A China-linked threat actor, identified as Chaya_004, has been observed exploiting a critical vulnerability in SAP NetWeaver that was disclosed earlier this year. According to a recent report from Forescout Vedere Labs, the group has been leveraging CVE-2025-31324, a critical flaw with a CVSS score of 10.0, since April 29, 2025, to gain unauthorized access to vulnerable systems.
The vulnerability, CVE-2025-31324, enables remote code execution (RCE) via the /developmentserver/metadatauploader endpoint, allowing attackers to upload web shells and execute malicious commands. The flaw was first identified by ReliaQuest in late April 2025, when researchers detected its exploitation in real-world attacks. These attacks primarily involved the dropping of web shells and the Brute Ratel C4 post-exploitation framework.
Widespread Exploitation Across Industries
Onapsis, a company specializing in SAP security, reported that hundreds of SAP systems across various industries have fallen victim to this attack. Targeted sectors include energy, utilities, manufacturing, media, pharmaceuticals, retail, and government organizations. The firm also discovered reconnaissance activity as early as January 20, 2025, when threat actors were probing the vulnerability with specific payloads. The successful deployment of web shells was observed between March 14 and March 31, 2025, with significant exploitation continuing into April.
Mandiant, a Google-owned cybersecurity firm, also confirmed that attacks linked to this vulnerability were active as early as March 12, 2025, further highlighting the severity of the issue.
The Chaya_004 group is among several threat actors who have rapidly adopted this attack vector. Forescout’s researchers revealed that the group is hosting a web-based reverse shell called SuperShell, which is written in Golang, on the IP address 47.97.42[.]177. This server also hosts various other tools, such as NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel, which are commonly used for post-exploitation activities.
Forescout also discovered an anomalous self-signed certificate on the same IP address, impersonating Cloudflare and served on port 3232/HTTP. The certificate carried the subject distinguished name (DN) Subject DN: C=US, O=Cloudflare, Inc, CN=:3232, which raised suspicions about the server’s authenticity.
Indicators of China-Based Operation
The infrastructure and tools linked to Chaya_004 point to a China-based threat actor. The use of Chinese cloud providers and several Chinese-language tools further strengthens the belief that this group is operating out of China.
Urgent Steps for Mitigation
To mitigate the risk of exploitation, users of SAP NetWeaver are strongly advised to immediately apply patches for CVE-2025-31324. Additionally, it is crucial to restrict access to the vulnerable metadata uploader endpoint and disable the Visual Composer service if not in use. Organizations should also monitor their systems for signs of suspicious activity, especially any attempts to deploy web shells.
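The monitoring step above can be turned into a concrete log check. The following Python script is an added example, not code from the article or from any of the vendors it cites: it parses web-server access logs in combined format, flags every request to the /developmentserver/metadatauploader endpoint named in the advisories (including denied ones, which still show probing), and then flags any later request for a .jsp resource from the same source address as a possible web shell access. The log lines, IP addresses (RFC 5737 documentation ranges) and the .jsp path are constructed for the example; the real web shell filenames used in these attacks are not stated on the page and are not assumed here.

```python
import re

# Endpoint named in the advisories as the CVE-2025-31324 vector (from the article).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample access log in combined format. The IPs are RFC 5737
# documentation addresses and every request is invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:15:32 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:10:16:01 +0000] "GET /irj/portal HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Apr/2025:10:16:45 +0000] "GET /irj/servlet_jsp/irj/root/sample.jsp HTTP/1.1" 200 128 "-" "curl/8.0"
192.0.2.55 - - [29/Apr/2025:10:17:12 +0000] "POST /DEVELOPMENTSERVER/METADATAUPLOADER?x=1 HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [29/Apr/2025:10:18:40 +0000] "GET /irj/portal/help.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and lowercase the path so that a filter written for
    # the lowercase form does not miss differently-cased requests to the same endpoint.
    rec["norm_path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def find_uploader_requests(log_text):
    """Every request to the metadata uploader endpoint, regardless of method or status.

    A 403 or 404 still matters: it shows a client probing the endpoint, which is
    the reconnaissance pattern the article describes preceding exploitation.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["norm_path"] == UPLOADER_PATH:
            hits.append(rec)
    return hits


def find_jsp_followups(log_text):
    """Requests for .jsp resources from a client that earlier hit the uploader.

    The uploader endpoint is used to drop web shells, so a JSP fetched by the
    same client after an uploader request deserves a manual look.
    """
    suspects = set()
    followups = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["norm_path"] == UPLOADER_PATH:
            suspects.add(rec["ip"])
        elif rec["ip"] in suspects and rec["norm_path"].endswith(".jsp"):
            followups.append(rec)
    return followups


if __name__ == "__main__":
    for rec in find_uploader_requests(SAMPLE_LOG):
        print(f"uploader hit: {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    for rec in find_jsp_followups(SAMPLE_LOG):
        print(f"possible web shell access: {rec['ip']} {rec['method']} {rec['path']}")
```

Against the constructed sample the script reports two uploader hits (one successful POST and one denied, differently-cased probe) and one JSP follow-up from the client that made the successful upload. On a real system, read the access log of the Java stack's HTTP provider or the reverse proxy in front of it instead of SAMPLE_LOG, and treat any hit on the endpoint after the patch or after the endpoint was restricted as a reason to look for a pre-existing compromise, which is the post-patch scenario Onapsis warns about.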
Onapsis’ CTO, Juan Pablo JP Perez-Etchegoyen, warned that the activity identified by Forescout is part of post-patch exploitation. This means that while the vulnerability may have been patched, threat actors could leverage existing compromises to expand their access and deploy additional malicious tools.
The continued exploitation of CVE-2025-31324 underscores the growing sophistication of threat actors targeting SAP systems. As more attackers jump on the bandwagon, organizations must prioritize patching vulnerabilities and monitoring for any unusual activity to protect their critical infrastructure from these evolving threats.