CVE-2025-31324: Critical SAP Vulnerability Exploited by Chinese Threat Actor


This advisory covers a threat campaign leveraging a known SAP vulnerability (CVE-2025-31324) that has recently been observed being actively exploited by a Chinese state-sponsored threat actor. The focus is on a real-world exploitation case, indicating operational readiness and potential for broader impact on organizations using SAP systems. The findings emphasize the criticality of patching SAP instances and monitoring for known indicators of compromise (IOCs).

Severity Level: High

THREAT OVERVIEW:

  1. Threat Actor: Suspected Chinese nation-state group Chaya_004.
  2. Malware Used: Web shells (e.g., helper.jsp, cache.jsp, ssonkfrd.jsp), ELF binaries (config), and Windows binaries (svchosts.exe).
  3. Infection Vector: Remote code execution (RCE) via unpatched SAP management interfaces.
  4. Sectors Affected: Large enterprises using SAP in manufacturing, finance, and logistics.
  5. Targeted Region: Global, with specific incidents observed in North America, Europe, and Asia-Pacific.

TOOLS DETECTED:

  1. Supershell (Chinese Go-based reverse shell)
  2. Pocassist (vulnerability scanner)
  3. GOREVERSE, ARL, NPS, SoftEther VPN, Xray proxy, and others

Recommendations:

  1. Ensure you apply the appropriate security notes for NetWeaver AS Java versions 7.50–7.52.
  2. Limit exposure of the /developmentserver/metadatauploader endpoints using firewall policies or SAP Web Dispatcher. Internal access should be restricted to authorized administrators.
  3. If the Visual Composer service is non-essential, consider disabling it entirely.
  4. Deploy real-time monitoring for abnormal access or changes to service entries, especially outside of maintenance windows.
  5. Ensure SAP NetWeaver endpoints are included in routine penetration testing and vulnerability scans.
  6. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/42cef8a73d24533b1d24439076b2c9140c9096fe96d61327896dd88f0fee92b6/iocs
  7. Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files:
    • C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
    • C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
    • C:\usr\sap\\\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
    The presence of such files is an indication that an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised, and the appropriate incident response plan should be followed.
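The following script is an added example (not code from Ampcus Cyber, SAP, or any of the cited vendors) that turns recommendations 2 and 7 into a repeatable hunt: it checks the three irj directories named above for any .jsp, .java or .class file, flags the web shell names listed in the Threat Overview (helper.jsp, cache.jsp, ssonkfrd.jsp), and separately reviews access-log lines for requests to /developmentserver/metadatauploader from sources outside an administrator allow-list. It assumes the blanks in the advisory's paths are the SAP system ID and instance directory, and it uses a constructed, simplified log format (client IP, method, path, status); adapt the parser to the real Web Dispatcher or ICM log layout in use.

```python
"""Defensive hunt for CVE-2025-31324 artifacts: suspect files in the irj
servlet_jsp directories and requests to the metadatauploader endpoint."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions the advisory says should not be present in these directories.
SUSPECT_EXTENSIONS = {".jsp", ".java", ".class"}
# Web shell file names listed in the advisory's Threat Overview.
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp", "ssonkfrd.jsp"}
# Sub-directories of .../servlet_jsp/irj named in recommendation 7.
IRJ_SUBDIRS = ("root", "work", os.path.join("work", "sync"))
# Endpoint whose exposure recommendation 2 says to limit.
METADATAUPLOADER = "/developmentserver/metadatauploader"


def irj_dirs(sap_base: str, sid: str, instance: str) -> list[Path]:
    """Build the three directories to inspect.
    Assumption: <SID> and <instance> fill the blanks in the advisory's path."""
    base = (Path(sap_base) / sid / instance / "j2ee" / "cluster" / "apps"
            / "sap.com" / "irj" / "servlet_jsp" / "irj")
    return [base / sub for sub in IRJ_SUBDIRS]


def scan_directory(directory: Path) -> list[dict]:
    """Report suspect files sitting directly in `directory` (its root only,
    as the advisory phrases it). Known shell names get a stronger reason."""
    findings = []
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        if ext in SUSPECT_EXTENSIONS:
            known = entry.name.lower() in KNOWN_WEBSHELL_NAMES
            findings.append({
                "path": str(entry),
                "reason": "known web shell name" if known else f"unexpected {ext} file",
                "size": entry.stat().st_size,
            })
    return findings


def hunt(sap_base: str, sid: str, instance: str) -> list[dict]:
    """Run scan_directory over root, work and work/sync; any hit means
    the host should be treated as compromised."""
    findings = []
    for d in irj_dirs(sap_base, sid, instance):
        findings.extend(scan_directory(d))
    return findings


def suspicious_log_lines(lines: list[str], allowed_sources=frozenset()) -> list[dict]:
    """Flag requests to the metadatauploader endpoint from any client not on
    the administrator allow-list. Constructed log format: 'ip method path status'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, method, path, status = parts[:4]
        if path.split("?")[0].lower().startswith(METADATAUPLOADER) and ip not in allowed_sources:
            hits.append({"source": ip, "method": method, "status": status, "line": line})
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree: one known shell name, one stray .class file,
    one benign file and one sub-directory, under SID 'PRD' instance 'J00'."""
    tmp = tempfile.mkdtemp(prefix="sap_hunt_")
    root, work, sync = irj_dirs(tmp, "PRD", "J00")
    for d in (root, work, sync):
        d.mkdir(parents=True)
    (root / "helper.jsp").write_text("<%-- constructed placeholder, not a real shell --%>")
    (work / "Foo.class").write_bytes(b"\xca\xfe\xba\xbe")
    (sync / "notes.txt").write_text("benign")
    (root / "images").mkdir()
    return tmp


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "10.0.5.21 POST /developmentserver/metadatauploader 200",
    "203.0.113.45 POST /developmentserver/metadatauploader 200",
    "10.0.5.21 GET /irj/portal 200",
]

if __name__ == "__main__":
    base = build_sample_tree()
    for finding in hunt(base, "PRD", "J00"):
        print("FILE ", finding)
    for hit in suspicious_log_lines(SAMPLE_LOG, allowed_sources={"10.0.5.21"}):
        print("LOG  ", hit)
```

On a real system, point `hunt` at `/usr/sap` (Linux) or `C:\usr\sap` (Windows) with the actual SID and instance directory, and run it from a scheduled job so that a new file appearing outside a maintenance window raises an alert, as recommendation 4 asks. The log check treats any non-allow-listed client reaching the endpoint as noteworthy regardless of HTTP status, since a 200 on an upload attempt is exactly the case the advisory warns about.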

Source:

  • https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
  • https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
  • https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/
  • https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/


Ampcus Cyber