Post

Critical SAP Vulnerability Exploited by Chinese Hackers for SuperShell Deployment

Posted
By Tom Grant
1 min read
Critical SAP Vulnerability Exploited by Chinese Hackers for SuperShell Deployment

TL;DR

Chinese hackers have been exploiting a critical flaw in SAP NetWeaver to deploy a Golang-based SuperShell. The vulnerability, CVE-2025-31324, has a CVSS score of 10.0 and has been actively weaponized by the threat actor group Chaya_004. The exploitation was uncovered by Forescout Vedere Labs.

Chinese Hackers Exploit Critical SAP Vulnerability

A China-linked threat actor group, identified as Chaya_004, has been observed exploiting a critical security flaw in SAP NetWeaver, according to a recent report published by Forescout Vedere Labs1. The vulnerability, designated as CVE-2025-31324, carries a CVSS score of 10.0, indicating its severe nature.

Details of the Exploitation

On April 29, 2025, Forescout Vedere Labs discovered a malicious infrastructure likely associated with Chaya_004. This infrastructure was used to weaponize the CVE-2025-31324 vulnerability, allowing the attackers to deploy a Golang-based SuperShell. This SuperShell provides the hackers with extensive control over affected systems, posing significant risks to organizations using SAP NetWeaver.

Understanding CVE-2025-31324

CVE-2025-31324 is a critical remote code execution (RCE) flaw in SAP NetWeaver. This vulnerability allows attackers to execute arbitrary code on the affected server, potentially leading to full system compromise. The high CVSS score of 10.0 underscores the urgency for organizations to address this vulnerability.

Impact and Mitigation

The exploitation of CVE-2025-31324 can have severe consequences for organizations, including data breaches, system disruptions, and potential financial losses. To mitigate this risk, it is crucial for organizations to:

  • Apply the Latest Patches: Ensure that all SAP NetWeaver systems are updated with the latest security patches.
  • Monitor for Suspicious Activity: Implement robust monitoring to detect any unusual activity that may indicate an exploitation attempt.
  • Conduct Regular Security Audits: Perform regular security audits to identify and address potential vulnerabilities.

Conclusion

The exploitation of CVE-2025-31324 by Chinese hackers highlights the ongoing threat posed by advanced cyber adversaries. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such threats.

Additional Resources

For further insights, check:

References

  1. The Hacker News (2025). “Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell”. The Hacker News. Retrieved 2025-05-09. ↩︎

Cybersecurity & Data Protection, Vulnerabilities
cybersecurity sap vulnerabilities
This post is licensed under CC BY 4.0 by the author.