Chinese Threat Actor Targets SAP Servers; 1,284 Systems Exposed to Critical Vulnerability
May 9, 2025
Forescout Vedere Labs has identified a Chinese threat actor, known as Chaya_004, as responsible for recent attacks on SAP NetWeaver servers.
CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to remediate their systems by May 20, 2025.
Attackers have uploaded JSP web shells to public directories and utilized advanced tools like Brute Ratel during post-exploitation, even on fully patched servers.
The attacks exploit a critical vulnerability, CVE-2025-31324, which has a CVSS score of 10.0, allowing remote code execution through unauthenticated file uploads.
Onyphe's CTO noted that around 20 Fortune 500 companies are at risk, with 1,284 instances exposed online and 474 already compromised.
To mitigate the threat, administrators should apply the patch, restrict access to the vulnerable endpoints, and disable unnecessary services.
Chaya_004 employs infrastructure from major Chinese providers like Alibaba and Tencent, indicating a sophisticated and coordinated attack effort.
Mandiant confirmed that exploitation attempts began as early as March 12, 2025, with successful attacks resulting in web shell deployments by the end of March.
The vulnerability's deserialization flaw enables attackers to deploy web shells and gain control over vulnerable SAP systems.
SAP released an emergency patch for this vulnerability on April 24, 2025, but many systems remain unpatched and vulnerable.
Onapsis reported that numerous SAP systems across various sectors, including energy and pharmaceuticals, have been compromised, with evidence of exploitation dating back to January 20, 2025.
Forescout has advised SAP administrators to immediately patch their systems, restrict access to vulnerable services, and monitor for suspicious activity.
Summary based on 3 sources
Sources

BleepingComputer • May 9, 2025
Chinese hackers behind attacks targeting SAP NetWeaver servers
The Hacker News • May 9, 2025
Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
The420.in • May 9, 2025
Chinese Hackers Target SAP Systems in Global Cyber Campaign