
In a significant escalation of cyber-espionage activities, multiple China-affiliated advanced persistent threat (APT) groups have been found actively exploiting a recently disclosed critical vulnerability in SAP NetWeaver, identified as CVE-2025-31324. This unauthenticated file upload flaw enables remote code execution (RCE), allowing attackers to gain persistent, unauthorized access to vital systems across the globe.

Scope and impact of the campaign

Security researchers at EclecticIQ, led by Arda Büyükkaya, uncovered a trove of evidence on attacker-controlled infrastructure revealing the breadth and depth of this campaign. A publicly exposed directory on the IP address 15.204.56[.]106 contained event logs and data files that confirmed the compromise of 581 SAP NetWeaver instances worldwide. These systems span critical sectors including:

  • Natural gas distribution networks, water, and integrated waste management utilities in the UK
  • Medical device manufacturing plants and oil and gas exploration and production companies in the US
  • Government ministries in Saudi Arabia responsible for investment strategy and financial regulation

Additionally, an extensive list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets.

Attribution to Chinese APT groups

EclecticIQ attributed these intrusions to three distinct China-linked threat clusters:

  • CL-STA-0048: Known for targeting high-value entities in South Asia via exploitation of public-facing IIS, Apache Tomcat, and MS-SQL servers. This group has been observed attempting to establish reverse shells to known malicious IPs.
  • UNC5221: This group deploys a Rust-based malware loader named KrustyLoader, capable of delivering second-stage payloads such as the Sliver framework, facilitating persistence and command execution.
  • UNC5174: Utilizes the SNOWLIGHT loader to fetch a Go-based remote access trojan called VShell and a backdoor named GOREVERSE.

An additional uncategorized China-nexus actor is conducting broad internet scanning and exploitation campaigns against SAP NetWeaver, further amplifying the threat landscape.

Attack methodology and malware deployment

The exploitation of CVE-2025-31324 begins with uploading malicious files to vulnerable SAP NetWeaver servers without authentication. Following successful compromise, attackers deploy multiple web shells to maintain persistent remote access and execute arbitrary commands. These web shells serve as footholds to conduct reconnaissance, lateral movement, and payload delivery.

Notably, the attackers have used:

  • Interactive reverse shells connecting to attacker-controlled IPs
  • Rust-based loaders (KrustyLoader) for modular malware deployment
  • Go-based remote access trojans (VShell)
  • Backdoors (GOREVERSE)

This multi-pronged approach underscores the attackers’ intent to establish long-term strategic access to critical infrastructure networks worldwide.

Emerging vulnerabilities and ongoing threats

The timing of these attacks is particularly concerning as they follow the recent disclosure of another critical SAP NetWeaver vulnerability, CVE-2025-42999, a deserialization flaw in the Visual Composer Metadata Uploader component. This vulnerability allows privileged users to upload malicious content, further expanding the attack surface.

Security firm Onapsis has reported ongoing exploitation activity, including the abuse of web shells left by initial attackers who have since gone silent, indicating the presence of multiple threat actors leveraging public information and tools to maintain access.

Recommendations for SAP NetWeaver users

Given the active exploitation and the critical nature of these vulnerabilities, SAP NetWeaver customers are strongly advised to:

  • Apply the latest SAP patches immediately, including the May 2025 security updates addressing CVE-2025-31324 and CVE-2025-42999.
  • Conduct thorough audits of SAP NetWeaver instances for signs of compromise, such as unauthorized web shells or anomalous network connections.
  • Harden exposed SAP services by restricting internet-facing access and implementing robust monitoring and incident response capabilities.
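As an added illustration of the audit step above (example code, not from the article or from EclecticIQ), the following Python check flags deployed JSP files that were changed after a known-good baseline or that contain OS command-execution markers, and flags established connections to the attacker IP named in the article or outbound from an ephemeral port to a network outside an allowlist. The listening ports, the peer allowlist and the sample file and netstat data are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

KNOWN_BAD_IPS = {"15.204.56.106"}  # attacker host named in the article, defanging removed
# Constructed allowlist of networks this SAP host is expected to talk to.
EXPECTED_PEERS = [ipaddress.ip_network("10.0.0.0/8")]
SAP_LISTEN_PORTS = {50000, 50001}  # assumed Java-stack listening ports (instance 00)
# Heuristic markers of a JSP web shell: OS command execution inside the page.
SHELL_PATTERNS = [re.compile(r"Runtime\.getRuntime\(\)\.exec"), re.compile(r"new\s+ProcessBuilder\(")]
NETSTAT_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\d+\s+ESTABLISHED")

def jsp_findings(content: str, mtime: datetime, baseline: datetime) -> list[str]:
    """Reasons a deployed JSP looks unauthorized; an empty list means clean."""
    reasons = ["written after the last known-good deployment"] if mtime > baseline else []
    reasons += [f"matches /{p.pattern}/" for p in SHELL_PATTERNS if p.search(content)]
    return reasons

def anomalous_connections(netstat_lines: list[str]) -> list[tuple[str, str]]:
    """Flag sessions to known attacker IPs or outbound sessions to unexpected networks."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_port, peer = int(m.group(1)), m.group(2)
        if peer in KNOWN_BAD_IPS:
            hits.append((peer, "known attacker infrastructure"))
        elif local_port not in SAP_LISTEN_PORTS and not any(
                ipaddress.ip_address(peer) in net for net in EXPECTED_PEERS):
            # An ephemeral local port means the SAP host initiated this connection.
            hits.append((peer, "outbound connection to unexpected network"))
    return hits

# Constructed sample data standing in for a real file walk and `netstat -tn` output.
BASELINE = datetime(2025, 4, 1, tzinfo=timezone.utc)
SAMPLE_JSPS = {
    "index.jsp": ("<html><%= request.getRemoteAddr() %></html>", datetime(2025, 1, 10, tzinfo=timezone.utc)),
    "helper.jsp": ('<% Runtime.getRuntime().exec(request.getParameter("c")); %>', datetime(2025, 5, 12, tzinfo=timezone.utc)),
}
SAMPLE_NETSTAT = [
    "tcp 0 0 10.0.0.5:50000 10.0.0.9:54321 ESTABLISHED",  # inbound from an expected client
    "tcp 0 0 10.0.0.5:41922 15.204.56.106:443 ESTABLISHED",  # reverse shell to the article's IP
    "tcp 0 0 10.0.0.5:41923 203.0.113.7:4444 ESTABLISHED",  # outbound to an unknown host
]

def audit() -> tuple[dict[str, list[str]], list[tuple[str, str]]]:
    files = {n: jsp_findings(c, t, BASELINE) for n, (c, t) in SAMPLE_JSPS.items()}
    return {n: r for n, r in files.items() if r}, anomalous_connections(SAMPLE_NETSTAT)
```

On a real host, replace the sample dictionaries with a walk of the deployed web content and the parsed output of `netstat -tn`, and treat every hit as a lead for incident response rather than a verdict.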

This wave of attacks highlights the strategic targeting of widely deployed enterprise platforms like SAP NetWeaver by China-linked APTs aiming to infiltrate and persist within critical infrastructure networks. The combination of unpatched vulnerabilities, sophisticated malware loaders, and persistent web shells presents a formidable challenge to defenders.

As these threat actors continue to refine their tactics and expand their operations, cybersecurity professionals must prioritize rapid patching, vigilant monitoring, and comprehensive threat intelligence sharing to mitigate the risks posed by these ongoing campaigns.

Stay vigilant and ensure your SAP environments are secured against these evolving threats to protect critical infrastructure and sensitive data from nation-state adversaries.
