China-Linked APTs Exploit SAP NetWeaver Vulnerability CVE-2025-31324 to Breach Critical Infrastructure Worldwide

A critical vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, has been exploited by multiple China-affiliated Advanced Persistent Threat (APT) groups to infiltrate critical infrastructure systems globally. The flaw allows unauthenticated file uploads, which the attackers used to plant web shells and achieve remote code execution (RCE).

EclecticIQ researcher Arda Büyükkaya reported that these threat actors have targeted various sectors, including natural gas distribution networks, water and waste management utilities in the United Kingdom, medical device manufacturing plants, oil and gas companies in the United States, and government ministries in Saudi Arabia responsible for investment strategy and financial regulation.

The investigation uncovered a publicly accessible directory on attacker-controlled infrastructure (IP address 15.204.56[.]106) containing event logs from multiple compromised systems. This evidence links the intrusions to Chinese threat groups known as UNC5221, UNC5174, and CL-STA-0048. These groups have previously exploited vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to deploy web shells, reverse shells, and the PlugX backdoor.

The server at 15.204.56[.]106 hosted several files, notably:

– CVE-2025-31324-results.txt, documenting 581 SAP NetWeaver instances that were compromised and implanted with web shells.

– 服务数据_20250427_212229.txt, listing 800 domains running SAP NetWeaver, likely earmarked for future attacks.

Büyükkaya emphasized that the exposed directory provides clear insights into both past breaches and planned targets, highlighting the strategic operations of these threat actors.

After exploiting CVE-2025-31324, the attackers deployed two web shells on the compromised systems to maintain persistent remote access and execute arbitrary commands.

The activities of the Chinese hacking groups include:

– CL-STA-0048: Attempted to establish an interactive reverse shell to 43.247.135[.]53, an IP address previously associated with the group.

– UNC5221: Utilized a web shell to deploy KrustyLoader, a Rust-based malware capable of serving second-stage payloads like Sliver, establishing persistence, and executing shell commands.

– UNC5174: Employed a web shell to download SNOWLIGHT, a loader that connects to a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE.

Büyükkaya warned that China-linked APTs are likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term access to critical infrastructure networks worldwide. Their focus on widely used platforms like SAP NetWeaver is strategic, as these systems are deeply integrated into enterprise environments and often contain unpatched vulnerabilities.

This disclosure follows reports of another China-linked threat actor, Chaya_004, exploiting similar vulnerabilities in SAP NetWeaver systems.