Thursday, May 15, 2025

Chinese Hackers Exploit SAP NetWeaver 0-Day to Target Critical Infrastructure

by Charline

In April 2025, security researchers discovered a major cyberattack targeting critical infrastructure worldwide. The attackers exploited a previously unknown vulnerability in SAP NetWeaver Visual Composer.

The vulnerability, tracked as CVE-2025-31324, allows attackers to upload malicious files and execute remote code. This can be done without authentication or special privileges.


Global Impact on Critical Sectors

The attacks mainly affected:

  • Natural gas distribution networks in the United Kingdom
  • Water utilities
  • Medical device manufacturing plants in the United States
  • Upstream oil and gas companies
  • Government ministries in Saudi Arabia

Compromised SAP systems were linked to Industrial Control System (ICS) networks. This connection increased the potential impact of the attacks.


Links to China-Based APT Groups

Investigation revealed links to several China-nexus Advanced Persistent Threat (APT) groups. These included UNC5221, UNC5174, and CL-STA-0048.


Analysts believe these groups are connected to China’s Ministry of State Security (MSS) or affiliated private entities. Their goal is to compromise critical infrastructure around the world.

Evidence from Attacker Infrastructure

Researchers at EclecticIQ found an open directory on an attacker-controlled server (15.204.56.106). This directory contained:

  • Lists of compromised SAP systems
  • Tools used in the campaign

The server held two files showing that over 581 SAP NetWeaver instances had been compromised and backdoored with webshells. A separate list identified 1,800 SAP domains as potential future targets.

Attack Methodology: Exploiting SAP API Endpoint

The attackers used the “/developmentserver/metadatauploader” API endpoint in SAP NetWeaver. This allowed them to upload malicious webshells and gain persistent remote access.

Two primary webshells were found on victim systems:

  • coreasp.jsp
  • forwardsap.jsp

Anatomy of the Webshell Payloads

The coreasp.jsp webshell was more advanced. It used obfuscation and encryption to avoid detection.

The webshell accepted system commands through a parameter called “cmdhghgghhdd”. It then returned the output to the attacker’s browser. This served as a fallback access method if other encrypted channels failed.
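The indicators in the last two sections (the abused upload endpoint, the two webshell file names and the command parameter of coreasp.jsp) are enough to write a first-pass hunting rule for HTTP access logs. The following script is an added example, not code from the article or from EclecticIQ; it assumes the SAP system's HTTP access log has been exported in a combined (Apache/NGINX-style) layout, and the log lines, IP addresses and webshell directory in SAMPLE_LOG are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators named in the article: the abused upload endpoint, the two
# webshell file names, and the command parameter accepted by coreasp.jsp.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"coreasp.jsp", "forwardsap.jsp"}
COMMAND_PARAM = "cmdhghgghhdd"

# Assumption: the access log uses a combined-style layout
#   <ip> - - [<timestamp>] "<method> <target> <protocol>" <status> <size>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line: str) -> list:
    """Return the indicator labels matched by one access-log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = parts.path
    findings = []
    # 1. File uploads go to the metadatauploader endpoint via POST.
    if method == "POST" and path.lower().startswith(UPLOAD_ENDPOINT):
        findings.append("upload-endpoint-post")
    # 2. Any request for one of the two known webshell file names.
    if path.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
        findings.append("webshell-path")
    # 3. The fallback command parameter of coreasp.jsp in the query string.
    if COMMAND_PARAM in parse_qs(parts.query, keep_blank_values=True):
        findings.append("webshell-command-param")
    return findings


def scan(lines) -> list:
    """Return (ip, method, target, findings) for every line that matched an indicator."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("method"), m.group("target"), findings))
    return hits


# Constructed sample log: one benign portal request, one POST to the upload
# endpoint, one webshell call with the command parameter, one plain webshell
# request, and one benign health check. The /irj/root/ directory is invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:08:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2025:08:12:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/May/2025:08:12:30 +0000] "GET /irj/root/coreasp.jsp?cmdhghgghhdd=id HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/May/2025:08:13:02 +0000] "GET /irj/root/forwardsap.jsp HTTP/1.1" 200 17',
    '192.0.2.44 - - [10/May/2025:08:14:11 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, method, target, findings in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {', '.join(findings)}")
```

Two caveats for anyone running this against real logs. Access logs do not record POST bodies, so a command sent to the webshell in a request body appears only as a "webshell-path" hit; pair the log rule with a file-system check for the two JSP names under the application's web root. A POST to the metadatauploader endpoint can also come from legitimate Visual Composer development activity, so treat that label as a lead to triage against the source IP and the time of the request, not as proof of compromise.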

Links to the Behinder Toolset

EclecticIQ researchers noted that the webshells resembled Behinder v3. This toolset is commonly used by Chinese-speaking threat actors, which further supports the link to China-nexus operators.
