
Since late April 2025, there has been a surge in attacks on SAP NetWeaver Visual Composer exploiting a critical vulnerability tracked as CVE-2025-31324. The flaw lies in the metadata uploader component: the endpoint /developmentserver/metadatauploader accepts file uploads without authentication, which lets an attacker drop web shells onto the server and leads to remote code execution and full server compromise.
The vulnerability has been assigned the highest possible CVSS score of 10.0 and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Initial signs of exploitation were detected by Forescout Vedere Labs on April 29 through honeypots. Researchers observed a sharp increase in scanning activity, coinciding with widespread attacks orchestrated by an as-yet-unidentified group designated Chaya_004, whose tactics and infrastructure strongly suggest links to China.
The attacks followed a consistent pattern: after uploading web shells, commonly named helper.jsp and ssonkfrd.jsp, the attackers fetched additional payloads from external hosts using curl. Critical business applications such as CRM, SCM and SRM were disrupted, and the attackers gained unauthorized access to metadata, credentials and internal resources. The compromised SAP servers were then used as pivots for lateral movement within the targeted networks.
The most active command infrastructure was traced to IP address 47.97.42[.]177, which hosted a Supershell web shell written in Go. This server was disguised as a Cloudflare endpoint, issuing self-signed certificates with falsified attributes. Using certificate fingerprinting, researchers identified an additional 578 IP addresses, the majority of which were hosted on Chinese cloud services including Alibaba, Tencent, Huawei Cloud, and China Unicom—further reinforcing suspicions of the group’s origin.
These addresses were also linked to a suite of reconnaissance and penetration tools, such as SoftEther VPN, ARL (Asset Reconnaissance Lighthouse), Pocassist, Xray, NPS, NHAS and Cobalt Strike, many of which have Chinese-language interfaces. An ELF binary named config was found during analysis; it acts as a loader for the malicious component svchosts.exe, which it retrieves from the domain search-email[.]com, the command-and-control hub.
Of particular interest was the scan distribution: 37 IP addresses in Microsoft's ASN were actively probing for vulnerable SAP servers, while 14 addresses in Amazon's ASN were observed interacting with already compromised systems. No IP address appeared in both phases, which points to a deliberate separation of reconnaissance and exploitation infrastructure.
Incidents were reported across a wide spectrum of industries, from energy and oil & gas to retail and the public sector. According to Onapsis, the attacks began with reconnaissance activity in January, escalated to successful breaches in March, and culminated in widespread exploitation by April. Alarmingly, some activity was observed even on already patched systems, which suggests the attackers were reusing web shells planted before the patch was applied; applying the patch closes the upload path but does not remove a web shell that is already on disk.
In response to the threat, Forescout has activated its defensive platforms: eyeInspect now monitors suspicious POST requests and JSP file uploads, eyeFocus provides contextual threat analysis and risk assessment, and eyeAlert issues real-time alerts and can initiate automated response actions. One caveat for defenders doing their own checks: in some cases even benign vulnerability scans against this component have caused failures in production environments.
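The attack chain above (an unauthenticated POST to the uploader, then requests for the dropped JSP files) and the kind of POST/JSP monitoring described here can be approximated with a small log-hunting script. The following is an added example, not code from the article or from Forescout; it assumes a combined-log-style access log (for instance from a reverse proxy in front of NetWeaver; the native ICM/AS Java log layout differs, so the regex would need adapting) and uses constructed sample lines with RFC 5737 test addresses, except for the command-server IP quoted in the article. It also separates sources that only probed the endpoint from those that uploaded or used a shell, mirroring the reconnaissance/exploitation split noted above.

```python
import re

# Indicators taken from the article: the exploited endpoint, the two web shell
# names seen in the wild and the most active command server.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"helper.jsp", "ssonkfrd.jsp"}
KNOWN_C2_IPS = {"47.97.42.177"}

# Assumed log format (combined-log style, as a reverse proxy might write it).
# The SAP ICM / AS Java HTTP log layout differs; adapt this regex to your source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the set of finding tags for one request (empty set if benign)."""
    tags = set()
    path = entry["path"].split("?", 1)[0]          # drop the query string
    norm = path.lower().rstrip("/")
    if norm == UPLOAD_ENDPOINT:
        # A POST is an upload attempt; a GET/HEAD is the probing seen in scans.
        tags.add("upload_endpoint_post" if entry["method"] == "POST"
                 else "upload_endpoint_probe")
        if entry["method"] == "POST" and entry["user"] == "-":
            tags.add("unauthenticated")
    if norm.startswith(UPLOAD_ENDPOINT + "/") and norm.endswith(".jsp"):
        # A JSP served from under the uploader path: a dropped web shell in use.
        tags.add("jsp_under_uploader_path")
    if path.rsplit("/", 1)[-1].lower() in KNOWN_WEBSHELLS:
        tags.add("known_webshell_name")
    if entry["src"] in KNOWN_C2_IPS:
        tags.add("known_c2_ip")
    return tags

def scan_log(lines):
    """Classify raw log lines; return (src, method, path, status, tags) per hit."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            alerts.append((entry["src"], entry["method"], entry["path"],
                           entry["status"], tags))
    return alerts

def phase_split(alerts):
    """Split sources that only probed the endpoint from those that uploaded or used a shell."""
    probing, exploiting = set(), set()
    for src, _method, _path, _status, tags in alerts:
        if "upload_endpoint_probe" in tags:
            probing.add(src)
        if tags & {"upload_endpoint_post", "jsp_under_uploader_path", "known_webshell_name"}:
            exploiting.add(src)
    return probing - exploiting, exploiting

# Constructed sample lines (not real traffic). RFC 5737 test addresses are used
# except for the command-server IP quoted in the article.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Apr/2025:10:15:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.10 - - [29/Apr/2025:10:15:07 +0000] "GET /developmentserver/metadatauploader/helper.jsp?cmd=id HTTP/1.1" 200 512',
    '198.51.100.7 - jdoe [29/Apr/2025:10:16:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '47.97.42.177 - - [29/Apr/2025:10:20:33 +0000] "GET /developmentserver/metadatauploader/ssonkfrd.jsp HTTP/1.1" 200 128',
    '198.51.100.9 - - [29/Apr/2025:10:21:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for src, method, path, status, tags in hits:
        print(f"{src:15} {method:4} {status} {path}  <- {', '.join(sorted(tags))}")
    probing, exploiting = phase_split(hits)
    print("probe-only sources:", sorted(probing))
    print("exploiting sources:", sorted(exploiting))
```

On the sample data the script flags four of the five lines: the unauthenticated POST, the two web shell requests (one from the article's command server) and a bare GET probe; the portal request from a logged-in user is ignored. Any POST to the uploader from a source that does not normally use Visual Composer deserves a look regardless of status code, and a JSP name not on the known list is still a finding if it sits under the uploader path.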
Experts strongly recommend immediately applying SAP's security patches for NetWeaver AS Java versions 7.50–7.52, restricting access to the vulnerable upload interface, disabling the Visual Composer component where it is not in use, configuring robust network filtering, and conducting regular penetration tests and activity audits. Because the patch does not remove web shells planted before it was applied, already patched systems should also be checked for unauthorized JSP files and for unexpected outbound connections from the SAP host.
Failure to implement these measures promptly may result in SAP servers not only becoming targets of espionage but also serving as platforms for destructive attacks, data exfiltration, and the propagation of malware across entire enterprise networks.