A China-based threat actor, identified as Chaya_004, has been found to be exploiting a recently disclosed vulnerability in SAP NetWeaver.
According to a report by Forescout Vedere Labs, published today, a malicious infrastructure linked to the hacking group has been utilizing the CVE-2025-31324 vulnerability (with a CVSS score of 10.0) since April 29, 2025.
CVE-2025-31324 is a critical vulnerability in SAP NetWeaver that allows attackers to achieve remote code execution (RCE) by uploading web shells through a vulnerable “/developmentserver/metadatauploader” endpoint.
The vulnerability was initially reported by ReliaQuest last month, when it was discovered being exploited in real-world attacks by unknown threat actors to deploy web shells and the Brute Ratel C4 post-exploitation framework.
Onapsis has reported that hundreds of SAP systems worldwide have been compromised, affecting various industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
Onapsis, an SAP security firm, reported that it observed reconnaissance activity, including “testing with specific payloads against this vulnerability” on its honeypots as far back as January 20, 2025. Successful compromises were observed between March 14 and March 31, resulting in the deployment of web shells.
Google-owned Mandiant, which is involved in incident response efforts related to these attacks, has evidence of exploitation occurring on March 12, 2025.
Multiple threat actors have since begun exploiting the flaw against unpatched systems, deploying web shells and even cryptocurrency miners.
Chaya_004 has been found to be hosting a web-based reverse shell written in Golang called SuperShell on the IP address 47.97.42[.]177. Forescout extracted the IP address from an ELF binary named config used in the attack.
“On the same IP address hosting Supershell (47.97.42[.]177), we also identified several other open ports, including 3232/HTTP using an anomalous self-signed certificate impersonating Cloudflare with the following properties: Subject DN: C=US, O=Cloudflare, Inc, CN=:3232,” Forescout researchers Sai Molige and Luca Barba said.
Further analysis has revealed that the threat actor is hosting various tools across its infrastructure, including NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.
“The use of Chinese cloud providers and several Chinese-language tools suggests that the threat actor is likely based in China,” the researchers added.
To protect against these attacks, administrators should apply the SAP patches as soon as possible, restrict access to the metadata uploader endpoint, disable the Visual Composer service if it is not in use, and monitor for suspicious activity.
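The monitoring advice above can be turned into a simple log check. The script below is an added example, not part of the article or any vendor tooling: it scans front-end access logs in the common combined format for requests to the /developmentserver/metadatauploader path named in the article and flags POSTs that the server accepted. The sample log lines are constructed (RFC 5737 addresses), and the assumption that an upload appears as a POST answered with a 2xx status is the author's, not something the article states.

```python
import re
from dataclasses import dataclass

# Servlet path named in the article; once patched or access-restricted,
# any request that still reaches it is worth a look.
WATCHED_PATH = "/developmentserver/metadatauploader"

# Apache/nginx combined log format (assumed front-end log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    status: int

def scan(lines):
    """Return every logged request whose path is the watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Compare the path component only: drop any query string, trailing
        # slash and letter case so trivially varied requests are not missed.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path == WATCHED_PATH:
            hits.append(Hit(m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

def accepted_uploads(hits):
    """POST requests answered 2xx: the server accepted what was sent (assumption)."""
    return [h for h in hits if h.method == "POST" and 200 <= h.status < 300]

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Apr/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Apr/2025:10:03:45 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.9 - - [29/Apr/2025:10:03:52 +0000] "POST /developmentserver/metadatauploader?v=1 HTTP/1.1" 200 0',
    '203.0.113.9 - - [29/Apr/2025:10:04:10 +0000] "POST /DevelopmentServer/MetadataUploader/ HTTP/1.1" 403 0',
    '198.51.100.7 - - [29/Apr/2025:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} -> {h.status}")
    print(f"{len(accepted_uploads(found))} accepted upload(s) to review")
```

Point it at a real access log by replacing SAMPLE_LOG with the file's lines; a non-empty result after the patch and access restriction is a signal to check the host for a dropped web shell.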
Onapsis CTO Juan Pablo "JP" Perez-Etchegoyen told The Hacker News that the activity highlighted by Forescout is post-patch, and that it “will further expand the threat of leveraging deployed web shells not only to opportunistic (and potentially less sophisticated) threat actors, but also more advanced ones seem to have been rapidly reacting to this issue to leverage the existing compromises and further expand.”