
SAP NetWeaver Vulnerability: Critical Remote Code Execution Flaw Actively Exploited by Chinese Hackers
SAP NetWeaver at Risk: Protecting Your Business from Active Exploits – Critical Vulnerability Exposes Business Systems
A critical zero-day vulnerability in SAP NetWeaver, identified as CVE-2025-31324, has been actively exploited by Chinese threat actors since early 2025. This vulnerability affects the Visual Composer component of SAP NetWeaver Application Server Java systems and allows attackers to upload arbitrary files through a susceptible “/developmentserver/metadatauploader” endpoint, resulting in remote code execution.
With a maximum CVSS score of 10.0, this vulnerability represents the most severe security risk possible, allowing unauthenticated attackers to gain complete control over affected systems without requiring any user interaction.
Severity: Maximum Impact
The severity of this vulnerability cannot be overstated:
- It allows for complete system compromise without authentication
- It provides attackers with full access at the <sid>adm operating system level
- It enables threat actors to access all SAP resources, including the SAP system database without restrictions
- It creates a foothold that can be used to pivot to other systems in your network
- It has the potential to lead to ransomware deployment, financial record manipulation, data theft, and critical business disruption
The Exploitation: Simple Method, Devastating Results
The exploitation method is alarmingly straightforward. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted HTTP requests (GET, POST, or HEAD). No authentication is required, making this vulnerability particularly dangerous.
Upon successful exploitation, attackers upload web shells – small malicious scripts that establish persistent access and allow them to execute arbitrary commands on the compromised system. Common web shell filenames observed in these attacks include “helper.jsp”, “cache.jsp”, “coresap.jsp”, “webhelp.jsp”, and various hidden variants.
The simplicity of exploitation combined with the critical impact has made this vulnerability a prime target for widespread attacks.
The Threat Actors: Chinese Hackers Lead the Charge
A China-linked threat actor dubbed “Chaya_004” has been observed exploiting this vulnerability since at least April 29, 2025. According to security researchers at Forescout Vedere Labs, this group has deployed a Golang-based reverse shell called “SuperShell” on compromised systems.
The attackers’ infrastructure hosts various hacking tools, including:
- NPS (proxy server)
- SoftEther VPN
- Cobalt Strike (penetration testing tool often used maliciously)
- Asset Reconnaissance Lighthouse (ARL)
- Pocassist (vulnerability scanning tool)
- GOSINT (intelligence gathering framework)
- GO Simple Tunnel
The use of Chinese cloud providers and Chinese-language tools strongly suggests that the threat actor is based in China.
While the original attackers appear to have gone quiet as of late April, security researchers warn that their exploits have likely been captured and could be used in future attacks by other threat actor groups. Additionally, many opportunistic attackers are now using publicly available information to trigger exploitation and abuse web shells placed by the original attackers.
Organizations at Risk: Widespread Impact
The impact of this vulnerability extends across industries and geographies. According to security researchers, hundreds of SAP systems globally have fallen victim to attacks spanning:
- Energy and utilities
- Manufacturing
- Media and entertainment
- Oil and gas
- Pharmaceuticals
- Retail
- Government organizations
Any organization running SAP NetWeaver with the Visual Composer component installed is at risk. While this component is not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its utility in helping business process specialists develop business components without coding.
Research indicates this component is installed and enabled in at least 50% of Java systems, with some estimates suggesting the percentage could be as high as 70%.
Remediation: Critical Actions Required
If your organization uses SAP systems, immediate action is required:
- Apply the official patch: SAP has released Security Note #3594142 with hot fix support packages to address the vulnerability. This is the most effective long-term solution.
- Implement mitigations if patching isn’t immediately possible:
  - Remove the vulnerable application entirely (SAP’s recommended workaround)
  - Disable the vulnerable endpoint
  - Stop the Visual Composer service if not in use
- Check for compromise:
  - Scan for suspicious files (especially .jsp, .java, or .class files) in key directories
  - Monitor for unusual network traffic or system behavior
  - Use available tools like YARA rules and open-source scanners to identify indicators of compromise
- Restrict network access:
  - Implement strict network segmentation
  - Limit access to SAP systems, especially from the Internet
  - Use Web Application Firewalls with appropriate rule sets
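As an added illustration of the "check for compromise" step (example code written for this page, not code from SAP or from the researchers cited), the following Python script walks a constructed access-log sample for the two indicators named above, requests to the vulnerable metadatauploader endpoint and requests for the reported web shell filenames, and correlates the two per source IP. The Common Log Format layout, the sample IPs and the /irj/ path are assumptions; adapt the regex to the log source actually in use.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format. The field layout is an
# assumption; SAP's ICM/HTTP access log format differs and must be adapted.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [29/Apr/2025:10:02:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.7 - - [29/Apr/2025:10:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 2048
198.51.100.7 - - [29/Apr/2025:10:06:01 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
192.0.2.44 - - [29/Apr/2025:10:09:30 +0000] "GET /webhelp.jsp HTTP/1.1" 404 0
"""

VULN_ENDPOINT = "/developmentserver/metadatauploader"
# Web shell filenames reported in the advisory above.
KNOWN_SHELLS = {"helper.jsp", "cache.jsp", "coresap.jsp", "webhelp.jsp"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return (findings, correlated_ips).

    findings: list of (ip, reason, path) for every line worth analyst review.
    correlated_ips: source IPs that both hit the upload endpoint and
    successfully fetched a known web shell name, the strongest signal here.
    """
    findings = []
    hit_uploader = defaultdict(list)
    fetched_shell = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        base = path.rsplit("/", 1)[-1].lower()       # filename component only
        if path == VULN_ENDPOINT:
            findings.append((rec["ip"], "metadatauploader request", path))
            hit_uploader[rec["ip"]].append(rec["ts"])
        elif base in KNOWN_SHELLS:
            findings.append((rec["ip"], "known web shell name", path))
            if rec["status"] == "200":
                fetched_shell[rec["ip"]].append(rec["ts"])
    return findings, set(hit_uploader) & set(fetched_shell)
```

Any hit on the endpoint from an external address deserves review even without the correlation, since a HEAD or GET probe may precede the actual upload.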
How CinchOps Can Help Secure Your Business
In this critical time of active exploitation, your business needs expert guidance and support to secure your SAP environment. CinchOps offers comprehensive SAP security services tailored to address this specific threat and strengthen your overall security posture:
- Emergency Patching Support: We’ll assist your team in applying the critical patches correctly, ensuring your systems are protected while minimizing business disruption.
- Network Security Hardening: We’ll help implement proper network segmentation and access controls to protect your SAP environment from both external and internal threats.
- Ongoing Monitoring and Protection: Our managed security services provide continuous monitoring of your SAP systems, detecting and responding to suspicious activities before they become major incidents.
- 24/7 Monitoring and Response: CinchOps continuously monitors your network for suspicious activities, providing immediate response to potential threats.
- Security Policy Implementation: We help establish strong security policies, including password management and remote access controls.
- Regular Security Updates: We ensure all your network devices receive timely security patches and firmware updates to maintain protection against emerging threats.
Don’t wait until your critical business systems are compromised. Contact CinchOps today for a comprehensive SAP security assessment and protect your organization from this severe threat. Our team of experienced IT professionals understands the unique challenges of securing complex SAP environments and can provide the guidance and support you need to maintain business continuity in the face of these sophisticated attacks.
For Additional Information on this topic: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell