Chinese Hackers Exploit Critical SAP Vulnerability CVE-2025-31324 to Deploy Golang-Based SuperShell

A sophisticated cyber threat group, identified as Chaya_004 and believed to be operating from China, has been actively exploiting a critical vulnerability in SAP NetWeaver systems. This flaw, designated as CVE-2025-31324 with a maximum CVSS score of 10.0, enables remote code execution (RCE) by allowing attackers to upload malicious web shells through the vulnerable /developmentserver/metadatauploader endpoint.

Forescout Vedere Labs reported on May 8, 2025, that they had detected malicious infrastructure linked to Chaya_004 leveraging this vulnerability since April 29, 2025. The exploitation involves deploying a Golang-based reverse shell known as SuperShell, facilitating unauthorized remote access and control over compromised SAP systems.

Discovery and Initial Exploitation

The vulnerability was first identified by cybersecurity firm ReliaQuest in late April 2025. They observed unknown threat actors exploiting CVE-2025-31324 to deploy web shells and the Brute Ratel C4 post-exploitation framework. Onapsis, a company specializing in SAP security, noted that hundreds of SAP systems worldwide had been targeted, affecting sectors such as energy, manufacturing, media, oil and gas, pharmaceuticals, retail, and government. Their honeypots recorded reconnaissance activities as early as January 20, 2025, with successful web shell deployments occurring between March 14 and March 31. Mandiant, a Google-owned cybersecurity firm, corroborated these findings, indicating that the first known exploitation took place on March 12, 2025.

Chaya_004’s Exploitation Tactics

Chaya_004 has been identified as a significant actor in these attacks. The group utilized the IP address 47.97.42[.]177 to host SuperShell, a web-based reverse shell written in Golang. Forescout’s analysis revealed that this IP address also hosted other tools, including NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel. The use of Chinese cloud services and tools with Chinese-language interfaces suggests that Chaya_004 operates from China.

Broader Implications and Additional Threat Actors

The exploitation of CVE-2025-31324 is not limited to Chaya_004. Multiple threat actors have been observed targeting vulnerable SAP systems to deploy web shells and even mine cryptocurrency. This widespread exploitation underscores the critical nature of the vulnerability and the urgency for organizations to implement protective measures.

Recommended Mitigation Strategies

To defend against these attacks, organizations should:

– Apply Patches Promptly: Ensure that all SAP systems are updated with the latest security patches addressing CVE-2025-31324.

– Restrict Access: Limit access to the /developmentserver/metadatauploader endpoint to authorized personnel only.

– Disable Unused Services: If the Visual Composer service is not in use, disable it to reduce potential attack vectors.

– Monitor for Suspicious Activity: Implement continuous monitoring to detect and respond to unusual activities promptly.
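As an added example for the monitoring step above (not code from the article or from any vendor), the following Python script scans web-server access logs in Combined Log Format for requests to the /developmentserver/metadatauploader endpoint, rating successful upload attempts (POST/PUT with a 2xx response) as high, blocked uploads as medium, and other requests to the endpoint as low-severity probes. The log lines, IP addresses and format assumptions are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TARGET = "/developmentserver/metadatauploader"   # endpoint named in the article
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2025:10:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2025:10:12:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [29/Apr/2025:10:15:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Apr/2025:10:16:02 +0000] "POST /developmentserver/metadatauploader/ HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def normalize_path(raw):
    """Strip query string, percent-decoding, case and trailing slashes before comparing."""
    return unquote(raw.split("?", 1)[0]).lower().rstrip("/")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Return findings for traffic touching the vulnerable endpoint, uploads first, probes last."""
    findings, probes = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or normalize_path(rec["path"]) != TARGET:
            continue
        if rec["method"] in UPLOAD_METHODS:
            accepted = rec["status"].startswith("2")
            findings.append({
                "severity": "high" if accepted else "medium",
                "ip": rec["ip"], "time": rec["ts"], "status": rec["status"],
                "reason": "upload attempt to metadatauploader "
                          + ("accepted by server" if accepted else "rejected by server"),
            })
        else:
            probes[rec["ip"]] = probes.get(rec["ip"], 0) + 1
    for ip, n in probes.items():
        findings.append({"severity": "low", "ip": ip,
                         "reason": f"{n} non-upload request(s) to endpoint (possible reconnaissance)"})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["reason"])
```

Point the script at real access logs for the SAP Java stack's HTTP layer or a front-end reverse proxy; any "high" finding on an unpatched system warrants a forensic review of the host for newly written files.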

Juan Pablo JP Perez-Etchegoyen, CTO of Onapsis, emphasized the evolving threat landscape, noting that even after patches have been applied, advanced threat actors are rapidly adapting to exploit existing compromises. This highlights the need for ongoing vigilance and proactive security measures.

Conclusion

The exploitation of CVE-2025-31324 by groups like Chaya_004 illustrates the persistent and evolving threats facing SAP systems. Organizations must prioritize the implementation of security patches, restrict access to vulnerable endpoints, disable unnecessary services, and maintain robust monitoring to safeguard against these sophisticated attacks.