SAP released an out-of-band emergency patch on April 24 to address this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the vulnerability being targeted in attacks. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. ReliaQuest reported that multiple customers' systems were breached through unauthorized file uploads on SAP NetWeaver, with the threat actors uploading JSP web shells to public directories, as well as the Brute Ratel red team tool in the post-exploitation phase of their attacks. "As part of our investigation into active exploitation of this vulnerability, we uncovered malicious infrastructure likely belonging to a Chinese threat actor, which we are currently tracking as Chaya_004 – following our convention for unnamed threat actors," Forescout said. Mandiant also observed CVE-2025-31324 zero-day attacks dating back to at least mid-March 2025, while Onapsis updated its original report to say its honeypot first captured reconnaissance activity and payload testing since January 20, with exploitation attempts starting on February 10. CISA has also added the CVE-2025-31324 security flaw to its Known Exploited Vulnerabilities Catalog one week ago, ordering U.S. federal agencies to secure their systems against these attacks by May 20, as required by Binding Operational Directive (BOD) 22-01. This exploitation activity was also confirmed by other cybersecurity firms, including watchTowr and Onapsis, who also confirmed the attackers were uploading web shell backdoors on unpatched instances exposed online. More recent attacks on April 29 have been linked to a Chinese threat actor tracked by Forescout's Vedere Labs as Chaya_004. SAP admins are advised to immediately patch their NetWeaver instances, restrict access to metadata uploader services, monitor for suspicious activity on their servers, and consider disabling the Visual Composer service if possible. The Shadowserver Foundation is now tracking 204 SAP Netweaver servers exposed online and vulnerable to CVE-2025-31324 attacks. These attacks were launched from IP addresses using anomalous self-signed certificates impersonating Cloudflare, many of them belonging to Chinese cloud providers (e.g., Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom). Onyphe CTO Patrice Auffret also told BleepingComputer in late April that "Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised," adding that at the time, there were 1,284 vulnerable instances exposed online, 474 of which were already compromised. Successful exploitation enables unauthenticated attackers to upload malicious files without logging in, allowing them to gain remote code execution and potentially leading to complete system compromise.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 09 May 2025 16:25:02 +0000