A recent report has identified a China-linked threat actor, referred to as Chaya_004, actively exploiting a critical vulnerability in SAP NetWeaver. This attack leverages the flaw CVE-2025-31324, which has been assigned a maximum CVSS score of 10.0. The malicious activity linked to this actor has been ongoing since April 29, 2025, according to Forescout Vedere Labs.

The vulnerability allows unauthorized users to achieve remote code execution (RCE) through the “/developmentserver/metadatauploader” endpoint. The flaw was initially reported by ReliaQuest, which found evidence of in-the-wild exploitation in which web shells and post-exploitation frameworks were deployed.

Onapsis, a cybersecurity firm, indicated that hundreds of SAP systems across diverse sectors—including energy, manufacturing, media, pharmaceuticals, and government—have suffered attacks related to this vulnerability. The firm detected signs of reconnaissance activity as early as January 20, 2025, with successful breaches recorded shortly after. Mandiant, another cybersecurity entity involved in incident responses, corroborated that the first known exploitation was observed on March 12, 2025.

In recent developments, multiple threat actors have capitalized on this vulnerability, targeting systems to deploy web shells and engage in cryptocurrency mining. Chaya_004’s operations include hosting a web-based reverse shell known as SuperShell on a specific IP address. This shell is part of a broader toolkit used by the threat actor, suggesting an organized approach to the exploitation.

Forescout’s findings revealed that the actor has utilized various tools across their operations, including NPS, SoftEther VPN, Cobalt Strike, and others. The use of several Chinese-language tools and hosting on Chinese cloud providers suggests a likely origin of these activities in China. Ongoing monitoring of the metadata uploader endpoint and the disabling of unused services, such as Visual Composer, are recommended to mitigate risks.
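The monitoring recommendation above can be turned into a simple log check. The following script is an added example written for this page, not code from Forescout, Onapsis or SAP: it parses HTTP access-log lines, flags every request to the metadata uploader endpoint, and ranks accepted POSTs (uploads) above simple GET probes. The log lines and IP addresses are constructed, the combined log format is an assumption (SAP's ICM and Java-server access logs use their own layouts, so the regex would need adapting), and the `expected_sources` allowlist is a hypothetical knob for environments where the endpoint is legitimately used by a known administration host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the Apache/nginx "combined" format (assumption:
# real SAP NetWeaver access logs differ, adapt LOG_RE accordingly).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:10:12:05 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Apr/2025:10:12:09 +0000] "GET /developmentserver/metadatauploader/ HTTP/1.1" 200 64 "-" "curl/8.4.0"
192.0.2.55 - - [29/Apr/2025:10:13:40 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory coverage (the path the report tells defenders to watch).
WATCHED_PATH = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    status: int
    ua: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(target: str) -> str:
    """Strip the query string and trailing slash so '/x/', '/x?y=1' and '/x' compare equal."""
    return target.split("?", 1)[0].rstrip("/")


def classify(method: str, status: int) -> str:
    # An accepted POST is an upload the server processed; that is the event to
    # investigate first. A rejected POST still shows intent. Anything else is
    # reachability probing of the endpoint.
    if method == "POST" and 200 <= status < 300:
        return "high"
    if method == "POST":
        return "medium"
    return "low"


def scan(log_text: str, expected_sources: frozenset = frozenset()) -> list:
    """Return one Finding per request to the watched endpoint, skipping allowlisted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if normalize_path(rec["target"]) != WATCHED_PATH:
            continue
        if rec["src"] in expected_sources:
            continue
        status = int(rec["status"])
        findings.append(Finding(
            src=rec["src"], ts=rec["ts"], method=rec["method"],
            status=status, ua=rec["ua"], severity=classify(rec["method"], status),
        ))
    return findings


def summarize(findings: list) -> Counter:
    """Count hits per source address, useful for spotting a single host probing then uploading."""
    return Counter(f.src for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.ts} {f.src} {f.method} status={f.status} ua={f.ua!r}")
    print("hits per source:", dict(summarize(hits)))
```

Run against a real access log, the two things worth alerting on are any high-severity hit at all (if Visual Composer is unused, there is no legitimate upload traffic to this path) and a source that appears first with a low-severity probe and shortly afterwards with an accepted POST.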

Employing the MITRE ATT&CK framework can provide context on the potential tactics employed during these assaults, such as initial access through exploitation of the vulnerability, persistence via web shells, and potential privilege escalation through deployed malware. These tactics emphasize the need for proactive security measures.

Onapsis’s CTO emphasized that the findings by Forescout highlight ongoing threats post-patch, suggesting that both opportunistic and advanced threat actors are adapting quickly to exploit existing vulnerabilities. This scenario underscores the critical importance of businesses maintaining robust cybersecurity hygiene through timely updates, vigilant monitoring, and immediate remediation of identified threats.
