Chinese hackers exploit SAP vulnerability
Briefly

A Chinese-linked threat actor codenamed Chaya_004 has been exploiting a critical security vulnerability (CVE-2025-31324) in SAP NetWeaver since April 29, 2025. This flaw allows for remote code execution via a vulnerable endpoint, affecting numerous sectors worldwide. Forescout Vedere Labs discovered the actor's infrastructure, which includes a Golang web-based reverse shell named SuperShell. Various threat actors are exploiting this vulnerability, deploying webshells and employing tools like the Brute Ratel C4 platform. Reconnaissance activities started in January 2025, with the first known exploitation on March 12, 2025. Incidents vary across sectors, causing significant concern in cybersecurity.
According to Onapsis, attacks have affected hundreds of SAP systems worldwide, across diverse sectors such as energy, manufacturing, and government.
CVE-2025-31324 allows attackers to execute code remotely by uploading webshells through a vulnerable SAP NetWeaver endpoint.
Read at Techzine Global