Chinese Cyber Actors Target SAP NetWeaver Servers in Coordinated Attack


Forescout Vedere Labs security researchers have identified a series of ongoing attacks exploiting a critical vulnerability in SAP NetWeaver servers, attributed to a Chinese threat actor. This unauthenticated file upload vulnerability, tracked as CVE-2025-31324, was addressed by SAP with an emergency patch released on April 24, following its detection by cybersecurity firm ReliaQuest.

The exploitation of this vulnerability allows unauthenticated attackers to upload malicious files, enabling them to execute code remotely and potentially compromise entire systems. ReliaQuest’s investigation revealed that multiple organizations had their systems breached via unauthorized file uploads, with attackers deploying JSP web shells and the Brute Ratel red team tool post-exploitation. Notably, the compromised SAP NetWeaver servers were fully up to date at the time, indicating that a zero-day exploit was used.

This exploitation activity has been corroborated by other cybersecurity entities, including watchTowr and Onapsis, which confirmed the deployment of backdoors on unpatched instances. Mandiant also reported observations of such zero-day attacks as early as mid-March 2025, while Onapsis noted that its honeypot began recording reconnaissance and exploitation attempts from January 20.

The Shadowserver Foundation is currently monitoring 204 SAP NetWeaver servers that remain vulnerable to CVE-2025-31324, a significant exposure given the critical severity of the flaw. The situation is further compounded by statements from Onyphe’s CTO suggesting that approximately 20 Fortune 500 companies have systems at risk, with many already compromised.

Recent attacks dating from April 29 have been linked to a Chinese threat actor named Chaya_004, as identified by Forescout Vedere Labs. These attacks originated from IP addresses serving unusual self-signed TLS certificates that impersonate Cloudflare, many of them associated with Chinese cloud services such as Alibaba and Tencent. Tools used during these breaches, including a web-based reverse shell known as Supershell, suggest a strong link to Chinese-language development.

Forescout’s investigation uncovered infrastructure associated with Chaya_004, including server networks hosting Supershell backdoors and other penetration testing tools with known Chinese origins.

SAP administrators are urged to promptly update their NetWeaver systems, limit access to metadata uploader services, monitor for suspicious activities, and consider disabling the Visual Composer service where feasible. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog and has mandated that U.S. federal agencies secure their systems against these vulnerabilities by May 20, as per the requirements set forth in Binding Operational Directive 22-01.
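The monitoring advice above is easiest to act on with a concrete hunt. The following script is an added example, not code from the article or from any of the vendors it cites: it scans web-server access logs for the CVE-2025-31324 pattern, an unauthenticated POST to the NetWeaver metadata uploader followed, from the same client IP, by requests to a freshly dropped `.jsp` file (the JSP web shell stage described earlier). The uploader endpoint path, the combined-style log format and the sample log lines are all assumptions constructed for the example; confirm the exact endpoint for your release against SAP's advisory before deploying the check.

```python
"""Hunt access logs for the CVE-2025-31324 pattern: an uploader POST followed,
from the same client, by requests to a .jsp file (possible web shell)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: path of the Visual Composer metadata uploader. Verify it against
# SAP's advisory for CVE-2025-31324 for your NetWeaver release before relying on it.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-log-style line: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, ts (aware datetime), method, path (query stripped), status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_suspicious(log_text, window=timedelta(minutes=30)):
    """Correlate uploader POSTs with later .jsp requests from the same client IP.

    Severity: "high" when a 2xx uploader POST is followed within `window` by a
    .jsp request; "medium" when the POST succeeded but no follow-up was seen;
    "low" when every uploader POST was rejected (still worth review as recon).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        posts = [e for e in events if e["method"] == "POST" and e["path"] == UPLOADER_PATH]
        if not posts:
            continue
        succeeded = [p for p in posts if 200 <= p["status"] < 300]
        followups = []
        for p in succeeded:
            for e in events:
                if (e["path"].lower().endswith(".jsp")
                        and p["ts"] <= e["ts"] <= p["ts"] + window
                        and e["path"] not in followups):
                    followups.append(e["path"])
        severity = "high" if followups else ("medium" if succeeded else "low")
        findings.append({
            "ip": ip,
            "uploader_posts": len(posts),
            "jsp_followups": followups,
            "severity": severity,
        })
    return findings


# Constructed sample log (not real traffic): one client hits the uploader and then
# requests a .jsp; another is rejected at the uploader; a third only browses the portal.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [29/Apr/2025:10:05:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.7 - - [29/Apr/2025:10:06:02 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
203.0.113.10 - - [29/Apr/2025:10:07:30 +0000] "GET /irj/portal/logon.jsp HTTP/1.1" 200 9120
192.0.2.55 - - [29/Apr/2025:10:09:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['ip']:15} "
              f"uploader POSTs={f['uploader_posts']} jsp={f['jsp_followups']}")
```

Note that a `.jsp` request on its own is not flagged (the portal client above fetches a login page without consequence); only the sequence uploader POST, then `.jsp` from the same source raises the severity to high. Rejected POSTs are still reported at low severity, which is useful after applying the access restrictions the article recommends: they show who is still probing the endpoint.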

CISA has cautioned that such vulnerabilities frequently serve as attack vectors for malicious cyber actors, posing substantial risks to enterprise security.