IOupdate | IT News and Selfhosting

Cyber Security
    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

By Micha, May 13, 2025

May 13, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    Critical SAP NetWeaver Vulnerability Targeted by Nation-State Actors

    A newly disclosed critical security flaw in SAP NetWeaver, tracked as CVE-2025-31324 (CVSS 10.0), is being exploited by multiple China-linked nation-state actors against vital infrastructure networks worldwide. The bug is a missing authorization check in the Visual Composer Metadata Uploader (reachable at /developmentserver/metadatauploader): an unauthenticated attacker can upload arbitrary files, including JSP web shells, to the application server and thereby gain remote code execution (RCE).

    According to researcher Arda Büyükkaya from EclecticIQ, this vulnerability has become part of a broader campaign aimed at critical infrastructure sectors. Targeted organizations include natural gas and water distribution utilities in the UK, medical device manufacturers, and oil and gas exploration firms in the United States, as well as financial regulatory agencies in Saudi Arabia.

    Threat Landscape Analysis

    EclecticIQ's findings are based on an openly accessible directory on an attacker-controlled server (IP: 15.204.56[.]106) containing event logs of activity across multiple compromised systems, including the list of 581 backdoored SAP NetWeaver instances behind this article's headline figure. Beyond confirming individual breaches, the logs give insight into the attackers' current operations and likely future targets.

    The China-linked clusters UNC5221 and UNC5174 have repeatedly exploited known vulnerabilities in widely deployed edge devices and enterprise applications such as SAP NetWeaver to gain initial access. CL-STA-0048, the third cluster involved here, has infiltrated high-value targets in South Asia, typically through known weaknesses in IIS, Apache Tomcat, and MS-SQL servers.

    Exploiting CVE-2025-31324

    EclecticIQ's analysis shows that three distinct Chinese hacking groups are leveraging the SAP NetWeaver vulnerability to establish persistent remote access and execute malicious programs:

    • **CL-STA-0048:** Attempted to open a reverse shell from a compromised host to a previously identified malicious IP (43.247.135[.]53).
    • **UNC5221:** Used a web shell dropped through the flaw to deploy KrustyLoader, a Rust-based loader that retrieves second-stage payloads and establishes persistence.
    • **UNC5174:** Downloaded SNOWLIGHT, a loader that in turn fetches VShell, a Go-based remote access trojan, along with a backdoor known as GOREVERSE.

    “China-linked APTs are likely to intensify their focus on internet-exposed enterprise applications and edge devices, thereby gaining long-term access to critical infrastructure networks globally,” Büyükkaya added.


    New SAP Security Patches

    SAP addressed CVE-2025-31324 with an out-of-band fix in April 2025 (SAP Security Note 3594142) and shipped further updates with its May 2025 Patch Day. Onapsis reports an uptick in exploitation attempts since public details of the vulnerability became available, which raises the risk for any organization still running unpatched NetWeaver Java systems.

    The May updates also cover a second severe flaw in the same Visual Composer Metadata Uploader component, CVE-2025-42999 (CVSS 9.1). This is an insecure deserialization bug: a privileged user can upload untrusted content which, when deserialized by the server, can lead to full compromise of the system. Because CVE-2025-31324 lets an unauthenticated attacker reach the same component, the "privileged user" precondition offers little protection in practice, and the two issues should be treated as one exposure.

    Given the active exploitation, organizations are strongly encouraged to apply both SAP Security Notes (3594142 and 3604119) without delay. Where immediate patching is not possible, restrict access to /developmentserver/metadatauploader, disable or remove the Visual Composer component if it is not in use, and treat any system that was internet-exposed before patching as potentially compromised.

    Final Thoughts on Cybersecurity in 2025

    The surge in targeted exploits against SAP NetWeaver shows how quickly a single flaw in a widely deployed enterprise application becomes a nation-state initial-access vector. Security teams must prioritize patching of internet-exposed enterprise applications and hunt for signs of compromise on systems that were exposed before the fix was applied, rather than assuming that patching alone closes the incident.


    Frequently Asked Questions (FAQ)

    What are the implications of the CVE-2025-31324 vulnerability?

    It allows an unauthenticated remote attacker to upload files to, and ultimately execute code on, an SAP NetWeaver Java application server, which can expose sensitive business data and provide a foothold into critical infrastructure operations.

    How can organizations protect themselves against such cyber threats?

    Apply the relevant SAP Security Notes promptly, limit internet exposure of administrative and development endpoints, run regular vulnerability assessments against internet-facing enterprise applications, and monitor those applications for unexpected file uploads and web shell activity.

    What should I do if I suspect my SAP system has been compromised?

    Isolate the affected system from the network (but do not power it off, so that volatile evidence and logs are preserved), look for unexpected .jsp files in the NetWeaver Java servlet directory (irj/servlet_jsp/irj/root under the instance's j2ee/cluster/apps/sap.com path), review web server logs for POST requests to /developmentserver/metadatauploader and for requests to unfamiliar JSP files, check for outbound connections to the indicators above, and engage an incident response team before rebuilding the system and rotating credentials.
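The triage steps above, together with the upload-then-web-shell mechanics described earlier in the article, as an added example (this is not code from the article, EclecticIQ, Onapsis or SAP): a small offline Python script that hunts for the exploit's footprints in reverse-proxy or ICM access logs, in the NetWeaver Java JSP directory and in outbound connection records. It assumes Common Log Format access logs, the Visual Composer endpoint path /developmentserver/metadatauploader and the irj/servlet_jsp/irj/root directory layout; the SAP instance path, the baseline file list, the log lines and the connection records are constructed for the example.

```python
"""Offline triage helpers for suspected CVE-2025-31324 exploitation.

Added example, not code from the article, EclecticIQ or SAP. Assumes Common
Log Format access logs, the endpoint /developmentserver/metadatauploader and
the NetWeaver Java servlet_jsp layout. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Endpoint behind CVE-2025-31324 (Visual Composer Metadata Uploader).
METADATA_UPLOADER = "/developmentserver/metadatauploader"
# Directory (below /usr/sap/<SID>/J<nn>/) from which NetWeaver Java serves
# /irj/<name>.jsp; a web shell written via the uploader lands here.
IRJ_ROOT = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"
# Attacker infrastructure named in the EclecticIQ findings quoted above.
IOC_IPS = frozenset({"15.204.56.106", "43.247.135.53"})

# Common Log Format: host ident user [time] "method target proto" status size
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass(frozen=True)
class Finding:
    kind: str    # upload_attempt | jsp_request | unexpected_jsp | ioc_connection
    detail: str
    src: str = ""


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    m = _CLF.match(line.strip())
    return m.groupdict() if m else None


def _path_of(target: str) -> str:
    # Match on the path only: the uploader is driven by query parameters,
    # and case is not significant for this check.
    return target.split("?", 1)[0].lower()


def hunt_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag POSTs to the metadata uploader (the upload step of the exploit)
    and requests for JSPs directly under /irj/, where a dropped web shell is
    served from. The second rule is a heuristic: baseline it against your
    portal's normal traffic."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        path = _path_of(rec["target"])
        if path == METADATA_UPLOADER and rec["method"] == "POST":
            outcome = "succeeded" if rec["status"] == "200" else "status " + rec["status"]
            findings.append(Finding("upload_attempt", f"POST {rec['target']} ({outcome})", rec["src"]))
        elif re.fullmatch(r"/irj/[^/]+\.jsp", path):
            findings.append(Finding("jsp_request", f"{rec['method']} {rec['target']}", rec["src"]))
    return findings


def unexpected_jsp_files(listing: Iterable[str], baseline: Set[str]) -> List[Finding]:
    """JSP files under the irj root whose names are not in a known-good
    baseline (file names taken from a clean system at the same patch level)."""
    out: List[Finding] = []
    for p in listing:
        norm = p.replace("\\", "/")
        if f"/{IRJ_ROOT}/" in norm and norm.lower().endswith(".jsp"):
            if norm.rsplit("/", 1)[1] not in baseline:
                out.append(Finding("unexpected_jsp", norm))
    return out


def ioc_connections(conns: Iterable[Tuple[str, str, int]]) -> List[Finding]:
    """conns: (source_host, destination_ip, destination_port) records taken
    from firewall or netflow logs for the SAP host."""
    return [Finding("ioc_connection", f"{src} -> {dst}:{port}", src)
            for src, dst, port in conns if dst in IOC_IPS]


def triage(access_log: str, listing: Iterable[str], baseline: Set[str],
           conns: Iterable[Tuple[str, str, int]]) -> Dict[str, List[Finding]]:
    found = hunt_access_log(access_log.splitlines())
    found += unexpected_jsp_files(listing, baseline)
    found += ioc_connections(conns)
    by_kind: Dict[str, List[Finding]] = {}
    for f in found:
        by_kind.setdefault(f.kind, []).append(f)
    return by_kind


# --- constructed sample data (not real logs) ------------------------------
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Apr/2025:02:14:03 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2025:02:14:09 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 318
203.0.113.7 - - [28/Apr/2025:02:14:11 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 94
198.51.100.4 - - [28/Apr/2025:02:15:40 +0000] "GET /irj/tmp.jsp?cmd=id HTTP/1.1" 200 62
10.0.0.12 - - [28/Apr/2025:02:16:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
"""
SAP_INSTANCE = "/usr/sap/PRD/J00/"            # hypothetical SID/instance
SAMPLE_LISTING = [
    SAP_INSTANCE + IRJ_ROOT + "/portal.jsp",  # hypothetical baseline file
    SAP_INSTANCE + IRJ_ROOT + "/tmp.jsp",     # constructed: dropped web shell
    SAP_INSTANCE + IRJ_ROOT + "/css/main.css",
]
SAMPLE_BASELINE = {"portal.jsp"}
SAMPLE_CONNS = [("sap-prd-j00", "10.0.0.5", 443), ("sap-prd-j00", "43.247.135.53", 443)]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_ACCESS_LOG, SAMPLE_LISTING, SAMPLE_BASELINE, SAMPLE_CONNS).items():
        for f in items:
            print(f"[{kind}] {f.detail} {f.src}".rstrip())
```

Run it as-is to see the findings on the constructed data, or feed it real access logs, a `find` listing of the servlet_jsp directory and exported firewall records. The JSP-request rule is only a heuristic; an unexpected JSP on disk that is also being requested from the internet is the strong indicator. Separately, an unauthenticated request to /developmentserver/metadatauploader that is answered with HTTP 200 means the component is reachable without credentials, and the system should be treated as exposed until the SAP note is confirmed applied.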



    Read the original article
