In April 2025, cybersecurity researchers uncovered a sophisticated cyber-espionage campaign targeting critical infrastructure sectors worldwide. This campaign exploited a previously unknown vulnerability in SAP NetWeaver Visual Composer, designated CVE-2025-31324. The flaw enables unauthenticated attackers to upload malicious files to affected systems, giving them remote code execution without any user credentials or special access privileges.
Scope of the Attacks
The attacks primarily impacted organizations across various sectors, including:
– United Kingdom: Natural gas distribution networks and water management utilities.
– United States: Medical device manufacturing plants and upstream oil and gas companies.
– Saudi Arabia: Government ministries.
These compromised SAP systems were connected to industrial control system (ICS) networks, significantly amplifying the potential impact of these intrusions. The integration of SAP systems with ICS environments underscores the critical nature of these attacks, as they could lead to operational disruptions, data breaches, and potential safety hazards.
Attribution to Chinese APT Groups
Intelligence gathered from exposed attacker infrastructure revealed links to multiple China-nexus Advanced Persistent Threat (APT) groups, including UNC5221, UNC5174, and CL-STA-0048. These threat actors are believed to have connections to China’s Ministry of State Security (MSS) or affiliated private entities, operating with strategic objectives to compromise critical infrastructure worldwide.
Attack Methodology
The attackers leveraged the “/developmentserver/metadatauploader” API endpoint in SAP NetWeaver to upload malicious webshells, providing them with persistent remote access. Two primary webshells were deployed across victim systems:
1. coreasp.jsp: This sophisticated webshell employed advanced obfuscation and encryption techniques to evade detection, serving as the attackers' encrypted primary command channel.
2. forwardsap.jsp: This lightweight backdoor accepted system commands via a parameter named “cmdhghgghhdd” and returned the output directly to the browser, functioning as a fallback access method if the more sophisticated encrypted channel failed.
These webshells closely resemble Behinder/冰蝎 v3, a toolset commonly used by Chinese-speaking threat actors, providing additional evidence linking the campaign to China-nexus operators.
Discovery and Analysis
EclecticIQ analysts identified an openly accessible directory on an attacker-controlled server (15.204.56.106), which contained detailed lists of compromised systems and the tools used in the campaign. The server hosted two result files documenting over 581 SAP NetWeaver instances compromised and backdoored with webshells, along with a list of 1,800 domains running SAP NetWeaver marked as potential targets.
Implications and Recommendations
The exploitation of CVE-2025-31324 highlights the critical need for organizations to:
– Patch Vulnerabilities Promptly: Regularly update and patch SAP systems to mitigate known vulnerabilities.
– Monitor Network Traffic: Implement continuous monitoring to detect unusual activities indicative of a breach.
– Restrict Access: Limit access to critical systems and employ robust authentication mechanisms.
– Incident Response Planning: Develop and regularly update incident response plans to address potential breaches effectively.
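As a defender-side illustration of the "Monitor Network Traffic" recommendation applied to the attack methodology above, here is an added detection example (not from the article or from EclecticIQ) that scans web server access log lines for the indicators the article names: requests to the /developmentserver/metadatauploader endpoint, requests for files named coreasp.jsp or forwardsap.jsp, and the cmdhghgghhdd command parameter. The log format, IP addresses and directory paths in the sample lines are constructed; the article does not state where the webshells were written on disk, so the check keys on the filename alone.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article: the abused upload endpoint, the two
# webshell filenames and the parameter the webshells read commands from.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"coreasp.jsp", "forwardsap.jsp"}
COMMAND_PARAM = "cmdhghgghhdd"

# Apache/NGINX "combined"-style access log line (format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str
    target: str


def classify_request(method: str, target: str) -> List[str]:
    """Return every campaign indicator that a single request matches."""
    parts = urlsplit(target)
    path = parts.path.lower()
    reasons = []
    # Any external access to the upload endpoint is suspicious; the article
    # describes it being used to upload webshells without authentication.
    if path.startswith(UPLOAD_ENDPOINT):
        reasons.append(f"{method} to unauthenticated upload endpoint (CVE-2025-31324)")
    # Match on the dropped filename regardless of the directory it landed in.
    if path.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        reasons.append("known webshell filename requested")
    # Caveat: access logs only show the query string. A command sent in a
    # POST body will not be visible here and needs a WAF log or packet capture.
    if COMMAND_PARAM in parse_qs(parts.query, keep_blank_values=True):
        reasons.append("webshell command parameter present")
    return reasons


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run classify_request over each parsable log line and collect hits."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format instead of failing
        for reason in classify_request(m["method"], m["target"]):
            findings.append(Finding(m["ip"], m["ts"], reason, m["target"]))
    return findings


# Constructed sample log: three requests from one source reproducing the
# upload-then-webshell pattern, plus one benign portal request.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:10:15:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2025:10:15:09 +0000] "GET /example/coreasp.jsp HTTP/1.1" 200 48',
    '203.0.113.5 - - [24/Apr/2025:10:16:30 +0000] "GET /example/forwardsap.jsp?cmdhghgghhdd=id HTTP/1.1" 200 73',
    '198.51.100.7 - - [24/Apr/2025:10:17:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.reason}: {f.target}")
```

On the sample above the scan yields four findings: the POST to the upload endpoint, the request for coreasp.jsp, and two for the forwardsap.jsp request (webshell filename and command parameter). In a real deployment the upload-endpoint hit is the earliest signal and is worth alerting on by itself, since legitimate use of that endpoint from the internet should be rare to non-existent.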
Given the strategic targeting of critical infrastructure, organizations must remain vigilant and proactive in their cybersecurity measures to defend against such sophisticated threats.