In a major cybersecurity development, several China-linked advanced persistent threat (APT) groups have been identified actively exploiting a critical vulnerability in SAP NetWeaver systems, known as CVE-2025-31324. This flaw, which received a CVSS score of 10.0, allows unauthenticated attackers to upload malicious files and execute remote code, potentially taking full control of affected servers.

The targeted endpoint, /developmentserver/metadatauploader, belongs to the Visual Composer component of SAP NetWeaver. The vulnerability enables remote code execution (RCE) by allowing threat actors to upload web shells without authentication.

Exploitation Targets Critical Infrastructure Worldwide

Cybersecurity researchers from EclecticIQ have uncovered widespread exploitation of the flaw by Chinese threat groups across multiple industries. At least 581 SAP NetWeaver systems have been compromised, with over 800 additional systems identified as potential future targets.

Sectors Impacted:

  • UK-based natural gas and waste management firms
  • Medical equipment manufacturers
  • Oil and gas exploration companies in the U.S.
  • Government ministries in Saudi Arabia

The discovery was made through attacker-exposed infrastructure that included detailed logs of compromised environments and targeted domains.

Threat Actors and Their Toolkits

EclecticIQ attributed the campaign to multiple China-linked APT groups including:

  • UNC5221: Deployed custom malware like KrustyLoader to deliver payloads such as Sliver.
  • UNC5174: Installed SNOWLIGHT loaders to fetch backdoors like GOREVERSE and VShell.
  • CL-STA-0048: Attempted to establish reverse shells from infected SAP environments.
  • Chaya_004: Delivered SuperShell, a Go-based reverse shell tool, to compromised systems.

These actors employed advanced tactics including custom malware, remote access trojans (RATs), and fileless persistence mechanisms.

SAP Releases Security Patch

In response to active exploitation, SAP issued Security Note 3604119 on May 13, 2025, patching CVE-2025-31324. The update also addresses a related deserialization issue tracked as CVE-2025-42999.

SAP Urges Immediate Action:

  • Apply the latest patches from SAP immediately.
  • Scan for compromise indicators using open-source tools from Mandiant and Onapsis.
  • Monitor for suspicious activity, especially unauthorized file uploads and outbound connections to suspicious IP addresses.
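As an added defensive example, not part of the original article or of any SAP or vendor tooling, the script below flags upload-style requests to the /developmentserver/metadatauploader endpoint in a web server access log, ranking successful (2xx) uploads above rejected ones. It assumes a generic NCSA-style log line (SAP's own ICM and Java access logs use their own layout, so the regex would need adapting) and runs over constructed sample lines.

```python
import re
from dataclasses import dataclass

# Endpoint named in the advisory; unauthenticated POSTs to it are the upload vector.
TARGET_PATH = "/developmentserver/metadatauploader"

# Assumption: NCSA-style access log. Real SAP ICM/Java logs differ; adapt the regex.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int

    @property
    def succeeded(self) -> bool:
        """A 2xx on an upload is the case most likely to have landed a web shell."""
        return 200 <= self.status < 300


def is_upload_attempt(method: str, path: str) -> bool:
    """True for POST/PUT whose path is the metadatauploader servlet.
    Query string, trailing slash and letter case are normalised first, so
    variants of the same path do not slip past a naive string compare."""
    clean = path.split("?", 1)[0].rstrip("/").lower()
    return method.upper() in {"POST", "PUT"} and clean == TARGET_PATH


def scan_access_log(lines):
    """Return a Finding per line that is an upload attempt; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_upload_attempt(m["method"], m["path"]):
            findings.append(Finding(m["ip"], m["ts"], m["method"].upper(),
                                    m["path"], int(m["status"])))
    # Successful uploads first: those hosts need triage before the blocked ones.
    return sorted(findings, key=lambda f: (not f.succeeded, f.ts))


# Constructed sample lines (not from a real incident); 198.51.100.0/24 is documentation space.
SAMPLE_LOG = """\
198.51.100.7 - - [13/May/2025:08:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.9 - - [13/May/2025:08:15:10 +0000] "POST /DevelopmentServer/MetadataUploader/ HTTP/1.1" 403 0
198.51.100.23 - - [13/May/2025:08:15:41 +0000] "POST /developmentserver/metadatauploader?q=1 HTTP/1.1" 200 1024
198.51.100.23 - - [13/May/2025:08:15:43 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 312
garbage line that must not crash the parser
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status} ({'OK' if f.succeeded else 'blocked'})")
```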

Urgency for Enterprise Defenders

Given the critical severity of the flaw and ongoing exploitation, CVE-2025-31324 poses an immediate threat to global enterprise infrastructure. Unpatched SAP systems represent a high-value target for state-sponsored cyber actors seeking to disrupt essential services and steal sensitive data.

Security professionals are urged to prioritize SAP security assessments, update threat detection rules, and strengthen monitoring of external access to development endpoints.

Conclusion

The exploitation of SAP CVE-2025-31324 by China-linked APTs highlights the urgent need for robust patch management and proactive threat detection in enterprise environments. With attackers actively targeting critical infrastructure, immediate remediation and enhanced visibility are key to mitigating risk.
