SAP NetWeaver Servers Targeted by Chinese Hackers Using CVE-2025-31324 Zero-Day
A critical vulnerability in SAP NetWeaver Visual Composer is under active exploitation by a Chinese-linked threat actor, tracked as Chaya_004 by Forescout’s Vedere Labs. The flaw, CVE-2025-31324, allows unauthenticated file uploads, leading to remote code execution and potential full system compromise.
SAP issued an out-of-band patch on April 24, following initial detection by ReliaQuest of real-world exploitation. Despite patch availability, many systems remain exposed or already compromised.
Zero-Day Exploitation Confirmed Across Multiple Enterprises
Security researchers, including ReliaQuest, watchTowr, Mandiant, and Onapsis, confirmed exploitation of SAP NetWeaver servers through unauthorized uploads of JSP web shells and post-exploitation tools such as Brute Ratel.
Mandiant traced zero-day activity back to mid-March 2025, while Onapsis observed early reconnaissance as far back as January 20 and exploitation beginning February 10.
“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised.”
— Patrice Auffret, CTO, Onyphe
The Shadowserver Foundation is currently tracking 204 exposed SAP NetWeaver servers, and Onyphe identified 1,284 vulnerable instances, of which 474 were already compromised.
Attacks Attributed to Chinese Threat Actor Chaya_004
Forescout Vedere Labs attributed the most recent wave of attacks, including those on April 29, to Chaya_004. Indicators include:
- Use of self-signed certificates impersonating Cloudflare
- Hosting on Chinese cloud providers (Alibaba, Tencent, Huawei, China Unicom)
- Deployment of Chinese-language tools, including SuperShell, a web-based reverse shell
“The infrastructure includes a network of servers hosting Supershell backdoors, often deployed on Chinese cloud providers.”
— Forescout Vedere Labs
U.S. Federal Agencies Ordered to Patch by May 20
CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, mandating that federal agencies secure their systems by May 20 under Binding Operational Directive (BOD) 22-01.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
— CISA
Mitigation and Remediation Measures for SAP Administrators
Enterprises running SAP NetWeaver are urged to act immediately. Recommended actions include:
- Apply SAP’s emergency patch for CVE-2025-31324
- Restrict access to metadata uploader services
- Monitor for suspicious activity, including unexpected file uploads or shell execution
- Disable Visual Composer, if operationally feasible
Enterprises are advised to audit exposed NetWeaver instances and review access logs for signs of compromise.
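To make the log-review step concrete, the following added example (not from the article or from any vendor) scans web access-log lines in combined format for two of the signals the article describes: POST requests to the metadata uploader and requests for JSP files that are not part of a known baseline, correlating the two when they come from the same source. It assumes the uploader endpoint path contains the substring `metadatauploader` (taken from the article's wording; confirm the exact path against SAP's advisory for your release), and the baseline set and the sample log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Combined-format access log line (Apache/NGINX style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: the uploader endpoint path contains this substring.
UPLOADER_MARKER = "metadatauploader"
# Assumption: JSP paths that are legitimately served by this instance (baseline).
KNOWN_JSP = {"/irj/portal/index.jsp"}

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:02 +0000] "POST /visualcomposer/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512
203.0.113.7 - - [29/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [29/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.4 - - [29/Apr/2025:10:05:03 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 2048
"""

@dataclass
class Finding:
    ip: str
    ts: str
    reason: str
    path: str

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(lines, known_jsp=KNOWN_JSP):
    """Flag uploader POSTs and requests for JSP files outside the baseline."""
    findings = []
    uploader_sources = set()  # source IPs that posted to the uploader earlier in the log
    for line in lines:
        rec = parse_line(line.strip())
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop the query string
        if rec["method"] == "POST" and UPLOADER_MARKER in path:
            uploader_sources.add(rec["ip"])
            findings.append(Finding(rec["ip"], rec["ts"], "POST to metadata uploader", path))
        elif path.endswith(".jsp") and path not in known_jsp:
            reason = "request for JSP not in baseline"
            if rec["ip"] in uploader_sources:
                reason += " from a source that posted to the uploader"
            findings.append(Finding(rec["ip"], rec["ts"], reason, path))
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} {f.path}: {f.reason}")
```

Run it against a real access log by passing the file's lines to `scan_access_log`; a baseline-miss JSP following an uploader POST from the same source is the pattern that most warrants a full compromise review.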