Chinese Hackers Leverage SAP RCE Vulnerability to Install Supershell Backdoors

A critical deserialization vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild, according to recent research by Forescout.

The flaw allows unauthenticated remote code execution (RCE) via malicious uploads to the /developmentserver/metadatauploader endpoint, giving attackers the power to deploy web shells and take full control of vulnerable SAP servers.

Active Exploitation Threatens SAP

Since late April 2025, evidence has mounted of opportunistic scanning and exploitation attempts against SAP systems in multiple industries, with the most sustained campaigns traced to a Chinese-speaking threat group tracked by Forescout as Chaya_004.

The adversaries have leveraged the vulnerability not only to deploy classic web shells, such as helper.jsp, cache.jsp, or files with random eight-letter names, but also to install sophisticated management backdoors like Supershell, a Go-based remote shell favored among Chinese APT operators.

Forescout’s adversary engagement environments first detected mass scanning on April 29, shortly after public disclosure of the bug and its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Scans targeting the vulnerable endpoint were predominantly sourced from Microsoft and Amazon cloud ASNs, likely reflecting both benign research activity and malicious reconnaissance.

More targeted exploitation was observed in customer environments, especially in the manufacturing sector, where attackers leveraged hosting services and VPNs provided by Scaleway (France), Contabo (Germany), Nubes (US), and ECO TRADE (Poland).

Several of these IPs had histories of credential-stuffing and brute-force attacks in broader campaigns.

Chinese-Linked Infrastructure

Technical analysis of campaign infrastructure revealed a sprawling network of over 500 IPs, many hosted on leading Chinese cloud providers such as Alibaba, Tencent, Huawei, and China Unicom, sharing a distinct self-signed digital certificate profile.

On these servers, researchers identified not just Supershell but an arsenal of penetration testing and asset discovery tools, including NPS (a Chinese-language intranet proxy), SoftEther VPN, NHAS, Cobalt Strike, asset reconnaissance utility ARL, Pocassit vulnerability scanner, Gosint intelligence collector, and bespoke tunnels written in Go.

This toolset, combined with consistent infrastructure patterns, strongly suggests the campaign is orchestrated by a seasoned Chinese threat actor.

Further lateral movement from compromised Visual Composer instances could enable attackers to compromise critical SAP modules, including Gateway, Message Server, or HANA databases, risking major business disruption, data leakage, regulatory violations, and credential theft.

In some environments, defensive scans themselves triggered system crashes, indicating that many SAP environments may be both highly exposed and poorly secured.

Immediate mitigation is imperative. SAP customers are urged to apply the official patches released on the April 2025 Patch Day for NetWeaver AS Java (versions 7.50–7.52).

Exposure of the vulnerable endpoint should be restricted using firewalls or SAP Web Dispatcher, and the Visual Composer service disabled unless strictly necessary.

Continuous monitoring for suspicious uploads and post-exploitation behavior, especially unusual POST requests and outbound connections, should be implemented.
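As an added illustration (not code from the Forescout report or this article), the following detector runs over constructed access-log lines and flags POSTs to the upload endpoint, probes of that endpoint, and requests for the web shell names the report lists. The Apache/NCSA log layout, the documentation-range IPs and the severity levels are assumptions.

```python
import re
from collections import Counter

# Endpoint named in the report as the upload vector for CVE-2025-31324.
VULN_ENDPOINT = "/developmentserver/metadatauploader"
# Web shell names reported in the campaign, plus the "random eight-letter name"
# pattern (prone to false positives on legitimate 8-letter JSPs, so rated medium).
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}
RANDOM_SHELL_RE = re.compile(r"^[A-Za-z]{8}\.jsp$")

# Assumed Apache/NCSA-style access log layout (not SAP's native log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def classify(line):
    """Return (severity, reason, ip, path) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
    base = path.split("?", 1)[0]
    name = base.rsplit("/", 1)[-1].lower()
    if base.lower() == VULN_ENDPOINT:
        if method == "POST":
            # An unauthenticated POST here is the exploitation primitive; 2xx means accepted.
            sev = "high" if status.startswith("2") else "medium"
            return (sev, "POST to metadatauploader endpoint", ip, path)
        return ("low", "probe of metadatauploader endpoint", ip, path)
    if name in KNOWN_SHELLS:
        return ("high", "request for known web shell name", ip, path)
    if RANDOM_SHELL_RE.match(name):
        return ("medium", "request for eight-letter JSP name", ip, path)
    return None

def scan(lines):
    """Classify every line; return findings in log order and a per-IP hit count."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f[2] for f in findings)

# Constructed sample log (documentation addresses, not real campaign IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [29/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.10 - - [29/Apr/2025:10:02:33 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.7 - - [29/Apr/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 410
198.51.100.7 - - [29/Apr/2025:10:05:41 +0000] "GET /irj/abcdefgh.jsp HTTP/1.1" 404 0
""".splitlines()
```

Running `scan(SAMPLE_LOG)` on the sample yields two high, one low and one medium finding; the benign portal request is not flagged.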

Forescout has deployed threat detection and intelligence capabilities across its product suite, integrating IoCs and behavioral analytics to help organizations identify, respond to, and mitigate ongoing exploitation.

With active exploitation continuing and the threat landscape rapidly evolving, organizations running SAP NetWeaver Visual Composer are strongly advised to prioritize remediation and enhance monitoring for compromise.

Indicators of Compromise (IoC)

IoC | Description / Context
47.97.42[.]177 | Initial Supershell backdoor infrastructure host
49.232.93[.]226 | Malware distribution node; associated with svchosts.exe
8.210.65[.]56 | Automated penetration testing platform
search-email[.]com | C2 domain used by malware sample
888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef | ELF binary ("config") recovered from an attack
f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779 | Windows malware sample (svchosts.exe)
(see below for additional scanning/exploitation IPs) | Full list includes Microsoft, Amazon, Scaleway, Contabo, Nubes, and ECO TRADE ASNs
Subject DN: C=US, O=Cloudflare, Inc, CN=:3232 | Self-signed certificate profile for campaign infrastructure


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
