Sunday, May 18, 2025

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors


A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual Composer 7.x is being actively exploited by a Chinese threat actor, tracked as Chaya_004.

This deserialization flaw allows attackers to upload malicious binaries, including web shells, to unpatched servers, granting full system takeover capabilities.

According to research from Forescout, exploitation has been observed since at least April 29, 2025, with scans targeting the vulnerable /developmentserver/metadatauploader endpoint.


The attacks have primarily impacted manufacturing environments, where compromised SAP systems could disrupt operations and expose sensitive data.

Critical SAP NetWeaver Flaw

According to the report, Forescout’s investigation uncovered a sprawling malicious infrastructure linked to Chaya_004, likely operating out of China.

The network includes servers hosted on Chinese cloud providers such as Alibaba and Tencent, deploying Supershell, a Go-based reverse shell developed by a Chinese-speaking coder named “tdragon6”, as the primary backdoor.

Additional tools, such as NPS (an intranet penetration proxy), NHAS (a penetration testing toolkit), and Cobalt Strike, were identified across 787 IP addresses with consistent anomalous self-signed certificates mimicking Cloudflare.

Notably, an ELF binary named “config” and a malware sample, svchosts.exe, led researchers to C2 domains and automated penetration testing platforms hosted on IPs like 47.97.42.177 and 8.210.65.56.

Exploitation patterns show attackers using POST requests to deploy web shells with names like helper.jsp or randomized 8-letter variants, often followed by curl commands to fetch additional payloads.
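The exploitation pattern described above (scans and POST requests against the /developmentserver/metadatauploader endpoint, followed by requests to a web shell named helper.jsp or a random 8-letter .jsp name) can be turned into a simple access-log detector. The following is an added example written for this article; it is not Forescout's code or SAP's. It assumes Apache/NGINX-style combined log lines, uses constructed sample entries with RFC 5737 documentation addresses, and treats the 8-letter .jsp rule as a heuristic that needs an allowlist in a real deployment.

```python
import re
from dataclasses import dataclass

# Endpoint the report says scanners and exploitation attempts target.
UPLOADER = "/developmentserver/metadatauploader"

# Web shell names described in the report: helper.jsp or a random 8-letter name.
# Heuristic only: legitimate 8-letter .jsp pages must be allowlisted in production.
WEBSHELL_RE = re.compile(r"/(helper|[a-z]{8})\.jsp\b", re.IGNORECASE)

# Minimal parser for combined-format access log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Apr/2025:10:15:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.10 - - [29/Apr/2025:10:15:04 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 77',
    '203.0.113.10 - - [29/Apr/2025:10:15:09 +0000] "GET /helper.jsp HTTP/1.1" 200 1043',
    '198.51.100.7 - - [29/Apr/2025:10:16:00 +0000] "GET /irj/portal HTTP/1.1" 200 8821',
    '203.0.113.22 - - [29/Apr/2025:10:17:30 +0000] "GET /abcdefgh.jsp HTTP/1.1" 404 196',
    'this line is malformed and must be skipped',
]


@dataclass
class Finding:
    src_ip: str
    kind: str
    path: str
    status: int


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map a parsed request to a detection category, or None if uninteresting."""
    path = entry["path"].split("?", 1)[0]
    if path.lower().startswith(UPLOADER):
        # GET = reconnaissance scan; POST = attempted upload of a web shell.
        return "uploader_post" if entry["method"].upper() == "POST" else "uploader_probe"
    if WEBSHELL_RE.search(path):
        return "webshell_access"
    return None


def scan_log(lines):
    """Run the classifier over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            findings.append(Finding(entry["ip"], kind, entry["path"], int(entry["status"])))
    return findings


def summarize(findings):
    """Group detection categories by source IP."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f.src_ip, set()).add(f.kind)
    return per_ip


def likely_compromised(findings):
    """IPs that POSTed to the uploader and then reached a web shell: escalate these first."""
    per_ip = summarize(findings)
    return sorted(ip for ip, kinds in per_ip.items()
                  if {"uploader_post", "webshell_access"} <= kinds)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.src_ip:15} {h.kind:16} {h.status} {h.path}")
    print("likely compromised:", likely_compromised(hits))
```

A 404 on a random .jsp name (as for 203.0.113.22 above) is still worth recording: it usually means the upload failed or the shell was removed, and the source should be correlated with uploader traffic elsewhere. A 200 on the POST followed by a 200 on the shell is the sequence that warrants incident response.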

The potential fallout includes service disruption, credential theft, lateral movement to critical SAP components like HANA databases, and regulatory violations under GDPR or HIPAA.

Chaya_004 Infrastructure

Forescout’s analysis suggests opportunistic scans and targeted campaigns, with 37 unique IPs scanning for vulnerable endpoints and 13 IPs attempting exploitation on customer networks.

The latter were traced to ASNs such as Scaleway (AS12876) and Contabo (AS51167), which are often abused by threat actors.

SAP released patches in April 2025 for NetWeaver AS Java versions 7.50–7.52, and organizations are urged to apply them immediately.

Additional mitigations include restricting access to metadata uploader services, disabling non-essential Visual Composer instances, and monitoring for anomalous activity outside maintenance windows.

Forescout has enhanced its OT/eyeInspect, eyeFocus, and eyeAlert platforms with detection logic, threat intelligence integration, and real-time alerting to combat this threat.

Indicators of Compromise (IoCs)

Below are key IoCs associated with CVE-2025-31324 exploitation, as provided by Forescout Vedere Labs:

IoC                                                                | Description
-------------------------------------------------------------------|---------------------------
47.97.42.177                                                       | Initial SuperShell host
49.232.93.226                                                      | Malware distribution node
8.210.65.56                                                        | Automated pentest platform
search-email[.]com                                                 | C2 domain
888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef   | Config ELF binary hash
f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779   | svchosts.exe malware hash


Aman Mishra
