Chinese Hackers Exploit SAP NetWeaver RCE Flaw

A China-linked threat actor, dubbed Chaya_004, has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. This vulnerability, identified as CVE-2025-31324, allows for remote code execution (RCE) and has been actively exploited since late April 2025.

Discovery and Analysis of the Vulnerability

Forescout Vedere Labs published a report detailing the malicious infrastructure associated with the hacking group weaponizing CVE-2025-31324. This critical flaw in SAP NetWeaver allows attackers to achieve remote code execution by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint. The vulnerability has a CVSS score of 10.0, indicating its severity.

CVE-2025-31324: A Deep Dive

CVE-2025-31324 is a critical vulnerability that resides within the SAP NetWeaver platform. SAP NetWeaver is a widely used platform that serves as the foundation for many SAP applications, providing essential services such as application server functionality, enterprise service bus capabilities, and identity management. The vulnerability specifically affects the "/developmentserver/metadatauploader" endpoint, which is intended for uploading metadata related to development activities.

The flaw allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server. Web shells are malicious scripts that enable attackers to execute commands on the compromised system remotely. By exploiting this vulnerability, attackers can gain complete control over the SAP NetWeaver system, potentially leading to data breaches, system disruptions, and further lateral movement within the network.

Real-World Exploitation and Impact

ReliaQuest first flagged the vulnerability in late April 2025, noting that it was being actively abused in real-world attacks. Threat actors were observed dropping web shells and the Brute Ratel C4 post-exploitation framework onto compromised systems.

Onapsis, a cybersecurity firm specializing in SAP security, reported that hundreds of SAP systems globally have fallen victim to these attacks. The affected industries span a wide range, including:

• Energy and utilities
• Manufacturing
• Media and entertainment
• Oil and gas
• Pharmaceuticals
• Retail
• Government organizations

Onapsis also observed reconnaissance activity involving testing with specific payloads against this vulnerability as far back as January 20, 2025. Successful compromises involving the deployment of web shells were observed between March 14 and March 31.

The Brute Ratel C4 Framework

The Brute Ratel C4 (Command and Control) framework is an advanced post-exploitation tool used by threat actors to maintain persistence, move laterally within a network, and execute malicious commands. Unlike traditional penetration testing tools, Brute Ratel is designed to evade detection by endpoint detection and response (EDR) systems and other security solutions.

The framework's key features include:

• Advanced evasion techniques: Brute Ratel employs various techniques to bypass security controls, such as process injection, memory manipulation, and anti-forensic measures.
• Customizable payloads: The framework allows attackers to create custom payloads tailored to specific targets and environments.
• Stealth communication: Brute Ratel uses encrypted communication channels and covert communication methods to avoid detection.
• Lateral movement capabilities: The framework provides tools for attackers to move laterally within a network, compromising additional systems and escalating privileges.

The deployment of Brute Ratel C4 in conjunction with the SAP NetWeaver vulnerability highlights the sophistication and potential impact of these attacks.

The Rise of Opportunistic Exploitation

In recent days, multiple threat actors have reportedly joined the exploitation bandwagon, opportunistically targeting vulnerable systems to deploy web shells and even mine cryptocurrency. This surge in exploitation activity underscores the urgency for organizations to patch their SAP NetWeaver systems and implement appropriate security measures.

Technical Details of the Attack

The attack typically unfolds in the following stages:

1. Reconnaissance: The attacker scans the internet for vulnerable SAP NetWeaver systems using automated tools and techniques.
2. Exploitation: The attacker exploits the CVE-2025-31324 vulnerability by sending a specially crafted request to the "/developmentserver/metadatauploader" endpoint. This request contains a malicious payload, such as a web shell.
3. Web Shell Deployment: The SAP NetWeaver system processes the malicious request and deploys the web shell to a publicly accessible directory.
4. Command Execution: The attacker accesses the web shell through a web browser and uses it to execute arbitrary commands on the compromised system.
5. Post-Exploitation: The attacker performs post-exploitation activities, such as gathering sensitive information, installing malware, and moving laterally within the network.

Example Attack Scenario

Consider a scenario where an attacker identifies a vulnerable SAP NetWeaver system belonging to a manufacturing company. The attacker crafts a malicious request containing a web shell and sends it to the "/developmentserver/metadatauploader" endpoint. The SAP NetWeaver system processes the request and deploys the web shell to a directory accessible via the web.

The attacker then accesses the web shell through a web browser and uses it to execute commands on the compromised system. The attacker may start by gathering information about the system, such as the operating system version, installed software, and network configuration. The attacker may then attempt to access sensitive data, such as customer records, financial information, or intellectual property.

In a more advanced scenario, the attacker may use the compromised system as a staging ground for further attacks. The attacker may install malware, such as keyloggers or ransomware, to compromise additional systems within the network. The attacker may also attempt to move laterally to other systems, such as domain controllers or database servers, to gain broader access to the organization's resources.

Mitigation Strategies

To mitigate the risk of exploitation, organizations should take the following steps:

• Apply the latest security patches: SAP has released security patches to address the CVE-2025-31324 vulnerability. Organizations should apply these patches as soon as possible to protect their systems.
• Disable or restrict access to the "/developmentserver/metadatauploader" endpoint: If the endpoint is not required for legitimate business purposes, it should be disabled. If it is required, access should be restricted to authorized users only.
• Implement web application firewall (WAF) rules: WAFs can be used to detect and block malicious requests targeting the "/developmentserver/metadatauploader" endpoint.
• Monitor SAP NetWeaver systems for suspicious activity: Organizations should implement security monitoring tools and techniques to detect and respond to suspicious activity on their SAP NetWeaver systems.
• Conduct regular security assessments: Organizations should conduct regular security assessments, such as penetration testing and vulnerability scanning, to identify and address security weaknesses in their SAP NetWeaver environments.
• Implement a robust incident response plan: Organizations should have a well-defined incident response plan in place to respond to security incidents involving their SAP NetWeaver systems.

Advanced Security Measures

In addition to the basic mitigation strategies, organizations should consider implementing more advanced security measures to protect their SAP NetWeaver environments. These measures include:

• Network segmentation: Segmenting the network can help to isolate SAP NetWeaver systems from other parts of the network, limiting the potential impact of a successful attack.
• Multi-factor authentication (MFA): Implementing MFA can help to prevent unauthorized access to SAP NetWeaver systems, even if an attacker has obtained a valid username and password.
• Data loss prevention (DLP): DLP solutions can help to prevent sensitive data from being exfiltrated from SAP NetWeaver systems.
• Security information and event management (SIEM): SIEM systems can help to aggregate and analyze security logs from SAP NetWeaver systems, providing valuable insights into potential security threats.

The Importance of Proactive Security

The exploitation of the SAP NetWeaver vulnerability highlights the importance of proactive security measures. Organizations cannot afford to wait for attacks to occur before taking action. They must implement a comprehensive security strategy that includes vulnerability management, security monitoring, and incident response.

By taking a proactive approach to security, organizations can significantly reduce their risk of being compromised by cyber attacks. This includes staying informed about the latest security threats, implementing appropriate security controls, and continuously monitoring their systems for suspicious activity.

Conclusion

The exploitation of the SAP NetWeaver RCE flaw (CVE-2025-31324) by Chinese hackers underscores the critical need for organizations to prioritize SAP security. The vulnerability allows attackers to gain remote code execution by uploading web shells, leading to widespread compromises across various industries. By applying the latest security patches, implementing appropriate security measures, and monitoring their systems for suspicious activity, organizations can significantly reduce their risk of being compromised.

The incident also highlights the importance of collaboration between security vendors, researchers, and organizations. By sharing information about security threats and vulnerabilities, the security community can work together to protect against cyber attacks.