Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
Briefly

A threat actor known as Chaya_004, with links to China, has been observed exploiting a serious security vulnerability in SAP NetWeaver (CVE-2025-31324). This flaw, which has a CVSS score of 10.0, allows for remote code execution via a vulnerable endpoint. Forescout Vedere Labs noted that attacks utilizing this vulnerability have been widespread, affecting numerous industries and organizations globally. Various entities, including Onapsis and Mandiant, have documented evidence of real-world exploitation of this flaw, which involves deploying web shells for malicious purposes, including cryptocurrency mining.
Forescout Vedere Labs reported on a China-linked threat actor, Chaya_004, exploiting a critical SAP NetWeaver vulnerability, CVE-2025-31324, which allows remote code execution.
The SAP NetWeaver flaw enables attackers to upload web shells through a vulnerable endpoint, and real-world abuse was confirmed by ReliaQuest and Onapsis.
Organizations spanning various sectors, including energy and government, have suffered attacks involving reconnaissance and the deployment of web shells in their SAP systems.
Chaya_004 has been observed using a web-based reverse shell called SuperShell and exploiting the CVE-2025-31324 vulnerability, demonstrating a significant cyber threat.
Read at The Hacker News