Chinese Hackers Exploit SAP NetWeaver RCE Flaw

A recent report from Forescout Vedere Labs has shed light on a significant security flaw in SAP NetWeaver that has been exploited by a China-linked threat actor tracked as Chaya_004. The vulnerability, CVE-2025-31324, carries a critical CVSS score of 10.0, making it a highly severe threat to affected systems.

The bug allows attackers to achieve remote code execution (RCE) by uploading web shells through the vulnerable "/developmentserver/metadatauploader" endpoint. The flaw was first flagged by ReliaQuest in late April, which found that unknown threat actors were already exploiting it in real-world attacks to drop web shells and deploy the Brute Ratel C4 post-exploitation framework.
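Because the article identifies a single endpoint as the upload path, one practical defender step is to hunt for requests to it in web server access logs. The following Python is an added example (not code from Forescout, ReliaQuest or SAP) that parses constructed combined-format log lines, flags every request whose path matches the endpoint regardless of case or query string, and ranks sources by whether a POST was accepted; the sample IPs, paths and user agents are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined-log style (illustrative, not from any report).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2025:02:11:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.1.20 - - [14/Mar/2025:08:30:00 +0000] "GET /sap/bc/webdynpro/sap/main HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Mar/2025:02:11:09 +0000] "POST /DEVELOPMENTSERVER/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [16/Mar/2025:11:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
ENDPOINT = "/developmentserver/metadatauploader"  # the endpoint named in the article


def find_metadatauploader_requests(log_text):
    """Return (ip, ts, method, raw_path, status) for every request whose path,
    with the query string stripped and case folded, is the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparseable noise instead of aborting the hunt
        path = m.group("path").split("?", 1)[0].lower()
        if path == ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def summarize_by_source(hits):
    """Group hits per source IP. 'accepted_post' marks a POST that received a
    2xx response, i.e. an upload the server accepted, which is the first thing
    to triage; probes answered with 4xx are lower priority but still worth noting."""
    summary = defaultdict(lambda: {"count": 0, "methods": set(), "accepted_post": False})
    for ip, _ts, method, _path, status in hits:
        entry = summary[ip]
        entry["count"] += 1
        entry["methods"].add(method)
        if method == "POST" and 200 <= status < 300:
            entry["accepted_post"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_source(find_metadatauploader_requests(SAMPLE_LOG)).items():
        print(ip, info)
```

Any host showing an accepted POST should be treated as potentially compromised and checked for newly written files in the application's web-accessible directories, not merely patched.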

According to Onapsis, a leading SAP cybersecurity firm, hundreds of SAP systems globally have fallen victim to attacks spanning various industries and geographies. These include energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. The attacks began as early as January 20, 2025, with reconnaissance activity detected against Onapsis' honeypots.

Successful compromises, in which web shells were deployed, were observed between March 14 and March 31, indicating that the attackers had been testing the vulnerability against unsuspecting systems for several weeks before it was publicly disclosed. The threat actors have continued to exploit this vulnerability, targeting vulnerable systems to deploy web shells and even mine cryptocurrency.

The exploitation of CVE-2025-31324 highlights the critical need for organizations to prioritize their SAP NetWeaver security. It is essential for companies to monitor their systems closely, patch vulnerabilities promptly, and implement robust security measures to prevent such attacks. The incident also underscores the importance of threat intelligence and vigilance in detecting emerging threats.

We would like to extend our gratitude to Slashdot reader bleedingobvious for sharing this crucial information with us. As always, we encourage our readers to remain vigilant and stay informed about the latest security threats.