A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
“Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE),” EclecticIQ researcher Arda Büyükkaya said in an analysis published today.
Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation.
The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure (“15.204.56[.]106”) that contained event logs capturing the activities across multiple compromised systems.
The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor.
It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. The server hosted at the IP address “15.204.56[.]106” has been found to contain multiple files, including –
- “CVE-2025-31324-results.txt,” which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell
- “服务数据_20250427_212229.txt,” which lists 800 domains running SAP NetWeaver likely for future targeting
“The exposed open-dir infrastructure reveals confirmed breaches and highlights the group’s planned targets, offering clear insight into both past and future operations,” Büyükkaya noted.
The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands.
In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs –
- CL-STA-0048, which has attempted to establish an interactive reverse shell to “43.247.135[.]53,” an IP address previously identified as used by the threat actor
- UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands
- UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE
“China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally,” Büyükkaya said.
“Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities.”
SAP Patches New NetWeaver Flaw in May 2025 Patch
The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell.
SAP security firm Onapsis said it is “seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark.”
Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver’s Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content.
In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible.
