Threat Analysis: Chinese Threat Actor Exploits Critical SAP Vulnerability (CVE-2025-31324) in the Wild


In an alarming development that underscores the persistent targeting of enterprise-critical systems, CVE-2025-31324, a critical deserialization vulnerability in SAP NetWeaver Visual Composer, has been actively exploited in the wild. Security analysts have attributed this activity to a sophisticated Chinese threat actor, provisionally designated Chaya_004. The vulnerability enables unauthenticated remote code execution (RCE) and has seen both opportunistic scanning and targeted exploitation since April 29, 2025. Given SAP’s role in powering critical business operations across the globe, the implications of this exploit are severe for industries from manufacturing to finance.

This article offers a deep dive into the technical vectors of CVE-2025-31324, a breakdown of the associated threat actor infrastructure, and mitigation strategies for security teams tasked with protecting SAP environments.

Understanding CVE-2025-31324: A High-Impact SAP Zero-Day

SAP NetWeaver Visual Composer is a web-based application design tool that integrates with major SAP platforms like CRM, SRM, and SCM. The vulnerability, discovered in version 7.x, exists in the /developmentserver/metadatauploader endpoint. Due to improper input validation during object deserialization, attackers can upload and execute web shells on exposed systems. Key traits of this attack include:

  • Unauthenticated access to the vulnerable endpoint.
  • Upload of malicious .jsp web shells, either with fixed names such as helper.jsp or with random ones (e.g., ssonkfrd.jsp).
  • Use of curl to retrieve second-stage payloads from attacker infrastructure.
  • Potential for full system takeover, including lateral movement to HANA databases or SAP Gateways.

The vulnerability was promptly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reflecting the urgency of the threat.

Campaign Discovery and Attribution: The Rise of Chaya_004

Security telemetry and honeypot data from Forescout’s Adversary Engagement Environment (AEE) revealed:

  • Active scans for the vulnerable endpoint beginning April 29, 2025.
  • 37 unique IPs, mostly from a Microsoft ASN, targeting /developmentserver/metadatauploader.
  • 14 IPs scanning for /irj/*.jsp, a pattern used post-compromise to find systems that are already infected.

The threat infrastructure was linked to Chaya_004, a Chinese-affiliated actor group. Findings include:

  • Hosting of SuperShell, a web-based reverse shell tool developed by a Chinese speaker, at http://47.97.42[.]177:8888/supershell/login.
  • Additional infrastructure discovered using Censys and FOFA, revealing:
    • 114 IPs sharing anomalous TLS certs impersonating Cloudflare.
    • Heavy presence across Alibaba, Tencent, Huawei, and China Unicom cloud services.
    • Use of ports like 3232, 443, 2096, and 22 to maintain access and control.
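The Cloudflare-impersonating certificates above are found by pivoting on subject fields rather than on any single host. The following is an added example, not Forescout's tooling or anything from the article: it parses the subject string as exported by Censys/FOFA or printed by `openssl x509 -noout -subject`, and flags a CN that is not a plausible hostname, a CN carrying a port suffix, and an O= field that names a brand without the CN belonging to that brand's domains. The brand-to-domain allowlist and the second and third sample subjects are constructed for the example; the first sample is the subject string from the IoC list below.

```python
"""Flag TLS certificate subjects that impersonate a well-known organisation.

Added example (not from the article or Forescout). It works on subject
strings as exported by certificate search engines or printed by
`openssl x509 -noout -subject`, so it runs offline on constructed input.
"""
import ipaddress
import re
from typing import Dict, List

# Brands whose presence in O= is suspicious when the CN is not one of their
# domains. Constructed allowlist for the example; extend for your environment.
IMPERSONATED_ORGS = {"cloudflare": ("cloudflare.com", "cloudflare-dns.com")}

# Loose RFC 1123 hostname-label check, good enough for triage.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse 'C=US, O=Cloudflare, Inc, CN=:3232' into {'C': 'US', 'O': 'Cloudflare, Inc', 'CN': ':3232'}.

    Handles both the comma-separated and the older slash-separated openssl
    layouts. A comma inside a value (as in 'Cloudflare, Inc') produces a
    fragment with no '=', which is glued back onto the previous value.
    """
    subject = re.sub(r"^subject\s*=\s*", "", subject.strip())
    if subject.startswith("/"):
        fragments = subject[1:].split("/")
    else:
        fragments = subject.split(",")
    rdns: Dict[str, str] = {}
    last_key = None
    for fragment in fragments:
        fragment = fragment.strip()
        key_part = fragment.split("=", 1)[0].strip()
        if "=" in fragment and key_part.isalpha():
            last_key = key_part.upper()
            rdns[last_key] = fragment.split("=", 1)[1].strip()
        elif last_key is not None:
            rdns[last_key] = f"{rdns[last_key]}, {fragment}"
    return rdns


def is_plausible_hostname(name: str) -> bool:
    """True if the CN looks like a DNS name, a wildcard name or an IP address."""
    if not name:
        return False
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 1 and all(_LABEL.match(lbl) for lbl in labels)


def assess_subject(subject: str) -> List[str]:
    """Return anomaly tags for one certificate subject (empty list = nothing odd)."""
    rdns = parse_subject(subject)
    cn = rdns.get("CN", "")
    org = rdns.get("O", "").lower()
    findings: List[str] = []
    if not is_plausible_hostname(cn):
        findings.append("cn-not-hostname")
    if re.search(r":\d{1,5}$", cn):
        findings.append("cn-contains-port")
    for brand, domains in IMPERSONATED_ORGS.items():
        owned = any(cn.lower() == d or cn.lower().endswith("." + d) for d in domains)
        if brand in org and not owned:
            findings.append(f"org-impersonates-{brand}")
    return findings


# Constructed samples: the first is the subject string from the article's IoC
# list, the other two are made up as benign controls.
SAMPLE_SUBJECTS = [
    "C=US, O=Cloudflare, Inc, CN=:3232",
    "C=US, O=Cloudflare, Inc, CN=*.cloudflare.com",
    "/C=DE/O=Example GmbH/CN=sap-prd.example.com",
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(f"{s!r:60} -> {assess_subject(s) or 'ok'}")
```

A clean result here only means the subject is self-consistent; a self-signed certificate can carry any subject, so treat the tags as a pivot for hunting across a certificate search engine, and verify the issuing chain separately before trusting a "benign" verdict.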

Further investigation uncovered the use of Chinese-language tools for reconnaissance, scanning, and persistence:

  • NHAS (penetration toolkit), Cobalt Strike, SoftEther VPN, GO Simple Tunnel
  • NPS proxy, Gosint, and ARL asset recon framework

Exploitation in the Wild: Real-World Impact

Multiple customers reported attempts to exploit the vulnerability, particularly in manufacturing environments where SAP platforms manage OT-IT integrations. Key indicators include:

  • Crashes during defensive scans, suggesting fragile SAP installations.
  • Web shells enabling full command execution, metadata exfiltration, and potential AD pivoting.
  • IPs linked to Scaleway (France), Contabo (Germany), and Nubes (USA) hosting malicious activity.

Technical Analysis: How the Exploit Works

  1. Initial access: POST requests to /developmentserver/metadatauploader upload web shells.
  2. The shells serve as beacons and as drop points for ELF binaries and JavaScript-based loaders.
  3. Attackers leverage the Common Log File System to escalate privileges (a technique previously observed in ransomware intrusions).
  4. Lateral movement uses custom scanners, VPN obfuscation, and stolen SAP credentials.
  5. Persistence is maintained via scheduled tasks or browser-based shells like SuperShell.

Indicators of Compromise (IoCs)

  • Web Shell Filenames: helper.jsp, cache.jsp, ssonkfrd.jsp
  • Known Malicious IPs:
    • 47.97.42[.]177 – Hosting SuperShell
    • 49.232.93[.]226 – Distributed ELF malware
    • 8.210.65[.]56:5000 – Web-based automated penetration suite
  • Certificate CN: C=US, O=Cloudflare, Inc, CN=:3232

10 Security Recommendations to Mitigate SAP Threats

  1. Patch Immediately: Update SAP NetWeaver Visual Composer to address CVE-2025-31324.
  2. Monitor Unusual JSP Access: Scan for .jsp files in non-standard directories.
  3. Segment SAP Servers: Isolate core SAP services (CRM, SRM, Gateway) from general-purpose servers.
  4. Use Threat Intel Feeds: Integrate IPs and hashes from trusted sources into SIEM.
  5. Block Outbound Curl Commands: Use egress filtering to prevent external payload fetches.
  6. Inspect Custom Certificates: Look for anomalies in TLS certificate fields.
  7. Implement WAF Rules: Block known payload delivery paths and malicious user agents.
  8. Conduct Log Reviews: Audit logs for unexpected POST requests to metadatauploader.
  9. Deploy Behavioral Analytics: Use EDR or UEBA to detect unusual shell access or scheduled tasks.
  10. Engage with IR Teams: Prepare your incident response team with playbooks specific to SAP platforms.
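Recommendations 2, 4 and 8 above, together with the IoC list and the exploitation chain, reduce to a handful of log-matching rules. The script below is an added example, not the article's or any vendor's detection content: it assumes Common Log Format access-log lines (client IP, authenticated user, request line, status), so the regular expression must be adapted to the actual SAP ICM access-log layout. The paths, web shell filenames and defanged IPs come from the article; the log lines are constructed, using RFC 5737 documentation addresses except for the one address taken from the IoC list.

```python
"""Triage an HTTP access log for the CVE-2025-31324 activity described above.

Added example, not the article's or a vendor's detection rule. It assumes
Common Log Format lines; adapt LOG_RE for the ICM access-log format in use.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Paths, filenames and defanged addresses from the article's IoC list.
UPLOADER_PATH = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp", "ssonkfrd.jsp"}
KNOWN_IPS_DEFANGED = {"47.97.42[.]177", "49.232.93[.]226", "8.210.65[.]56"}


def refang(ip: str) -> str:
    """Turn a defanged IoC such as 47.97.42[.]177 back into a matchable address."""
    return ip.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in KNOWN_IPS_DEFANGED}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


class Finding(NamedTuple):
    ip: str
    rule: str
    severity: str
    path: str


def classify(line: str) -> List[Finding]:
    """Return the detection rules a single log line trips (possibly none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
    path_only = path.split("?", 1)[0]
    basename = path_only.rsplit("/", 1)[-1].lower()
    found: List[Finding] = []

    # Rule 1: any request to the vulnerable uploader. A POST with no
    # authenticated user is the exploit shape; anything else is a probe.
    if path_only.lower() == UPLOADER_PATH:
        if method == "POST" and user == "-":
            found.append(Finding(ip, "uploader-unauth-post", "high", path_only))
        else:
            found.append(Finding(ip, "uploader-probe", "medium", path_only))

    # Rule 2: a known web shell name anywhere is high; any other .jsp under
    # /irj/ matches the post-compromise scanning the article describes.
    if basename in KNOWN_WEBSHELLS:
        found.append(Finding(ip, "known-webshell", "high", path_only))
    elif path_only.lower().startswith("/irj/") and basename.endswith(".jsp"):
        found.append(Finding(ip, "irj-jsp-probe", "medium", path_only))

    # Rule 3: the client address is on the published IoC list.
    if ip in KNOWN_IPS:
        found.append(Finding(ip, "ioc-ip", "high", path_only))
    return found


def triage(lines: Iterable[str]) -> Dict[str, List[Finding]]:
    """Group findings by client IP so one scanning source surfaces as one entry."""
    by_ip: Dict[str, List[Finding]] = defaultdict(list)
    for line in lines:
        for f in classify(line):
            by_ip[f.ip].append(f)
    return dict(by_ip)


# Constructed log lines for the example (documentation addresses, plus the
# SuperShell host from the IoC list refanged).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2025:03:12:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Apr/2025:03:12:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.7 - - [29/Apr/2025:03:13:02 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.9 - - [30/Apr/2025:11:45:10 +0000] "GET /irj/ssonkfrd.jsp HTTP/1.1" 404 0',
    '198.51.100.9 - - [30/Apr/2025:11:45:11 +0000] "GET /irj/portal HTTP/1.1" 302 0',
    '47.97.42.177 - - [01/May/2025:08:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
    '203.0.113.22 - jdoe [01/May/2025:09:30:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_LOG).items():
        worst = "high" if any(f.severity == "high" for f in findings) else "medium"
        print(f"{ip:15} {worst:6} {[f.rule for f in findings]}")
```

Note that the 404 on ssonkfrd.jsp still fires: a failed probe for a web shell name tells you a source is hunting for already-compromised hosts, which is exactly the /irj/*.jsp scanning Forescout observed. A 200 on the same name is the signal to escalate to incident response.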

Conclusion

The exploitation of CVE-2025-31324 by a likely Chinese threat actor illustrates the rising strategic value of SAP applications in cyber operations. Enterprises running legacy SAP systems are highly vulnerable without layered defenses and must act swiftly to patch known issues, harden their environments, and monitor for abnormal behavior. The coordinated infrastructure, multilingual tooling, and widespread scanning demonstrate a campaign that is both opportunistic and targeted.

The days of SAP platforms being “too niche to hack” are over. Vigilance, collaboration, and proactivity are now the baseline defenses against advanced actors like Chaya_004.

Ouaissou DEMBELE, http://cybercory.com
Ouaissou DEMBELE is an accomplished cybersecurity professional and the Editor-In-Chief of cybercory.com. He has over 10 years of experience in the field, with a particular focus on Ethical Hacking, Data Security & GRC. Currently, Ouaissou serves as the Co-founder & Chief Information Security Officer (CISO) at Saintynet, a leading provider of IT solutions and services. In this role, he is responsible for managing the company's cybersecurity strategy, ensuring compliance with relevant regulations, and identifying and mitigating potential threats, as well as helping the company's customers build better, long-term cybersecurity strategies. Prior to his work at Saintynet, Ouaissou held various positions in the IT industry, including as a consultant. He has also served as a speaker and trainer at industry conferences and events, sharing his expertise and insights with fellow professionals. Ouaissou holds a number of certifications in cybersecurity, including the Cisco Certified Network Professional - Security (CCNP Security), the Certified Ethical Hacker (CEH) and ITIL. With his wealth of experience and knowledge, Ouaissou is a valuable member of the cybercory team and a trusted advisor to clients seeking to enhance their cybersecurity posture.
