China-Linked APTs Target 581 Critical Systems Worldwide Using SAP Vulnerability CVE-2025-31324

May 13, 2025
Vulnerability / Threat Intelligence

A newly identified critical security vulnerability in SAP NetWeaver is being exploited by several nation-state actors linked to China to infiltrate critical infrastructure networks. “Threat actors are taking advantage of CVE-2025-31324, an unauthenticated file upload vulnerability that allows for remote code execution (RCE),” stated EclecticIQ researcher Arda Büyükkaya in a recent analysis. Targets include natural gas distribution, water and waste management utilities in the UK; medical device manufacturing facilities and oil and gas companies in the U.S.; and investment and financial regulation ministries in Saudi Arabia. The assessment is based on a publicly accessible directory found on attacker-controlled infrastructure (15.204.56[.]106), which contained event logs detailing activity across numerous breached systems.

Because CVE-2025-31324 is an unauthenticated file upload reachable over HTTP, the exploit itself is the initial access: no phishing, stolen credentials, or prior foothold is required, which is what makes an internet-facing NetWeaver instance so attractive to these actors. In MITRE ATT&CK terms this is Exploit Public-Facing Application (T1190). The uploaded file then serves as the persistence mechanism (Server Software Component: Web Shell, T1505.003); public reporting on this CVE describes JSP web shells written into the NetWeaver web root, which give the attacker command execution on the host under the SAP service account and a base for privilege escalation and lateral movement into the surrounding network.
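A practical first step after reading a report like this is to hunt your own HTTP access logs for the exploit chain just described. The following script is an added example written for this article, not EclecticIQ's or SAP's code. It assumes three things beyond what the article states, each taken from public reporting on CVE-2025-31324 rather than from this page: that the vulnerable upload endpoint is `/developmentserver/metadatauploader`, that dropped web shells become reachable as `/irj/<name>.jsp`, and that the server writes Common Log Format access lines. The sample log lines, the client addresses other than the article's 15.204.56[.]106, and the file name `shell.jsp` are constructed for the demonstration.

```python
"""Hunt SAP NetWeaver HTTP access logs for CVE-2025-31324 exploitation indicators.

Added example for this article; not code from EclecticIQ or SAP.
"""
import re
from dataclasses import dataclass

# Indicator taken from the article: attacker-controlled host that exposed the event logs.
IOC_IPS = {"15.204.56.106"}

# ASSUMPTION (from public reporting on the CVE, not from the article): the
# unauthenticated upload endpoint of the Visual Composer Metadata Uploader.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

# ASSUMPTION (from public reporting): dropped JSP web shells are served as
# /irj/<name>.jsp, whereas normal portal traffic goes to /irj/portal or /irj/servlet/...
JSP_UNDER_IRJ_ROOT = re.compile(r"^/irj/[^/?]+\.jsp$", re.IGNORECASE)

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the demonstration (not real telemetry).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
15.204.56.106 - - [29/Apr/2025:10:15:31 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
15.204.56.106 - - [29/Apr/2025:10:15:40 +0000] "GET /irj/shell.jsp?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [29/Apr/2025:10:16:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 2048
this line is not an access log record
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def parse(line):
    """Return (ip, method, path-without-query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string for matching
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def hunt(lines):
    """Emit one Finding per (record, reason); a single record can trigger several reasons."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as findings
        ip, method, path, status = rec
        reasons = []
        if ip in IOC_IPS:
            reasons.append("request from known attacker infrastructure")
        if method in ("POST", "PUT") and path.lower().startswith(UPLOAD_ENDPOINT):
            reasons.append("POST to Visual Composer metadata uploader endpoint")
        if JSP_UNDER_IRJ_ROOT.match(path):
            reasons.append("JSP served from /irj/ root (possible web shell)")
        findings.extend(Finding(ip, method, path, status, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.ip:15} {f.method:4} {f.status} {f.path:45} {f.reason}")
```

Run against the constructed sample it reports four findings: the IOC address appears twice, once for the upload and once for the shell request, and each of those requests also matches a behavioural rule. The behavioural rules matter more than the IP match in practice, since the address in the report will be burned long before the technique is; a successful POST to the uploader followed within seconds by a GET to a new `.jsp` under `/irj/` from the same client is the sequence to alert on.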

The ongoing exploitation makes this an emergency patch for any organization running SAP NetWeaver with the Visual Composer component exposed to the internet. The fix is SAP Security Note 3594142; where it cannot be applied immediately, public guidance is to restrict or block access to the metadata uploader endpoint and to disable Visual Composer where it is not in use, since the flaw needs no credentials and a single HTTP request is enough to plant a web shell.

Patching alone is not sufficient once a system has been exposed, because the uploaded shell survives the update. Operators should also hunt for unexpected .jsp files in the NetWeaver web directories, review HTTP access logs for uploads and for requests from 15.204.56[.]106, and treat any hit as a confirmed compromise that warrants a full incident response rather than a cleanup of the one file.

As this situation develops, further updates will emerge; organizations running affected systems should track SAP's security notes and the EclecticIQ reporting for new indicators.