2025-05-15

Cybersecurity researchers are piling up evidence that a critical vulnerability in German software company SAP's NetWeaver Visual Composer development server is being exploited in the wild by a range of threat actors.

These include the ransomware groups BianLian and RansomExx, as well as at least one Chinese nation-state actor, tracked as Chaya_004.

Strong Evidence of Exploitation

The flaw, tracked as CVE-2025-31324, is an unauthenticated file upload vulnerability in the Metadata Uploader component of the SAP NetWeaver Visual Composer Framework version 7.50. SAP has assigned it the highest possible severity score, 10.0 (CVSS v3.1). When exploited, it allows an unauthenticated attacker to upload potentially malicious executable files to the server, which could severely harm the host system.

First detected by ReliaQuest on April 22, the vulnerability was publicly disclosed by SAP two days later in a security advisory in which the software maker also released a patch. The advisory is only available to SAP customers.

Evidence of exploitation began to appear quickly. Notably, the Shadowserver Foundation found that over 400 vulnerable NetWeaver servers were openly exposed to the internet.

Vulnerable SAP NetWeaver instances exposed online. Source: The Shadowserver Foundation
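The exposure and exploitation described above turn on one component: the Metadata Uploader accepts uploads without authentication. As an added example (not code from the article, from SAP, or from any of the vendors named), the Python below triages web-server access-log lines for traffic to that component. It assumes the uploader answers at /developmentserver/metadatauploader, the path used in SAP's and CISA's public material for this CVE but not quoted on this page, and that logs are in Apache/NGINX common or combined format; the sample lines are constructed for the example.

```python
"""Added example: triage SAP NetWeaver access logs for hits on the Visual
Composer Metadata Uploader, the component affected by CVE-2025-31324.

Assumptions (not stated on the page): the uploader answers at
/developmentserver/metadatauploader, and logs use the Apache-style
common/combined format. Sample lines below are constructed, not real traffic."""
import re

# Assumed HTTP path of the Metadata Uploader (from public advisories for this CVE).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Apache/NGINX log prefix: client, ident, user, [time], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Compare the path only: drop the query string and normalise case so that
    # mixed-case variants used to dodge naive string matching are still caught.
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    return rec


def classify(rec):
    """Severity for a parsed record, or None when the uploader was not touched."""
    if rec["path"] != UPLOADER_PATH:
        return None
    if rec["method"] == "POST":
        # The bug is an unauthenticated upload: any POST the server accepted
        # (2xx/3xx) may have written an attacker-controlled file to disk.
        return "critical" if rec["status"] < 400 else "high"
    # GET/HEAD/OPTIONS: someone checking whether the endpoint is reachable.
    return "medium"


def scan(lines):
    """Return (severity, client_ip, method, status) for every uploader hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        sev = classify(rec)
        if sev is not None:
            findings.append((sev, rec["ip"], rec["method"], rec["status"]))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2025:10:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1042',
    '203.0.113.7 - - [23/Apr/2025:10:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.9 - - [23/Apr/2025:11:02:41 +0000] "POST /DevelopmentServer/MetadataUploader?x=1 HTTP/1.1" 403 0',
    '10.0.0.5 - - [23/Apr/2025:11:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 8412',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for sev, ip, method, status in scan(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {method:4} {status}")
```

Any accepted POST to the uploader from an address outside the expected administrative range deserves a look at the server's file system for recently written files, since a successful upload leaves the backdoor on disk rather than in the log. The Onapsis and Mandiant scanner mentioned below performs that on-host check; this snippet only narrows down which servers and which source addresses to examine first.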

Other private security companies, including Onapsis and watchTowr, have found further proof of in-the-wild exploitation of CVE-2025-31324, reporting that attackers were uploading web shell backdoors to unpatched instances exposed online. On April 27, Onapsis, in collaboration with Google Cloud-owned Mandiant, released an open-source tool to identify indicators of compromise on potentially affected SAP systems. On April 29, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog.

SAP also publicly disclosed another flaw, CVE-2025-42999, on May 13. This critical flaw (CVSS v3.1 base score of 9.1) is linked to CVE-2025-31324 and also affects SAP NetWeaver Visual Composer. Private vulnerability intelligence firm VulnCheck had previously added CVE-2025-42999 to its own KEV list.

Chinese Nation-State Actors Exploit CVE-2025-31324

Researchers from Forescout's Vedere Labs published a report on May 8 stating that they had uncovered evidence indicating that a Chinese nation-state threat actor was likely involved in malicious campaigns exploiting CVE-2025-31324. "We uncovered malicious infrastructure likely belonging to a Chinese threat actor, which we are currently tracking as Chaya_004. The infrastructure includes a network of servers hosting Supershell backdoors, often deployed on Chinese cloud providers, and various pen testing tools, many of Chinese origin," said the report. Attacks detected by Vedere Labs were launched from IP addresses that used anomalous self-signed certificates impersonating Cloudflare. Many of these IP addresses belonged to Chinese cloud providers, including Alibaba, Shenzhen Tencent, Huawei Cloud Service and China Unicom.

Another company, EclecticIQ, stated in a May 13 report that its analysts had assessed "with high confidence" that some observed SAP NetWeaver intrusions are linked to Chinese cyber-espionage units, including UNC5221, UNC5174 and CL-STA-0048, based on threat actor tradecraft patterns. According to Mandiant and Palo Alto Networks, these groups are associated with China's Ministry of State Security (MSS) or affiliated private entities.

EclecticIQ TIP Graph View - SAP NetWeaver Intrusions. Source: EclecticIQ