EclecticIQ analysts have confirmed with high confidence that multiple China-nexus advanced persistent threat (APT) groups exploited a critical zero-day vulnerability in SAP NetWeaver Visual Composer, tracked as CVE-2025-31324, to breach critical infrastructure and enterprise networks globally.
This unauthenticated file upload flaw grants attackers remote code execution (RCE) capabilities, enabling deep system compromise and persistent access.
Evidence was uncovered via open directories on attacker-controlled infrastructure, revealing comprehensive logs from at least 581 successfully breached SAP NetWeaver systems.
Unauthenticated Exploitation of CVE-2025-31324
The campaign, attributed to Chinese state-linked units UNC5221, UNC5174, and CL-STA-0048 (as corroborated by threat intelligence from Mandiant and Palo Alto Networks), illustrates a sophisticated strategy for infiltrating high-value targets.
The attackers conducted extensive internet-wide scanning, leveraging reconnaissance tools like Nuclei to identify and compromise vulnerable endpoints.
C2 infrastructure, notably at IP 15.204.56[.]106, hosted logs and exploit results, exposing the campaign’s extensive operational scope.
Post-exploitation, the threat actors deployed custom webshells, including coreasp.js (an AES/ECB-encrypted Behinder variant with in-memory payload execution) and forwardsap.jsp (a minimalist, unauthenticated shell for rapid command execution).

According to the EclecticIQ report, these implants enabled interactive remote command execution while evading file-based detection through fileless techniques and obfuscation.
Both shells were observed uploaded after a POST request to the vulnerable /developmentserver/metadatauploader API endpoint, providing adversaries with durable persistence.
China-Aligned Groups Target Enterprise
Victimology indicates a calculated focus on sectors vital to public welfare and national security, such as UK natural gas and water utilities, US medical device manufacturers and oil exploration firms, and Saudi government ministries.
The attackers’ persistence within SAP NetWeaver, which is often interconnected with core industrial control systems (ICS), raises significant concerns about the potential for lateral movement, espionage, and large-scale disruption.

Specific APT activity included:
- CL-STA-0048: Leveraged TCP reverse shells and DNS beaconing to establish control over compromised hosts, with traffic routed to the domain sentinelones[.]com (43.247.135[.]53). Analysts observed command execution for shell establishment and DNS-based exploitation confirmation.
- UNC5221: Utilized the KrustyLoader malware, downloaded from attacker-controlled Amazon S3 buckets, to deliver Sliver backdoors and maintain stealthy persistence. KrustyLoader’s Rust implementation complicates analysis and facilitates the deployment of additional payloads.
- UNC5174: Deployed a sophisticated infection chain starting with the SNOWLIGHT downloader, which retrieved the open-source VShell RAT for memory-resident remote control. Live payload delivery was accomplished via Bash scripts executed through SAP webshell endpoints.
The attackers combined system enumeration (e.g., arp -a, /etc/hosts parsing), network mapping, and exploitation of cloud-connected assets (including AWS workloads and Entra ID identities) to expand their foothold.
Many compromised SAP systems were inadequately segmented, running on VMware ESXi hypervisors, magnifying the threat of rapid lateral movement.
Immediate patch application (SAP Security Note #3594142) is critical. Where patching is infeasible, SAP’s prescribed workarounds must be employed, notably the removal of vulnerable metadata upload components and strict restriction of API endpoint exposure.
Organizations should implement comprehensive threat hunting across file systems, web access logs, and process telemetry, with special attention to unauthorized webshell uploads and suspicious outbound network connections to identified campaign infrastructure.
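The hunt described above can be reduced to two web-log signals the article itself names (a POST to /developmentserver/metadatauploader, followed by requests for one of the listed webshell filenames) plus a match of outbound connections against the campaign infrastructure in the IOC table. The script below is an added example and is not code from the EclecticIQ report; it assumes an Apache/Tomcat-style "combined" access-log layout and a constructed "timestamp source destination:port hostname" connection record, and every log line in it is constructed sample data, not victim telemetry.

```python
"""Added hunting example for the CVE-2025-31324 chain described in the article.
Not from the EclecticIQ report. Log layouts and all sample lines are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Unauthenticated upload endpoint named in the article.
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Webshell filenames from the article's IOC table.
WEBSHELL_NAMES = {"helper.jsp", "forwardsap.jsp", "coreasp.js",
                  ".webhelper.jsp", "404_error.jsp"}

# Network IOCs from the article's table, with defanging brackets removed.
IOC_IPS = {"15.204.56.106", "43.247.135.53", "54.77.139.23",
           "3.248.33.252", "103.30.76.206"}
IOC_DOMAINS = {
    "sentinelones.com",
    "aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com",
    "applr-malbbal.s3.ap-northeast-2.amazonaws.com",
    "abode-dashboard-media.s3.ap-south-1.amazonaws.com",
    "brandnav-cms-storage.s3.amazonaws.com",
    "ocr-freespace.oss-cn-beijing.aliyuncs.com",
}

# Assumed Apache/Tomcat "combined" layout; adapt for the SAP HTTP log in use.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    detail: str


def hunt_access_log(lines):
    """Flag POSTs to the vulnerable upload endpoint and any request, whatever
    its status code, for a known webshell filename. Returns findings in log order."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["path"]).path  # drop any query string
        if m["method"] == "POST" and path.lower() == VULN_ENDPOINT:
            findings.append(Finding("upload_endpoint_post", m["src"], path))
        if path.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            findings.append(Finding("webshell_request", m["src"], path))
    return findings


def correlate_sources(findings):
    """Sources that both hit the upload endpoint and requested a webshell name:
    the strongest single-source signal of the upload-then-execute sequence."""
    posted = {f.src for f in findings if f.rule == "upload_endpoint_post"}
    shelled = {f.src for f in findings if f.rule == "webshell_request"}
    return posted & shelled


def hunt_connections(lines):
    """Match outbound connection records ('ts src dst:port [host]', a constructed
    layout) against the campaign IPs and domains, including their subdomains."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        dst_ip = parts[2].rsplit(":", 1)[0]
        host = parts[3].lower() if len(parts) > 3 else ""
        domain_hit = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
        if dst_ip in IOC_IPS or domain_hit:
            hits.append(Finding("ioc_connection", parts[1], " ".join(parts[2:])))
    return hits


# Constructed sample data (RFC 5737 documentation addresses, not real victims).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/May/2025:10:00:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120',
    '203.0.113.7 - - [01/May/2025:10:00:15 +0000] "GET /irj/forwardsap.jsp HTTP/1.1" 200 64',
    '198.51.100.9 - - [01/May/2025:10:01:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/May/2025:10:02:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 300',
]
SAMPLE_CONN_LOG = [
    "2025-05-01T10:00:20Z 10.0.0.21 43.247.135.53:10443 sentinelones.com",
    "2025-05-01T10:00:25Z 10.0.0.21 198.51.100.20:443 brandnav-cms-storage.s3.amazonaws.com",
    "2025-05-01T10:00:30Z 10.0.0.22 198.51.100.30:443 example.com",
    "2025-05-01T10:00:35Z 10.0.0.23 103.30.76.206:443",
]

if __name__ == "__main__":
    web = hunt_access_log(SAMPLE_ACCESS_LOG)
    for f in web + hunt_connections(SAMPLE_CONN_LOG):
        print(f"{f.rule:22} {f.src:15} {f.detail}")
    print("upload+webshell from same source:", sorted(correlate_sources(web)))
```

A GET to the upload endpoint is deliberately not flagged, since the article describes the observed uploads as POSTs; a request for a webshell name is flagged even on a 404, because a failed probe for a known shell is still worth a look. Replace the constructed samples with exported access logs and firewall or proxy connection records, and extend IOC_IPS and IOC_DOMAINS from the table above if it is updated.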
Indicators of Compromise (IOC)
Threat Actor/Cluster | IOC Type | Value/Details
---|---|---
Unattributed China Nexus (scanning C2) | IP | 15.204.56[.]106
Unattributed China Nexus (scanning C2) | SHA256 | 4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d
Unattributed China Nexus (scanning C2) | SHA256 | 63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd
CL-STA-0048 (reverse shell/DNS beaconing) | IP/Domain | 43.247.135[.]53 (sentinelones[.]com, TCP 10443)
CL-STA-0048 (reverse shell/DNS beaconing) | Domain | aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com
CL-STA-0048 (reverse shell/DNS beaconing) | IPs | 54.77.139[.]23, 3.248.33[.]252
UNC5221 (KrustyLoader malware) | S3 domain | applr-malbbal.s3.ap-northeast-2.amazonaws[.]com
UNC5221 (KrustyLoader malware) | S3 domain | abode-dashboard-media.s3.ap-south-1.amazonaws[.]com
UNC5221 (KrustyLoader malware) | S3 domain | brandnav-cms-storage.s3.amazonaws[.]com
UNC5221 (KrustyLoader malware) | SHA256 | f92d0cf4d577c68aa615797d1704f40b14810d98b48834b241dd5c9963e113ec
UNC5221 (KrustyLoader malware) | SHA256 | 3f14dc65cc9e35989857dc1ec4bb1179ab05457f2238e917b698edb4c57ae7ce
UNC5174 (SNOWLIGHT/VShell/GOREVERSE) | IP | 103.30.76[.]206 (TCP 443)
UNC5174 (SNOWLIGHT/VShell/GOREVERSE) | SHA256 | 00920e109f16fe61092e70fca68a5219ade6d42b427e895202f628b467a3d22e
UNC5174 (SNOWLIGHT/VShell/GOREVERSE) | SHA256 | 2dcbb4138f836bb5d7bc7d8101d3004848c541df6af997246d4b2a252f29d51a
UNC5174 (SNOWLIGHT/VShell/GOREVERSE) | Aliyun object | ocr-freespace.oss-cn-beijing.aliyuncs.com/2025/config.sh
General (victim SAP systems) | IPs (examples) | 45.155.222[.]14, 159.65.34[.]242, 138.68.61[.]82, 192.243.115[.]175
General (victim SAP systems) | Webshell files | helper.jsp, forwardsap.jsp, coreasp.js, .webhelper.jsp, 404_error.jsp