure networks.

The vulnerability, tracked as CVE-2025-31324, is an unauthenticated file upload flaw that allows for remote code execution (RCE). Researchers have noted that this exploitation has been actively employed against various critical infrastructures, including natural gas distribution systems, water management facilities, and integrated waste management utilities in the UK, as well as medical device manufacturing plants, oil and gas exploration companies in the United States, and financial-regulatory ministries in Saudi Arabia.

Insights into these operations stem from a recently uncovered publicly exposed directory on compromised infrastructure. This directory contained event logs that captured a range of activities across multiple compromised systems, indicating ongoing malicious activity.

The cybersecurity firm EclecticIQ attributes these intrusions to multiple Chinese threat actor clusters, including UNC5221, UNC5174, and CL-STA-0048. Notably, CL-STA-0048 has been linked to cyber operations against high-value targets in South Asia, utilizing known vulnerabilities in public-facing web servers such as IIS, Apache Tomcat, and MS-SQL to deploy various forms of malware, including web shells and the PlugX backdoor.

Additionally, another unidentified threat actor linked to China is engaged in a widespread scanning and exploitation campaign specifically targeting SAP NetWeaver systems. Evidence from a server located at IP address “15.204.56[.]106” includes files that log compromised instances of SAP NetWeaver and a list of domains running the software. Specifically, one file recorded 581 instances that had been compromised and backdoored using web shells.

The compromised systems exhibit clear signs of targeted operations, such as the deployment of web shells designed to maintain persistent remote access and execute arbitrary commands. Observations indicate that three distinct Chinese hacking groups are leveraging this vulnerability to establish remote access, conduct reconnaissance, and deploy additional malicious software.

Noteworthy actions include:
– CL-STA-0048 attempting to establish a reverse shell to an identified IP address.
– UNC5221 using web shells to deploy KrustyLoader, a malware that facilitates second-stage payload delivery and command execution.
– UNC5174 utilizing a web shell to download SNOWLIGHT, which fetches a Go-based remote access trojan and a known backdoor.

Experts warn that Chinese APTs are highly likely to persist in targeting widely used enterprise applications and edge devices to secure long-term access to critical infrastructure networks globally.

The urgency of this situation has been underscored by a new report detailing that a separate Chinese threat actor, referred to as Chaya_004, has also exploited CVE-2025-31324 to deploy a Go-based reverse shell known as SuperShell.

For context, recent findings from Onapsis, a firm specializing in SAP security, indicate an uptick in activity from attackers who use public information about the flaw to carry out further exploitation and to leverage web shells set up by the initial attackers, who have since ceased activity.

Further analysis has revealed another serious vulnerability within NetWeaver’s Visual Composer Metadata Uploader component, designated as CVE-2025-42999 and assigned a CVSS score of 9.1. This deserialization vulnerability allows a privileged user to upload untrusted or malicious content.

Given the continued risk of exploitation, SAP NetWeaver customers are strongly advised to update their systems to the latest version promptly, thereby mitigating potential security threats.