SAP Attacks: Chaya_004 Threat Intel

A new wave of cyberattacks has emerged targeting a critical vulnerability in SAP NetWeaver, marking another concerning development in the landscape of enterprise application security. This latest campaign, attributed to a China-linked threat actor tracked as Chaya_004, takes advantage of CVE-2025-31324, a remote code execution vulnerability with a maximum CVSS score of 10.0. The exploit allows malicious actors to upload web shells via the vulnerable /developmentserver/metadatauploader endpoint, effectively gaining full control of the compromised SAP system.

Discovered in April 2025 by Forescout Vedere Labs, Chaya_004’s activity follows earlier real-world abuse of this flaw reported by ReliaQuest and Onapsis. This critical bug is especially dangerous because it affects a core component of SAP’s widely adopted NetWeaver platform, making it a high-value target across multiple sectors.

Affected organizations span industries including:

  • Energy and Utilities
  • Manufacturing
  • Media and Entertainment
  • Pharmaceuticals
  • Retail
  • Oil and Gas
  • Government

Attackers have been deploying a range of malicious tools such as Brute Ratel C4, cryptocurrency miners, and a web-based reverse shell known as SuperShell, written in Golang. These payloads are often distributed through infrastructure hosted on Chinese cloud providers, further pointing to the origin of the threat. The operational infrastructure includes VPN tunnels, offensive tooling like Cobalt Strike, and reconnaissance platforms such as ARL and GOSINT.

Forescout noted that the IP address 47.97.42.177, used by Chaya_004, hosts multiple services including one impersonating Cloudflare through a suspicious self-signed SSL certificate, indicating a sophisticated deception mechanism to avoid detection.

More concerning is that the exploitation appears to continue post-patch, which means compromised systems may still be under the control of attackers despite remediation steps taken after initial discovery. This aligns with insights from Onapsis and Mandiant, who observed the vulnerability being probed as early as January 2025 and exploited by March.

What Should Organizations Do Now?

Organizations using SAP NetWeaver must act swiftly:

  • Apply patches released by SAP immediately.
  • Restrict access to the /developmentserver/metadatauploader endpoint.
  • Disable Visual Composer, if not actively used.
  • Continuously monitor logs and network traffic for anomalous activity.
  • Harden cloud infrastructure to prevent lateral movement and data exfiltration.
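The two monitoring items above (restrict the endpoint, watch the logs) can be checked together with a small triage script. This is an added example, not code from Forescout, SAP or COE Security; it assumes combined-format web access logs and an operator-supplied allowlist of administrative source ranges, and the log lines it runs on are constructed, not real traffic.

```python
import ipaddress
import re
from typing import Iterable

# Endpoint named in the advisory; any contact from outside the admin allowlist is reportable.
SENSITIVE_PATH = "/developmentserver/metadatauploader"

# Combined-log-style line: client ip, timestamp, request line, status, size (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_metadatauploader_hits(lines: Iterable[str], allowed_cidrs: Iterable[str]) -> list[dict]:
    """Return one record per request to the sensitive path from a non-allowlisted client.

    A POST answered with 2xx is the shape of an accepted upload and ranks highest;
    a rejected POST (e.g. after patching) and plain GETs are still reported as probes.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these
        path = m["path"].split("?", 1)[0].lower().rstrip("/")
        if path != SENSITIVE_PATH:
            continue
        if any(ipaddress.ip_address(m["ip"]) in n for n in nets):
            continue  # expected administrative source
        status = int(m["status"])
        if m["method"] == "POST" and 200 <= status < 300:
            severity = "high"    # upload accepted: inspect the host for a new web shell
        elif m["method"] == "POST":
            severity = "medium"  # upload attempted but refused
        else:
            severity = "low"     # reconnaissance / availability check
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": status, "severity": severity})
    return hits

# Constructed sample lines (TEST-NET addresses, not real traffic) covering each outcome.
SAMPLE_LOG = [
    '10.0.5.20 - - [06/May/2025:09:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/May/2025:09:03:11 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [06/May/2025:09:03:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/May/2025:09:10:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 -',
    '198.51.100.9 - - [06/May/2025:09:11:00 +0000] "GET /index.html HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for hit in find_metadatauploader_hits(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(hit)
```

A "high" record should trigger a host-side check for newly written files under the application's web-served directories, since the log alone cannot show what was uploaded.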

This campaign is a reminder that sophisticated threat actors often move quickly to exploit newly disclosed vulnerabilities, leveraging known bugs before organizations have the chance to patch or respond.

Conclusion:

The exploitation of SAP NetWeaver by Chaya_004 underscores how enterprise software vulnerabilities can rapidly become a global threat vector. The speed at which attackers moved from discovery to exploitation to monetization emphasizes the importance of proactive cybersecurity practices. With advanced tooling, cross-platform capabilities, and infrastructure obfuscation, today’s attackers are targeting not just systems, but trust.

Enterprises in energy, retail, government, and manufacturing must see this as a wake-up call to reassess their patch management programs, incident response plans, and supply chain security.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

How we help
In light of threats like the SAP NetWeaver exploit, COE Security is committed to helping businesses across energy, oil and gas, manufacturing, retail, and government sectors build resilience against zero-day vulnerabilities and advanced persistent threats. From proactive vulnerability assessments to SAP-specific penetration testing, we secure your infrastructure before threat actors do.
