
Security researchers from Forescout Vedere Labs have identified a China-linked threat actor actively exploiting a maximum-severity vulnerability (CVE-2025-31324, CVSS 10.0) in SAP NetWeaver servers since at least April 2025 [1]. The attacks deploy a Golang-based reverse shell called SuperShell alongside established offensive tools such as Cobalt Strike, targeting energy, manufacturing, and government sectors globally [2].
TL;DR: Key Findings
- CVE-2025-31324: Unauthenticated RCE in SAP NetWeaver (CVSS 10.0) via the Visual Composer metadata uploader endpoint (/developmentserver/metadatauploader)
- Attribution: China-linked threat actor tracked by Forescout as Chaya_004, with C2 infrastructure at 47.97.42[.]177
- Tools: SuperShell (Golang reverse shell), Brute Ratel C4, SoftEther VPN
- Impact: estimates of compromised servers range from roughly 400 to more than 1,200, across critical industries
- Mitigation: Patch SAP immediately, disable Visual Composer if it is not needed, monitor requests to /developmentserver/metadatauploader
Technical Analysis of the Exploitation Chain
The attacks begin with reconnaissance using Chinese-language tools such as ARL and Pocassit, followed by exploitation of the SAP NetWeaver vulnerability through specially crafted requests to the metadata uploader endpoint [3]. Successful exploitation plants webshells on the server for persistence; these are then used to deploy SuperShell, whose C2 channel uses self-signed certificates that impersonate Cloudflare [4].
Post-compromise activity includes lateral movement with Cobalt Strike beacons and deployment of cryptocurrency miners. SecurityWeek reports attackers maintaining access for months in some cases, with initial compromises dating back to January 2025 according to Onapsis honeypot data [3].
Defensive Recommendations
Organizations running SAP NetWeaver should implement the following measures immediately:
| Action | Technical Implementation |
|---|---|
| Patch Management | Apply the out-of-band SAP Security Note for CVE-2025-31324; if Visual Composer is not in use, disable it as well |
| Network Controls | Restrict access to /developmentserver/metadatauploader at the network perimeter (the endpoint requires no authentication) |
| Certificate Monitoring | Alert on self-signed certificates impersonating Cloudflare in outbound TLS traffic |
| Endpoint Detection | Hunt for unexpected Golang binaries (SuperShell), unauthorized SoftEther VPN installations, and newly written webshells on NetWeaver hosts |
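As an added example (not code from the original article or from any of the cited reports), the following Python script applies the monitoring recommendation above to HTTP access logs. It flags probes and POSTs to /developmentserver/metadatauploader, a subsequent .jsp request from the same client (the webshell stage of the chain), any request from the published Chaya_004 IOC address, and a later, different client calling the same .jsp, which is the webshell-reuse pattern behind the second-wave attacks the article mentions. The NCSA log layout, the sample lines and the webshell filename /irj/ping.jsp are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Endpoint abused for unauthenticated file upload in CVE-2025-31324.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# C2 address attributed to Chaya_004 in the reporting summarized above
# (defanged in the text as 47.97.42[.]177).
KNOWN_C2_IPS = {"47.97.42.177"}

# Assumption: logs are in NCSA common/combined layout, which SAP ICM and most
# reverse proxies can be configured to emit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    detail: str


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and normalise case so variants of the path match.
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    return rec


def analyze(lines):
    """Scan log lines in order and return Findings for each stage of the chain:
    known-c2-ip (once per IOC address), uploader-probe (non-POST to the uploader),
    uploader-post (upload attempt), jsp-after-upload (same client then calls a .jsp),
    webshell-reuse (a different client later calls that same .jsp)."""
    findings = []
    reported_c2 = set()
    uploader_clients = set()
    suspect_jsp = {}  # .jsp path -> client that first called it after an upload

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production tool would count these
        ip, ts, method, path, status = (
            rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"])

        if ip in KNOWN_C2_IPS and ip not in reported_c2:
            reported_c2.add(ip)
            findings.append(Finding(ip, ts, "known-c2-ip", f"request from published IOC {ip}"))

        if path.startswith(UPLOADER_PATH):
            uploader_clients.add(ip)
            rule = "uploader-post" if method == "POST" else "uploader-probe"
            findings.append(Finding(ip, ts, rule, f"{method} {path} -> {status}"))
            continue

        if path.endswith(".jsp"):
            if path in suspect_jsp and suspect_jsp[path] != ip:
                findings.append(Finding(ip, ts, "webshell-reuse",
                                        f"{path} first used by {suspect_jsp[path]}"))
            elif ip in uploader_clients and path not in suspect_jsp:
                suspect_jsp[path] = ip
                findings.append(Finding(ip, ts, "jsp-after-upload", f"{method} {path} -> {status}"))
    return findings


# Constructed sample log (not real traffic): a probe, an upload, a webshell
# call, a corrupt line, then a second, unrelated client reusing the webshell.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
47.97.42.177 - - [24/Apr/2025:09:12:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812 "-" "python-requests/2.31"
47.97.42.177 - - [24/Apr/2025:09:12:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 64 "-" "python-requests/2.31"
47.97.42.177 - - [24/Apr/2025:09:13:02 +0000] "GET /irj/ping.jsp?cmd=id HTTP/1.1" 200 211 "-" "python-requests/2.31"
this line is corrupt and must be skipped
10.0.0.9 - - [24/Apr/2025:09:14:10 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2025:11:40:13 +0000] "POST /irj/ping.jsp HTTP/1.1" 200 340 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ts}  {f.ip:<14} {f.rule:<17} {f.detail}")
```

Run against real logs by replacing SAMPLE_LOG with the file contents; any hit on uploader-post or jsp-after-upload on an unpatched system should be treated as a probable compromise rather than a scan, and webshell-reuse hits are the signal that a second actor is riding an earlier intrusion.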
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog in April 2025, requiring federal agencies to patch by May 20, 2025 [6].
Operational Impact and Attribution
Mandiant first observed active exploitation on March 12, 2025, though evidence suggests reconnaissance began earlier. The attribution to China rests on:
“Consistent use of Chinese-language tools in reconnaissance, infrastructure registered to Chinese providers, and tooling overlaps with known Chinese APT playbooks” – Forescout Vedere Labs report [1]
Security Affairs warns of second-wave attacks that leverage webshells left behind by the initial intrusions for lateral movement, indicating this campaign remains active [5].
Conclusion
This campaign shows that advanced threat actors continue to target enterprise middleware. The combination of a critical, unauthenticated SAP vulnerability with readily available tooling such as SuperShell creates significant risk for organizations that run their business on SAP. Immediate patching and enhanced monitoring of SAP systems are essential defensive measures.
References
- “Chinese Hackers Exploit SAP RCE Flaw (CVE-2025-31324) with Golang-Based SuperShell,” The Hacker News, May 9, 2025.
- “Chinese hackers behind attacks targeting SAP NetWeaver servers,” BleepingComputer, May 9, 2025.
- “SAP Zero-Day Targeted Since January, Many Sectors Impacted,” SecurityWeek, May 9, 2025.
- “Chinese Hackers’ SuperShell Heist: How CVE-2025-31324 Turns SAP Servers Into Cyber Playgrounds,” Medium, May 9, 2025.
- “Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324,” Security Affairs, May 5, 2025.
- “U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities Catalog,” Security Affairs, April 2025.