Chinese hackers tiresome attacks focusing on SAP NetWeaver servers
Private investigator
Forescout Vedere Labs security researchers have linked ongoing attacks focusing on a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
SAP launched an out-of-band emergency patch on April 24 to handle this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the vulnerability being focused in attacks.
A hit exploitation enables unauthenticated attackers to upload malicious recordsdata with out logging in, allowing them to originate far away code execution and doubtlessly main to complete gadget compromise.
ReliaQuest reported that a pair of customers’ programs had been breached through unauthorized file uploads on SAP NetWeaver, with the threat actors uploading JSP web shells to public directories, as successfully as the Brute Ratel red team tool within the submit-exploitation segment of their attacks. The compromised SAP NetWeaver servers had been absolutely patched, indicating that the attackers inclined a 0-day exploit.
This exploitation exercise became once also confirmed by other cybersecurity corporations, including watchTowr and Onapsis, who also confirmed the attackers had been uploading web shell backdoors on unpatched instances exposed online.
Mandiant also seen CVE-2025-31324 zero-day attacks dating abet to on the least mid-March 2025, while Onapsis updated its long-established document to hiss its honeypot first captured reconnaissance exercise and payload sorting out since January 20, with exploitation attempts initiating on February 10.
Onyphe CTO Patrice Auffret also told BleepingComputer in slack April that “Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” including that on the time, there had been 1,284 inclined instances exposed online, 474 of which had been already compromised.
Vulnerable SAP NetWeaver instances exposed online (Shadowserver Foundation)
Private investigator Attacks linked to Chinese hackers
More most recent attacks on April 29 had been linked to a Chinese threat actor tracked by Forescout’s Vedere Labs as Chaya_004.
These attacks had been launched from IP addresses the employ of anomalous self-signed certificates impersonating Cloudflare, many of them belonging to Chinese cloud suppliers (e.g., Alibaba, Shenzhen Tencent, Huawei Cloud Provider, and China Unicom).
The attacker also deployed Chinese-language tools at some level of the breaches, including an online-based fully mostly reverse shell (SuperShell) developed by a Chinese-speaking developer.
“As part of our investigation into active exploitation of this vulnerability, we uncovered malicious infrastructure likely belonging to a Chinese threat actor, which we are currently tracking as Chaya_004 – following our convention for unnamed threat actors,” Forescout stated.
“The infrastructure includes a network of servers hosting Supershell backdoors, often deployed on Chinese cloud providers, and various pen testing tools, many of Chinese origin.”
SAP admins are advised to correct away patch their NetWeaver instances, limit salvage admission to to metadata uploader products and providers, video display for suspicious exercise on their servers, and wait on in mind disabling the Visual Composer provider if that it’s good to well perhaps factor in.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
