
Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors


A critical remote code execution vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324) is being actively exploited by a Chinese threat actor to compromise enterprise systems worldwide.

The vulnerability allows attackers to achieve remote code execution by uploading malicious web shells through the vulnerable /developmentserver/metadatauploader endpoint.

Exploitation has been observed primarily targeting manufacturing environments, where compromised SAP systems could lead to significant operational disruptions and security breaches.

The threat actor, tracked as Chaya_004, has been leveraging this vulnerability since at least April 29, 2025, shortly after proof-of-concept exploits became publicly available.

Their attack infrastructure heavily utilizes Chinese cloud providers, including Alibaba, Tencent, and Huawei Cloud Services.

This campaign demonstrates a sophisticated approach to infrastructure deployment, with over 700 identified IP addresses sharing consistent configuration patterns.

Forescout researchers identified the malicious infrastructure after recovering an ELF binary named “config” from one of the attacks.

The binary contained an IP address hosting a SuperShell login interface, which led to the discovery of hundreds of additional IP addresses sharing unusual certificate configurations.

The certificates utilized anomalous self-signed properties impersonating Cloudflare with a distinctive subject DN attribute.

The exploitation pattern involves POST requests to the vulnerable endpoint, followed by the deployment of web shells with names such as “helper.jsp,” “cache.jsp,” or randomized eight-letter filenames like “ssonkfrd.jsp.”

Once established, these backdoors enable attackers to download additional malicious payloads using curl commands. The initial upload looks like the following request (the web shell body has been omitted):

POST /developmentserver/metadatauploader HTTP/1.1
Host: [target]
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
Content-Length: [length]

-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="webshell.jsp"
Content-Type: application/octet-stream



-----------------------------9051914041544843365972754266--
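As a defensive counterpart to the request above, here is an added detection example (not code from the original article or from Forescout) that scans web server access logs for the two-step pattern described: a POST to /developmentserver/metadatauploader followed, from the same client, by a request for a .jsp named helper.jsp, cache.jsp, or eight random lowercase letters. The log lines are constructed for the example, the 10-minute correlation window is a tuning assumption, and the /example-app/ directory is a placeholder, since the article does not say where uploaded shells land.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Web shell names reported in the campaign: helper.jsp, cache.jsp, or eight random lowercase letters.
SHELL_NAME_RE = re.compile(r"^(?:helper|cache|[a-z]{8})\.jsp$")
# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic); /example-app/ is a placeholder directory.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2025:02:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [30/Apr/2025:02:14:09 +0000] "GET /example-app/helper.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [30/Apr/2025:03:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Apr/2025:04:10:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.11 - - [30/Apr/2025:04:10:31 +0000] "GET /example-app/ssonkfrd.jsp HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.8 - - [30/Apr/2025:05:00:00 +0000] "GET /example-app/cache.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def basename(path):
    """Strip the query string and leading directories from a request path."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Scan access-log text and return a list of (severity, ip, path) findings.

    - 'high'  : campaign-style .jsp requested by an IP that POSTed to the metadata
                uploader within `window` beforehand (upload followed by execution).
    - 'medium': any POST to the metadata uploader endpoint.
    - 'low'   : campaign-style .jsp name with no preceding upload from that IP.
    """
    findings = []
    last_upload = {}  # ip -> timestamp of that client's most recent uploader POST
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            last_upload[ip] = ts
            findings.append(("medium", ip, path))
            continue
        if SHELL_NAME_RE.match(basename(path)):
            prior = last_upload.get(ip)
            if prior is not None and timedelta(0) <= ts - prior <= window:
                findings.append(("high", ip, path))
            else:
                findings.append(("low", ip, path))
    return findings


if __name__ == "__main__":
    for severity, ip, path in find_suspicious(SAMPLE_LOG):
        print(f"{severity:6s} {ip:15s} {path}")
```

The correlation is keyed on client IP, so a POST to the uploader is always reported on its own (the endpoint should be reachable only by administrators, per the mitigations below), and a shell-named .jsp is upgraded to high severity only when the same client hit the uploader shortly before. The eight-letter pattern will also match legitimate short names, so treat low-severity hits as leads to review rather than alerts.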

The deployed SuperShell backdoors provide attackers with comprehensive system access, allowing them to manipulate service endpoints, harvest credentials, and potentially pivot to more critical SAP components.

The primary backdoor interface was identified on port 8888 with the distinctive path “/supershell/login” across multiple compromised systems.

Organizations running affected SAP versions are strongly urged to apply the security patches released in the April 2025 Patch Day immediately.

Additional recommended mitigations include restricting access to metadata uploader services, disabling unused web services, and implementing real-time monitoring for anomalous access to SAP systems, particularly outside of regular maintenance windows.


The post Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors appeared first on Cyber Security News.
