
CVE-2025-31324 Vulnerability

Security researchers have linked a China-affiliated threat actor, dubbed Chaya_004, to the exploitation of a critical SAP NetWeaver vulnerability identified as CVE-2025-31324. Carrying the maximum CVSS score of 10.0, this flaw permits attackers to achieve remote code execution (RCE) by uploading malicious web shells via the vulnerable /developmentserver/metadatauploader endpoint.

This vulnerability first gained attention in late April 2025, when infosec teams discovered it being actively exploited in the wild. Attackers have been using it to deploy web shells and post-exploitation tools like Brute Ratel C4.

The Fallout: Industries in the Crosshairs

Since March 2025, this vulnerability has been widely abused across various industries and geographies. Initial exploitation is believed to have occurred as early as March 12, with confirmed successful intrusions taking place between March 14 and March 31.

The compromised sectors include:

  • Energy and utilities
  • Manufacturing
  • Media and entertainment
  • Oil and gas
  • Pharmaceuticals
  • Retail and government organizations

These widespread attacks point to a global campaign, potentially affecting hundreds of SAP systems.

Inside the Harmful Infrastructure

Threat actor Chaya_004 has been at the forefront of these campaigns, hosting a Web-based reverse shell called SuperShell on IP address 47.97.42[.]177. This infrastructure also revealed other suspicious elements:

  • Port 3232/HTTP, serving a self-signed certificate mimicking Cloudflare
  • Multiple Chinese-language tools and services hosted through Chinese cloud providers

Malware tools associated with the group include:

  • NPS (Network Policy Server): This tool is often used to manage network access policies. Attackers can exploit it to manipulate network traffic, potentially enabling unauthorized access or disrupting communication.
  • SoftEther VPN: A versatile, open-source VPN software that can be misused by attackers to bypass network security and establish encrypted connections to remote systems, aiding in stealthy data exfiltration or lateral movement within compromised networks.
  • Cobalt Strike: A widely known post-exploitation tool used for advanced persistent threats. It allows attackers to simulate real-world cyberattacks, giving them the ability to control and exploit compromised machines covertly.
  • Asset Reconnaissance Lighthouse (ARL): A reconnaissance tool that helps attackers map out network assets, identify vulnerabilities, and gain insights into potential targets within a network, aiding in more effective and focused attacks.
  • Pocassist: A tool designed to assist in the creation and exploitation of proof-of-concept (PoC) exploits, helping attackers automate the process of testing vulnerabilities and executing targeted exploits.
  • GOSINT: A tool used for open-source intelligence (OSINT) gathering, which helps attackers collect publicly available information to aid in reconnaissance, such as employee data, network details, or other sensitive information that can be leveraged in attacks.
  • GO Simple Tunnel: A simple tunneling tool used by attackers to bypass firewalls and other network security measures, creating encrypted tunnels that can be used to move traffic undetected or access restricted systems.

This sophisticated toolkit, coupled with the use of Chinese infrastructure, strongly indicates a threat actor operating from China.

Staying Ahead: Defense Strategies against Ongoing Exploitation

Although security patches have been issued, malicious activity persists even after patching, indicating that previously deployed web shells are being repurposed and extended by a broad spectrum of attackers, from opportunists to highly skilled adversaries. In this evolving threat environment, organizations must implement comprehensive remediation measures, which include the prompt application of official SAP updates, the careful restriction of access to vulnerable endpoints, and the deactivation of non-essential services such as Visual Composer.

Additionally, maintaining heightened vigilance through continuous system and log monitoring for anomalous behavior remains essential. These defensive efforts are vital to curbing the potential for further compromise and safeguarding the operational integrity of SAP infrastructures.
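As an added example that is not part of this Threat Database entry, the script below shows what the "continuous system and log monitoring" recommended above can look like in practice for this vulnerability. It flags the two concrete indicators the entry gives: requests to the /developmentserver/metadatauploader endpoint (a successful POST is the strongest signal, since that is how the web shells were uploaded) and connections to the reported SuperShell host 47.97.42[.]177, with its port 3232 service. The access-log and connection-log formats, the parser for them, and every sample line are constructed for this example; the endpoint path, IP address and port are the values stated in the entry.

```python
"""Log review for CVE-2025-31324 indicators.

Added example, not code from the original entry. The log formats and
sample lines are constructed; the endpoint, host and port come from the entry.
"""
import re
from dataclasses import dataclass

UPLOADER_PATH = "/developmentserver/metadatauploader"  # vulnerable endpoint (from the entry)
SUPERSHELL_HOST = "47.97.42.177"                        # SuperShell host (entry gives 47.97.42[.]177)
SUPERSHELL_PORT = 3232                                   # self-signed-cert HTTP service (from the entry)

# Constructed combined-log-style access line: client, timestamp, request, status, size
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Constructed firewall/proxy connection line: "timestamp src -> dst:port"
CONN_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$')


@dataclass
class Finding:
    ts: str
    source: str
    reason: str


def review_access_log(lines):
    """Flag every request that touches the metadata uploader endpoint.

    Any hit deserves review: once the SAP fix is applied (or Visual Composer is
    disabled) nothing legitimate should be calling this path from untrusted
    networks. A POST answered with 200 is rated 'high' because a successful
    upload is the deployment step for the web shells; anything else is 'review'.
    """
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # not an access-log line we understand
        path = m.group("path").split("?", 1)[0].lower()  # ignore query string
        if not path.startswith(UPLOADER_PATH):
            continue
        method, status = m.group("method"), m.group("status")
        severity = "high" if method == "POST" and status == "200" else "review"
        findings.append(Finding(m.group("ts"), m.group("client"),
                                f"{severity}: {method} {path} -> {status}"))
    return findings


def review_connection_log(lines):
    """Flag every outbound connection to the reported SuperShell host.

    The port 3232 service is called out explicitly; other ports on the same
    host are still flagged because the host itself is the indicator.
    """
    findings = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m or m.group("dst") != SUPERSHELL_HOST:
            continue
        port = int(m.group("port"))
        note = "reported SuperShell port" if port == SUPERSHELL_PORT else "other port on reported host"
        findings.append(Finding(m.group("ts"), m.group("src"),
                                f"high: connection to {SUPERSHELL_HOST}:{port} ({note})"))
    return findings


# Constructed sample data; the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses.
SAMPLE_ACCESS = """\
10.0.0.5 - - [14/Mar/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.9 - - [14/Mar/2025:09:13:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.9 - - [14/Mar/2025:09:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
10.0.0.7 - - [14/Mar/2025:09:15:10 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12
""".splitlines()

SAMPLE_CONN = """\
2025-03-14T09:20:00Z 10.0.0.12 -> 198.51.100.4:443
2025-03-14T09:21:13Z 10.0.0.12 -> 47.97.42.177:3232
2025-03-14T09:22:40Z 10.0.0.12 -> 47.97.42.177:443
""".splitlines()


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_ACCESS) + review_connection_log(SAMPLE_CONN):
        print(f"{f.ts}  {f.source}  {f.reason}")
```

Run against the constructed samples it reports the successful POST to the uploader as high, the 403'd GET as needing review, and both connections to the SuperShell host. To use it on real data, feed it your web-server or SAP ICM access log and your firewall or proxy connection log after adapting the two regular expressions to those formats; the endpoint and host checks themselves do not change.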
