Cybersecurity

Critical SAP NetWeaver Vulnerabilities Exploited by China-Linked Threat Actors

In April 2025, cybersecurity researchers identified that multiple China-nexus advanced persistent threat (APT) groups are actively exploiting critical vulnerabilities in SAP NetWeaver, posing significant risks to global critical infrastructure.

Overview of Exploited Vulnerabilities

  • CVE-2025-31324: An unauthenticated file upload vulnerability in SAP NetWeaver’s Visual Composer component, allowing remote code execution (RCE).
  • CVE-2025-42999: A deserialization vulnerability in the Visual Composer Metadata Uploader, exploitable by privileged users to execute arbitrary code.

These vulnerabilities have been exploited in tandem, enabling attackers to gain unauthorized access, deploy malicious payloads, and maintain persistent control over compromised systems.

Identified Threat Actors and Tactics

The following China-linked APT groups have been associated with these exploitation campaigns:

  • UNC5221: Utilized web shells to deploy “KrustyLoader,” a Rust-based malware facilitating the delivery of secondary payloads like “Sliver” for persistence and command execution.
  • UNC5174: Employed a multi-stage malware chain involving “SNOWLIGHT,” a loader that fetches the “VShell” remote access trojan and the “GOREVERSE” backdoor.
  • CL-STA-0048: Established reverse shells to known command-and-control (C2) servers, enabling interactive remote sessions with compromised systems.

These groups have demonstrated sophisticated tactics, including the use of encrypted web shells, DNS-based beaconing, and leveraging publicly exposed directories to catalog and target vulnerable SAP NetWeaver instances.

Scope of Impact

The exploitation campaigns have targeted a wide array of sectors, including:

  • Energy and Utilities: Natural gas distribution networks and water utilities in the United Kingdom.
  • Healthcare: Medical device manufacturing plants in the United States.
  • Government: Ministries responsible for investment strategy and financial regulation in Saudi Arabia.

Evidence from attacker-controlled infrastructure revealed that at least 581 SAP NetWeaver instances have been compromised, with an additional 1,800 domains identified as potential future targets.

Mitigation and Recommendations

To protect against these threats, organizations using SAP NetWeaver should:

  1. Apply Security Patches: Implement SAP Security Note 3594142 to address CVE-2025-31324 and Security Note 3604119 for CVE-2025-42999.
  2. Restrict Access: Limit access to the Visual Composer component, especially if it is not essential to operations.
  3. Monitor Systems: Continuously monitor for unusual activities, such as unexpected file uploads or the presence of unauthorized web shells.
  4. Conduct Security Audits: Regularly audit systems for indicators of compromise and ensure that security measures are up to date.

Given the critical nature of these vulnerabilities and the sophistication of the threat actors involved, immediate action is imperative to safeguard organizational assets and maintain the integrity of critical infrastructure systems.

What's your reaction?

Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0

You may also like

Comments are closed.