A critical remote code execution vulnerability in SAP NetWeaver Visual Composer, tracked as CVE-2025-31324, is being actively exploited by a Chinese threat actor to compromise enterprise systems worldwide.

The vulnerability allows attackers to achieve remote code execution by uploading malicious web shells through the vulnerable /developmentserver/metadatauploader endpoint. The threat actor, tracked as Chaya_004, has been leveraging the flaw since at least April 29, 2025, shortly after proof-of-concept exploits became publicly available. Exploitation has been observed primarily against manufacturing environments, where a compromised SAP system can cause significant operational disruption as well as a security breach.

Forescout researchers identified the malicious infrastructure after recovering an ELF binary named "config" from one of the attacks. The binary contained an IP address hosting a SuperShell login interface, and pivoting on that host led to the discovery of hundreds of additional IP addresses sharing unusual certificate configurations. In total, more than 700 IP addresses with consistent configuration patterns were identified, which points to a deliberate, well-organized approach to infrastructure deployment. The attack infrastructure relies heavily on Chinese cloud providers, including Alibaba, Tencent, and Huawei Cloud Services.

The primary backdoor interface was identified on port 8888 with the distinctive path "/supershell/login" across multiple compromised systems. The deployed SuperShell backdoors give the attackers comprehensive system access, allowing them to manipulate service endpoints, harvest credentials, and potentially pivot to more critical SAP components.

Organizations running affected SAP versions are strongly urged to apply the security patches SAP released in April 2025 immediately. Additional recommended mitigations include restricting access to the metadata uploader service, disabling unused web services, and implementing real-time monitoring for anomalous access to SAP systems, particularly outside of regular maintenance windows.

Written by Tushar, cyber security content editor at Cyber Security News.
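The monitoring recommendation above is easiest to act on at the web-server log level: every exploitation attempt against CVE-2025-31324 has to touch the /developmentserver/metadatauploader path, and a POST to it from an unexpected source, or at an unexpected hour, is the signal to alert on. The script below is an added example written for this article, not code from Forescout or SAP. It scans constructed access-log lines in NCSA combined format (the real ICM log format may differ, so adapt the regex), flags any request to the endpoint, raises the severity for POSTs (a possible web-shell upload) and for activity outside a hypothetical maintenance window, and separately flags outbound connections from SAP hosts to port 8888 as worth reviewing against the SuperShell indicator. The IP addresses, timestamps and the 22:00 to 23:59 UTC window are assumptions chosen for the example.

```python
import re
from datetime import datetime, time as dtime

# Constructed sample lines (NCSA combined format). Not taken from the article;
# they only illustrate what probing and exploiting the endpoint looks like.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [29/Apr/2025:03:12:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [29/Apr/2025:03:12:51 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:03:13:02 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - admin [30/Apr/2025:22:15:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_PATH = "/developmentserver/metadatauploader"
# Hypothetical maintenance window in UTC; replace with the real change schedule.
MAINT_START, MAINT_END = dtime(22, 0), dtime(23, 59)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def in_maintenance_window(ts):
    return MAINT_START <= ts.time() <= MAINT_END


def classify(entry):
    """Severity for one parsed entry, or None if it does not touch the endpoint."""
    path = entry["path"].split("?", 1)[0]      # drop the query string before matching
    if not path.startswith(VULN_PATH):
        return None
    # A POST is a potential web-shell upload; a GET is usually a reachability probe.
    severity = "high" if entry["method"] == "POST" else "medium"
    # Any activity outside the maintenance window is escalated one step.
    if not in_maintenance_window(entry["ts"]):
        severity = "critical" if severity == "high" else "high"
    return severity


def scan_access_log(text):
    """Return one finding per request that hit the metadata uploader endpoint."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "ts": entry["ts"].isoformat(), "severity": severity})
    return findings


SUPERSHELL_PORT = 8888

def suspicious_egress(conn_records, sap_hosts):
    """Flag outbound connections from SAP hosts to port 8888.
    conn_records: iterable of (src_ip, dst_ip, dst_port) tuples from a firewall
    or NetFlow export (constructed here). Port 8888 alone is only a lead, so the
    destination should be checked for the /supershell/login panel before escalating."""
    return [r for r in conn_records if r[0] in sap_hosts and r[2] == SUPERSHELL_PORT]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f)
    flows = [("10.0.0.5", "203.0.113.10", 8888), ("10.0.0.5", "10.0.0.9", 443)]
    print(suspicious_egress(flows, {"10.0.0.5"}))
```

Run against the constructed sample, the scanner ignores the /irj/portal request, rates the early-morning GET as high, the early-morning POST from the same external address as critical, and the POST inside the maintenance window as high; the egress helper returns only the flow to port 8888. Tune the window, and add an allow-list of hosts that legitimately deploy Visual Composer models, before wiring this into an alerting pipeline.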
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 10 May 2025 01:15:08 +0000