CyberSecurity news
@securebulletin.com
China-linked APT groups are actively exploiting a critical vulnerability, CVE-2025-31324, in SAP NetWeaver to breach systems globally. The flaw is an unauthenticated file upload vulnerability that allows remote code execution, giving attackers unauthorized access to sensitive systems. EclecticIQ assesses with high confidence that these attacks, which commenced in April 2025, are being launched by Chinese nation-state APTs targeting critical infrastructure networks. The scope of the campaign is significant, with evidence indicating the compromise of over 580 SAP NetWeaver instances across various sectors.
Researchers at EclecticIQ uncovered evidence revealing the campaign's breadth. A publicly accessible directory on a threat actor-controlled server contained event logs confirming compromises across 581 SAP NetWeaver instances worldwide. These systems span critical sectors like natural gas distribution networks, water, waste management utilities, medical device manufacturing plants, and government ministries. Additionally, a list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets.
The exploitation of CVE-2025-31324 is being attributed to multiple distinct China-linked threat clusters, including CL-STA-0048, UNC5221, and UNC5174. These groups employ various tactics, techniques, and procedures (TTPs), including the use of reverse shells, Rust-based malware loaders like KrustyLoader, and remote access trojans like VShell. In addition to CVE-2025-31324, SAP addressed a second zero-day vulnerability, CVE-2025-42999, which has also been actively exploited in attacks targeting SAP NetWeaver servers and is being used in conjunction with CVE-2025-31324 by threat actors.
References:
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- The Hacker News: BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan
- BleepingComputer: Ransomware gangs join ongoing SAP NetWeaver attacks
- www.techradar.com: SAP NetWeaver woes worsen as ransomware gangs join the attack
- Blog: A second zero-day vulnerability, identified as CVE-2025-42999, which was actively exploited in attacks targeting SAP NetWeaver servers.
- onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
- industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
- socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
- socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
Classification:
- HashTags: #SAPNetWeaver #APTs #CyberEspionage
- Company: SAP
- Target: Critical infrastructure
- Attacker: China-linked APTs
- Product: NetWeaver
- Feature: File Upload
- Type: Vulnerability
- Severity: Major