
A critical security flaw affecting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
"The actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today.
Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants, oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia responsible for investment strategy and financial regulation.
The findings are based on a publicly exposed directory on attacker-controlled infrastructure (15.204.56[.]106) that contained an event log capturing activity across several compromised systems.
The Dutch cybersecurity company has attributed the intrusions to the Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which has been linked to attacks against high-value targets in South Asia that exploited publicly exposed IIS, Apache Tomcat, and MS-SQL servers to deploy a backdoor.
It was also noted that an unnamed China-nexus threat actor is conducting an extensive internet scanning and exploitation campaign against SAP NetWeaver systems. The server hosted at IP address 15.204.56[.]106 contains several files, including:
- "CVE-2025-31324-results.txt," which records 581 SAP NetWeaver instances compromised with a web shell.
- "_20250427_212229.txt," which lists 800 domains possibly running SAP NetWeaver for future targeting.
"The exposed open-directory infrastructure indicates confirmed breaches and reveals the group's planned targets, providing clear insight into both past and future operations," Büyükkaya said.
After exploiting CVE-2025-31324, the threat actor deployed two web shells designed to maintain persistent remote access to infected systems and execute arbitrary commands.
In addition, three separate Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malware:
- CL-STA-0048, which attempted to establish an interactive reverse shell to 43.247.135[.]53, an IP address previously identified as used by the threat actor.
- UNC5221, which leveraged a web shell to deploy KrustyLoader, Rust-based malware that can be used to serve second-stage payloads such as Sliver, establish persistence, and execute shell commands.
- UNC5174, which leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection to a hard-coded server to fetch a Go-based remote access trojan called VShell and a backdoor.
"China-linked APTs are highly likely to target internet-facing enterprise applications and edge devices to establish long-term strategic persistence in critical infrastructure networks globally," Büyükkaya said.
"Their focus on widely used platforms such as SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities."
SAP Patches New Actively Exploited NetWeaver Flaw
The disclosure comes as a threat actor linked to China, dubbed Chaya_004, has also been held responsible for exploiting CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell.
SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information for exploitation and abuse following the original attackers, who have since gone dark."
Further analysis of these attacks has uncovered another critical flaw in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it is described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content.
"The attacks we observed during March 2025 (which began in January 2025 with basic probing) were actually abusing both the missing authentication (CVE-2025-31324) and the unsafe deserialization (CVE-2025-42999)," said Onapsis CTO Juan Pablo (JP).
"This combination allowed the attackers to execute commands remotely on the system without any kind of privileges. Organizations that effectively and promptly applied SAP Security Note 3594142 (the patch for CVE-2025-31324) significantly reduced the risk of exploitation."
"Organizations should now apply SAP Security Note 3604119 to remove any residual risk on SAP applications. This residual risk is essentially a deserialization vulnerability exploitable by users with the VisualComposerUser role on the SAP target system."
In light of ongoing active exploitation, SAP NetWeaver customers are recommended to update their instances as soon as possible.
(The story was updated after publication on May 14, 2025 to reflect the active exploitation of CVE-2025-42999.)