Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell

The Hacker News by The Hacker News
May 9, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


May 09, 2025Ravie LakshmananVulnerability / Industrial Security

A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.

Forescout Vedere Labs, in a report published today, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.

CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible “/developmentserver/metadatauploader” endpoint.

The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework.

Cybersecurity

According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.

The SAP security firm said it observed reconnaissance activity that involved “testing with specific payloads against this vulnerability” against its honeypots as far back as January 20, 2025. Successful compromises in deploying web shells were observed between March 14 and March 31.

Google-owned Mandiant, which is also engaged in incident response efforts related to these attacks, has evidence of exploitation occurring on March 12, 2025.

In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency.

This, per Forescout, also includes Chaya_004, which has hosted a web-based reverse shell written in Golang called SuperShell on the IP address 47.97.42[.]177. The operational technology (OT) security company said it extracted the IP address from an ELF binary named config that was put to use in the attack.

“On the same IP address hosting Supershell (47.97.42[.]177), we also identified several other open ports, including 3232/HTTP using an anomalous self-signed certificate impersonating Cloudflare with the following properties: Subject DN: C=US, O=Cloudflare, Inc, CN=:3232,” Forescout researchers Sai Molige and Luca Barba said.

Cybersecurity

Further analysis has uncovered the threat actor has to be hosting various tools across infrastructure: NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.

“The use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China,” the researchers added.

To defend against attacks, it’s essential that users apply the patches as soon as possible, if not already, restrict access to the metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor for suspicious activity.

Onapsis CTO Juan Pablo JP Perez-Etchegoyen told The Hacker News that the activity highlighted by Forescout is post-patch, and that it “will further expand the threat of leveraging deployed web shells not only to opportunistic (and potentially less sophisticated) threat actors, but also more advanced ones seem to have been rapidly reacting to this issue to leverage the existing compromises and further expand.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Nordic countries plan offline payment system for disaster backup | Computer Weekly

Nordic countries plan offline payment system for disaster backup | Computer Weekly

Recommended.

Firstup Named a Leader in 2025 Gartner® Magic Quadrant™ for Intranet Packaged Solutions

Firstup Named a Leader in 2025 Gartner® Magic Quadrant™ for Intranet Packaged Solutions

October 14, 2025
CIOs must tackle the global tech debt crisis

CIOs must tackle the global tech debt crisis

January 3, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio