A previously unknown China-linked threat actor tracked as Chaya_004 has been identified exploiting a recently disclosed SAP remote code execution (RCE) flaw.
A report released today stated that researchers found malicious infrastructure likely connected to the hacking group utilising CVE-2025-31324 since April.
The SAP NetWeaver vulnerability enables attackers to achieve remote code execution (RCE) by uploading web shells through the vulnerable “/developmentserver/metadatauploader” endpoint.
The flaw was first reported late last month, when it emerged that unidentified threat actors were exploiting it in real-world attacks to install web shells and the Brute Ratel C4 post-exploitation framework.
The SAP RCE flaw affects organisations across industries worldwide.
According to investigations, the hackers have targeted numerous systems worldwide affected by the SAP RCE flaw. Vulnerable systems have reportedly been found across sectors and regions, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government bodies.
Separately, an SAP security firm reported observing reconnaissance activity, including specific payloads being tested against this vulnerability on its honeypots, as early as January 20, 2025.
Successful compromises that involved deploying web shells occurred between March 14 and 31.
In addition, a Google-owned firm involved in incident response for these attacks has documented evidence of exploitation starting on March 12, 2025. Several threat actors are exploiting the vulnerability against exposed systems to deploy web shells and cryptominers.
Further research confirms that Chaya_004 is taking part in these opportunistic attacks. The group hosts a web-based reverse shell named SuperShell, developed in Golang.
Researchers also noted that they extracted the IP address of the SuperShell host from the configuration of an ELF binary used in the attack.
Furthermore, researchers discovered multiple other open ports on that host, including 3232/HTTP, which presents a suspicious self-signed certificate mimicking Cloudflare. The threat actor also likely hosts various tools within its infrastructure, including NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.
According to the researchers, the involvement of Chinese cloud providers and several Chinese-language tools suggests that this threat actor is probably based in China.
To protect against these attacks, organisations should promptly apply the patches if they have not already done so, restrict access to the metadata uploader endpoint, deactivate the Visual Composer service if it is not in use, and monitor for any unauthorised activity.
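As an added illustration of the monitoring step (this is example code, not from the article or any vendor), the following Python scans web access logs for requests to the vulnerable endpoint and flags those from outside an allowlist, rating successful POSTs (the upload primitive the flaw abuses) as highest severity. The common-log-style layout and the sample lines are constructed assumptions, not SAP's own log format.

```python
import re
from collections import defaultdict

# Endpoint abused by CVE-2025-31324 (named in the article). The log layout below is an
# assumed common-log-style format, not SAP NetWeaver's own log format.
VULN_ENDPOINT = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_uploads(lines, allowed_sources=frozenset()):
    """Report every request to the metadata uploader endpoint from a non-allowlisted source.

    A POST that received HTTP 200 is rated 'high' (a likely successful upload);
    any other hit on the endpoint is rated 'medium' (probing or failed attempt)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/").lower()  # ignore query string
        if path != VULN_ENDPOINT or rec["src"] in allowed_sources:
            continue
        severity = "high" if rec["method"] == "POST" and rec["status"] == "200" else "medium"
        hits.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                     "status": rec["status"], "severity": severity})
    return hits


def summarise_by_source(hits):
    """Count flagged requests per source address."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["src"]] += 1
    return dict(counts)


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jan/2025:03:14:07 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2025:03:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 89',
    '10.0.0.5 - - [20/Jan/2025:03:15:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 89',
    '203.0.113.9 - - [20/Jan/2025:03:16:22 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG, allowed_sources={"10.0.0.5"}):
        print(hit)
```

The allowlist should contain only the internal hosts that legitimately use the endpoint; once it is restricted as the article advises, any remaining hit is worth investigating.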
