A critical remote code execution vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324) is being actively exploited by a Chinese threat actor to compromise enterprise systems worldwide.
The vulnerability allows attackers to gain remote code execution by uploading malicious web shells through the vulnerable /developmentserver/metadatauploader endpoint.
Exploitation has been observed primarily targeting production environments, where compromised SAP systems could lead to significant operational disruptions and security breaches.
The threat actor, tracked as Chaya_004, has been leveraging this vulnerability since at least April 29, 2025, shortly after proof-of-concept exploits became publicly available.
Their attack infrastructure heavily uses Chinese cloud providers, including Alibaba, Tencent, and Huawei Cloud Services.
This campaign demonstrates a sophisticated approach to infrastructure deployment, with over 700 identified IP addresses sharing consistent configuration patterns.
Forescout researchers identified the malicious infrastructure after recovering an ELF binary named "config" from one of the attacks.
The binary contained an IP address hosting a SuperShell login interface, which led to the discovery of hundreds of additional IP addresses sharing unusual certificate configurations.
The certificates used anomalous self-signed properties impersonating Cloudflare with a specific subject DN attribute.
The exploitation pattern involves POST requests to the vulnerable endpoint, followed by the deployment of web shells with names such as "helper.jsp," "cache.jsp," or randomized eight-letter filenames like "ssonkfrd.jsp."
Once established, these backdoors enable attackers to download additional malicious payloads using curl commands, as demonstrated in the following attack sequence:
POST /developmentserver/metadatauploader HTTP/1.1
Host: [target]
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
Content-Length: [length]
-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="webshell.jsp"
Content-Type: application/octet-stream
-----------------------------9051914041544843365972754266--
The deployed SuperShell backdoors provide attackers with comprehensive system access, allowing them to manipulate service endpoints, harvest credentials, and potentially pivot to more critical SAP components.
The primary backdoor interface was identified on port 8888 with the distinctive path "/supershell/login" across multiple compromised systems.
Organizations running affected SAP versions are strongly urged to apply the security patches released in the April 2025 Patch Day immediately.
Additional recommended mitigations include restricting access to metadata uploader services, disabling unused web services, and implementing real-time monitoring for anomalous access to SAP systems, particularly outside of normal maintenance windows.
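The monitoring recommended above can be reduced to a small check over web access logs for the two-step pattern described earlier (a POST to the metadata uploader followed by requests for web shell filenames). This is an added example, not code from the Forescout report; the combined log format, the sample lines and the /irj/ web shell path are constructed assumptions.

```python
# Added example, not from the Forescout report: flag web-access-log lines that
# match the CVE-2025-31324 exploitation pattern. Log format, sample lines and
# the /irj/ web shell path are constructed assumptions.
import re

UPLOADER = "/developmentserver/metadatauploader"
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}
RANDOM_JSP = re.compile(r"^[a-z]{8}\.jsp$")  # randomized names such as ssonkfrd.jsp
# Combined log format: client - - [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, path):
    """Return an indicator label for one request, or None if it looks benign."""
    base = path.split("?", 1)[0]  # ignore any query string
    if method == "POST" and base.lower() == UPLOADER:
        return "uploader"
    name = base.rsplit("/", 1)[-1]
    if name in KNOWN_SHELLS:
        return "known-shell"
    if RANDOM_JSP.match(name):
        return "random-jsp"
    return None

def scan(lines):
    """Return (client, label, path) for every log line matching an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip
        client, method, path, _status = m.groups()
        label = classify(method, path)
        if label:
            findings.append((client, label, path))
    return findings

def upload_then_shell(findings):
    """Clients that hit the uploader and also requested a suspicious .jsp (strong signal)."""
    uploaders = {c for c, label, _ in findings if label == "uploader"}
    return sorted({c for c, label, _ in findings if c in uploaders and label != "uploader"})

SAMPLE_LOG = [  # constructed sample, not a real capture
    '203.0.113.5 - - [29/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '203.0.113.5 - - [29/Apr/2025:10:02:30 +0000] "GET /irj/ssonkfrd.jsp HTTP/1.1" 200 60',
    '198.51.100.7 - - [29/Apr/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(*hits, upload_then_shell(hits), sep="\n")
```

A single request for a random eight-letter .jsp will produce false positives on some portals; the combined uploader-then-shell sequence from one client is the finding worth paging on.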