SAP NetWeaver Vulnerability Leveraged by Ransomware Operations and Chinese-Supported Hackers for Data Breaches
In a significant development in the cybersecurity landscape, a new malicious infrastructure known as Chaya_004 has been detected by Federated Labs. This infrastructure has been linked to a series of concerning incidents involving high-profile vulnerabilities and various threat actors.
One of the key vulnerabilities exploited in these attacks is CVE-2025-31324, an unauthenticated file upload vulnerability that SAP has rated at its highest severity score. The flaw affects SAP NetWeaver, a critical component of many businesses' IT infrastructure.
Evidence of exploitation of CVE-2025-31324 appeared quickly: the Shadowserver Foundation found over 400 NetWeaver servers openly exposed to the internet. Private security companies such as Onapsis and WatchTowr further confirmed in-the-wild exploitation, reporting that attackers were uploading web shell backdoors to unpatched instances exposed online.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog on April 29. This designation underscores the urgency for organizations to address this vulnerability.
SAP released a patch for the vulnerability in a security advisory that is available only to SAP customers. Businesses should nevertheless ensure that their SAP systems are updated as soon as possible to mitigate the risk.
The attacks detected by Federated Labs were launched from IP addresses that presented anomalous self-signed certificates impersonating Cloudflare. This tactic is designed to make the attacking infrastructure blend in with legitimate traffic, bypass security measures, and gain unauthorized access to systems.
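As an added illustration (not code from the article or from Forescout), one heuristic a defender can apply to certificates collected from suspicious source hosts: flag a certificate that presents a Cloudflare identity yet is self-signed, since genuine Cloudflare certificates chain to a public CA. The function name, the helper that generates a constructed sample certificate, and the sample Common Names are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IsSuspiciousCloudflareCert flags a certificate that claims a Cloudflare identity
// but is self-signed: issuer equals subject and the signature verifies under its
// own key. Genuine Cloudflare edge certificates chain to a public CA instead.
func IsSuspiciousCloudflareCert(cert *x509.Certificate) bool {
	subject, issuer := cert.Subject.String(), cert.Issuer.String()
	selfSigned := subject == issuer &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return selfSigned && strings.Contains(strings.ToLower(subject), "cloudflare")
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert builds a constructed sample certificate for cn, standing in
// for one captured from a remote host (triage would parse the peer's DER instead).
func newSelfSignedCert(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	for _, cn := range []string{"cloudflare-edge.example", "example.test"} {
		fmt.Printf("%-24s flagged=%v\n", cn, IsSuspiciousCloudflareCert(newSelfSignedCert(cn)))
	}
}
```

The check is a triage signal, not proof of compromise; a hit should be correlated with the source IP's connection attempts against the NetWeaver instance.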
Some of these IP addresses belonged to Chinese cloud providers, including Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom. This raises concerns that state-sponsored actors may be orchestrating these attacks.
Researchers from Forescout's Federated Labs published a report on May 8 stating that a Chinese nation-state threat actor was likely involved in malicious campaigns exploiting CVE-2025-31324. EclecticIQ's analysts have assessed with high confidence that some observed SAP NetWeaver intrusions are linked to Chinese cyber-espionage units, including UNC5221, UNC5174, and CL-STA-0048.
The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These groups are associated with China's Ministry of State Security (MSS) or affiliated private entities, according to Mandiant and Palo Alto.
Onapsis, in collaboration with Google Cloud-owned Mandiant, released an open-source tool on April 27 to identify indicators of compromise on potentially affected SAP systems. This tool can help businesses assess their exposure and take the necessary actions to secure their systems.
More recently, on May 13, SAP publicly disclosed another critical flaw, CVE-2025-42999. This vulnerability is linked to CVE-2025-31324 and affects SAP NetWeaver Visual Composer; it allows unauthenticated attackers to upload potentially malicious executable binaries that could harm the host system.
Organizations are urged to stay vigilant and proactive in addressing these vulnerabilities to protect their systems and data from potential attacks.