A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.
Forescout Vedere Labs, in a report published today, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.
CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible “/developmentserver/metadatauploader” endpoint.
The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework.
According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
The SAP security firm said it observed reconnaissance activity that involved “testing with specific payloads against this vulnerability” against its honeypots as far back as January 20, 2025. Successful compromises in deploying web shells were observed between March 14 and March 31.
Google-owned Mandiant, which is also engaged in incident response efforts related to these attacks, has evidence of exploitation occurring on March 12, 2025.
In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency.
This, per Forescout, also includes Chaya_004, which has hosted a web-based reverse shell written in Golang called SuperShell on the IP address 47.97.42[.]177. The operational technology (OT) security company said it extracted the IP address from an ELF binary named config that was put to use in the attack.
“On the same IP address hosting Supershell (47.97.42[.]177), we also identified several other open ports, including 3232/HTTP using an anomalous self-signed certificate impersonating Cloudflare with the following properties: Subject DN: C=US, O=Cloudflare, Inc, CN=:3232,” Forescout researchers Sai Molige and Luca Barba said.
Further analysis has uncovered the threat actor has to be hosting various tools across infrastructure: NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.
“The use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China,” the researchers added.
To defend against attacks, it’s essential that users apply the patches as soon as possible, if not already, restrict access to the metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor for suspicious activity.
Onapsis CTO Juan Pablo JP Perez-Etchegoyen told The Hacker News that the activity highlighted by Forescout is post-patch, and that it “will further expand the threat of leveraging deployed web shells not only to opportunistic (and potentially less sophisticated) threat actors, but also more advanced ones seem to have been rapidly reacting to this issue to leverage the existing compromises and further expand.”
