News from the AI & ML world
@cyberpress.org
A critical security flaw, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x is under active exploitation in the wild. This deserialization vulnerability allows unauthenticated remote code execution through malicious uploads to the `/developmentserver/metadatauploader` endpoint. Attackers are leveraging this flaw to deploy web shells and gain full control of vulnerable SAP servers. Forescout Vedere Labs researchers have linked ongoing attacks targeting this vulnerability to a Chinese threat actor dubbed Chaya_004. Evidence suggests opportunistic scanning and exploitation attempts against SAP systems have been occurring since late April 2025 across multiple industries.
The Chinese-speaking threat group tracked as Chaya_004 by Forescout has been actively exploiting the SAP NetWeaver vulnerability. The attackers have not only deployed classic web shells but have also installed sophisticated management backdoors like Supershell, a Go-based remote shell favored among Chinese APT operators. Forescout's adversary engagement environments detected mass scanning shortly after the public disclosure of the bug and its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The scanning activity primarily originated from Microsoft and Amazon cloud ASNs, indicating both benign research and malicious reconnaissance efforts.
Technical analysis of the attacker's infrastructure revealed a network of over 500 IPs, many hosted on leading Chinese cloud providers. This infrastructure contained not just Supershell but also an arsenal of penetration testing and asset discovery tools. The observed toolset includes NPS, SoftEther VPN, Cobalt Strike, ARL, Pocassit, Gosint, and bespoke tunnels written in Go. The use of Chinese cloud providers and Chinese-language tools strongly suggests the campaign is orchestrated by a seasoned Chinese threat actor. Applying the latest security patches is crucial for organizations to protect their SAP NetWeaver systems from potential compromise.
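As an added illustration (not code from the article or from Forescout), the following script flags the exploitation pattern described above in a web-server access log: POSTs to the `/developmentserver/metadatauploader` endpoint, GET probes of it, and JSP resources served to the same client afterwards. The NCSA-style log format and the sample lines are constructed assumptions; real NetWeaver Java access logs differ and the regex would need adapting.

```python
import re
import sys

# Constructed sample access log (NCSA combined style is an assumption);
# these lines are invented for the example, not real SAP log data.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [30/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 312
203.0.113.7 - - [30/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.2 - - [30/Apr/2025:10:02:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1024
192.0.2.9 - - [30/Apr/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
VULN_ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named in the article
JSP_RE = re.compile(r"\.jsp(?:\?|$)", re.IGNORECASE)   # web-shell extension on a Java stack

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (ip, severity, reason, path) tuples. A POST to the uploader is
    high severity; a JSP served afterwards to the same client is high (likely
    web shell); a GET probe of the endpoint alone is medium (scanning)."""
    findings = []
    uploaders = set()
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(VULN_ENDPOINT):
            if rec["method"] == "POST":
                uploaders.add(rec["ip"])
                findings.append((rec["ip"], "high", "POST to metadatauploader (possible exploit upload)", rec["path"]))
            else:
                findings.append((rec["ip"], "medium", "probe of metadatauploader endpoint", rec["path"]))
        elif rec["ip"] in uploaders and JSP_RE.search(rec["path"]) and rec["status"] == "200":
            findings.append((rec["ip"], "high", "JSP served after upload (possible web shell)", rec["path"]))
    return findings

if __name__ == "__main__":
    # Pass a log file path to scan it; with no argument the constructed sample is used.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, sev, why, p in find_suspicious(src):
        print(f"{sev:6} {ip:15} {why}: {p}")
```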
References:
- Cyber Security News: A critical deserialization vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild, according to recent research by Forescout.
- The Hacker News: Hundreds of SAP NetWeaver instances hacked via a zero-day that allows remote code execution, not only arbitrary file uploads, as initially believed.
Classification:
- HashTags: #SAPsecurity #CybersecurityThreats #CVEexploit
- Company: SAP
- Target: SAP NetWeaver users
- Attacker: ColdRiver
- Product: SAP NetWeaver
- Feature: Visual Composer Metadata Uploa
- Malware: LOSTKEYS
- Type: Hack
- Severity: Major