Hackers Exploit SAP RCE Flaw
A recent security flaw in SAP NetWeaver has been exploited by a China-linked threat actor, sparking concerns among cybersecurity experts.
According to a report published by Forescout Vedere Labs on Thursday, the malicious infrastructure associated with the hacking group is believed to have been weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. This critical SAP NetWeaver flaw allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint.
The vulnerability was first flagged by ReliaQuest late last month when it discovered the shortcoming being abused in real-world attacks by unknown threat actors. These attackers were able to drop web shells and utilize the Brute Ratel C4 post-exploitation framework, further compromising the security of affected systems.
Onapsis has revealed that hundreds of SAP systems globally have fallen victim to these attacks, spanning industries and geographies. The affected organizations include energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
The extent of the attack is concerning, with Forescout Vedere Labs indicating that the malicious infrastructure associated with the Chaya_004 threat actor has been detected in various parts of the world. This highlights the need for SAP systems to be regularly updated and patched to prevent exploitation of this critical vulnerability.
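For defenders reviewing their own systems, the following added example (not taken from the Forescout, ReliaQuest or Onapsis reports) scans HTTP access logs for requests to the "/developmentserver/metadatauploader" endpoint named above and groups them by source address. The combined-log-style line format, the sample log lines, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article as the upload path abused via CVE-2025-31324.
TARGET = "/developmentserver/metadatauploader"

# Assumption: combined-log-style lines; adapt the regex to your real log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not real indicators.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 0',
    '203.0.113.5 - - [29/Apr/2025:10:03:44 +0000] "POST /developmentserver//metadata%75ploader HTTP/1.1" 403 0',
    '203.0.113.9 - - [29/Apr/2025:10:04:00 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 404 0',
]

def normalize_path(target):
    """Drop the query, percent-decode, collapse slashes and lowercase the path."""
    path = target.split("?", 1)[0]
    prev = None
    while prev != path:  # decode until stable so double-encoded paths still match
        prev, path = path, unquote(path)
    return re.sub(r"/{2,}", "/", path).lower().rstrip("/")

def find_uploader_hits(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize_path(m["target"]) == TARGET:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def accepted_posts(hits):
    """Sources whose POST to the endpoint got a 2xx (triage-first heuristic)."""
    return sorted(
        ip for ip, events in hits.items()
        if any(meth == "POST" and 200 <= st < 300 for _, meth, st in events)
    )

if __name__ == "__main__":
    hits = find_uploader_hits(SAMPLE_LOG)
    for ip, events in hits.items():
        print(ip, events)
    print("investigate first:", accepted_posts(hits))
```

The normalization deliberately errs toward over-matching, so every hit still needs to be confirmed against the host itself.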