China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
Summary:
In April 2025, EclecticIQ analysts reported with high confidence that Chinese nation-state APTs launched widespread exploitation campaigns targeting SAP NetWeaver Visual Composer by leveraging CVE-2025-31324, a remote code execution vulnerability. These intrusions were attributed to known Chinese-linked threat clusters, including UNC5221, UNC5174, and CL-STA-0048, based on attack patterns and corroborated by findings from Mandiant and Palo Alto Networks. The exploitation infrastructure included an open directory on an attacker-controlled server, revealing logs and reconnaissance data gathered using Nuclei. Files found on the server documented the successful compromise of 581 SAP NetWeaver instances and listed over 1,800 additional domains as future targets.
The campaigns utilized two main web shells: a sophisticated encrypted backdoor resembling Behinder, and forwardsap[.]jsp, a lightweight alternative for executing commands. Both were deployed via the vulnerable /developmentserver/metadatauploader endpoint and provided attackers with stealthy, persistent remote access across affected networks. Victimology analysis revealed a clear strategic targeting of critical infrastructure across the United Kingdom, the United States, and Saudi Arabia, including water utilities, oil exploration, government ministries, and medical manufacturing. The goal appeared to be persistent access and potential disruption of essential services.
CL-STA-0048 was linked to active command-and-control operations through DNS beaconing and reverse shell access. Analysts observed communications with attacker infrastructure and noted reverse shell traffic to an IP using Bash-based payloads. DNS-based pings were also used to confirm successful exploitation, reinforcing attribution to CL-STA-0048. This actor shares infrastructure and methods with previous attacks involving Ivanti vulnerabilities, suggesting continuity in tactics.
Security Officer Comments:
Post-compromise, threat actors conducted extensive reconnaissance using nearly 5,000 remote commands across infected systems, mapping SAP-specific services and nearby hosts. These operations revealed that many victims ran unsegmented VMware ESXi hypervisors, raising risks of lateral movement to sensitive assets. EclecticIQ concluded that Chinese-aligned APTs are strategically focused on compromising widely used enterprise applications such as SAP NetWeaver to gain long-term, high-privilege access to enterprise environments. This includes infiltration into cloud services, hypervisors, and operational technologies, enabling espionage, persistent surveillance, and the potential for disruptive actions during geopolitical tensions.
Suggested Corrections:
Prevention Strategies
- Apply SAP Security Note #3594142 immediately on all affected systems (SAP NetWeaver 7.1x with VCFRAMEWORK).
- If patching is not possible, implement the recommended workaround from SAP Note #3593336:
  - Complete removal of sap.com/devserver_metadataupload_ear.
  - Restrict access to /developmentserver/metadatauploader to internal, authenticated IP ranges.
  - Block unauthenticated or public network access via WAF/firewall rules.
Detection and threat hunting strategies, along with the IOCs published by EclecticIQ, are available at the link below.
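Added threat-hunting example, not code from EclecticIQ or the linked report: it scans web access logs for the exploitation chain summarized above (a POST to /developmentserver/metadatauploader followed by requests to a .jsp file from the same source, or any request to the forwardsap.jsp name) and grades hits by whether the source is outside assumed internal ranges. The NCSA-style log format, the internal CIDRs, the one-hour correlation window and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed NCSA-style access log line: ip - - [timestamp] "METHOD path HTTP/x" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"  # vulnerable endpoint named in the report
KNOWN_SHELLS = ("forwardsap.jsp",)                        # web shell filename named in the report
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed internal ranges
WINDOW_SECONDS = 3600  # assumed window between an upload and the first follow-up .jsp request

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def hunt(lines):
    """Return (severity, source_ip, reason) findings in log order."""
    findings, uploads = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?")[0].lower()
        external = not any(ip_address(rec["ip"]) in net for net in INTERNAL)
        if path == UPLOAD_ENDPOINT and rec["method"] == "POST":
            # Any POST here deserves a look; an accepted POST from outside the internal ranges is worst.
            uploads[rec["ip"]].append(rec["ts"])
            sev = "high" if external and rec["status"] == 200 else "medium"
            findings.append((sev, rec["ip"], f"POST to {UPLOAD_ENDPOINT} (HTTP {rec['status']})"))
        elif path.endswith(".jsp"):
            if any(path.endswith("/" + s) for s in KNOWN_SHELLS):
                findings.append(("high", rec["ip"], f"request to known web shell name {path}"))
            elif any(0 <= (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS for t in uploads[rec["ip"]]):
                findings.append(("high", rec["ip"], f"{path} requested shortly after upload by same IP"))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths), not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:08:01:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2025:08:01:25 +0000] "GET /sap/example/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [12/May/2025:09:14:02 +0000] "GET /sap/example/forwardsap.jsp HTTP/1.1" 200 120
10.1.2.3 - - [12/May/2025:09:30:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
"""
```

Run `hunt(SAMPLE_LOG.splitlines())` to see the three findings; on real logs, feed it the lines of the web server or reverse proxy in front of NetWeaver and adjust INTERNAL to your own ranges.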
Link(s):
https://blog.eclecticiq.com/china-n...2025-31324-to-target-critical-infrastructures