Full Report
A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign
Analysis Summary
# Vulnerability: SAP NetWeaver Unauthenticated Remote Code Execution via File Upload
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: Not stated in the source report. SAP's own advisory (Security Note 3594142) rates the flaw at the maximum CVSS 10.0; the report describes it as **critical** and leading to **Remote Code Execution (RCE)**.
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type). The upload endpoint accepts files without authentication.
## Affected Systems
- Products: SAP NetWeaver Application Server Java with the Visual Composer component; the vulnerable code is the Metadata Uploader servlet reachable at `/developmentserver/metadatauploader`.
- Versions: Visual Composer framework (VCFRAMEWORK 7.50) on any instance that has not applied SAP Security Note 3594142 and the follow-up May 2025 patch.
- Configurations: Internet-facing SAP NetWeaver instances are the primary targets. Visual Composer is an optional component, so instances that never deployed it are not exposed to this endpoint.
## Vulnerability Description
CVE-2025-31324 is a critical security flaw in SAP NetWeaver that allows **unauthenticated file upload**: an attacker sends a single HTTP POST to the Metadata Uploader servlet and the server writes the supplied file, typically a JSP web shell, into a directory it serves. Requesting that file then runs attacker code with the privileges of the SAP application server user, which is what turns the upload into **Remote Code Execution (RCE)**.
## Exploitation
- Status: **Exploited in the wild** by multiple China-nexus nation-state actors (UNC5221, UNC5174, CL-STA-0048, and an uncategorized actor).
- Complexity: Low. One unauthenticated HTTP POST to a network-reachable endpoint is sufficient; the sophistication of the actors observed exploiting it says nothing about how hard the bug is to trigger, and commodity scanners can find exposed instances quickly.
- Attack Vector: Network (unauthenticated, no user interaction).
### Post-Exploitation Activities
Attackers use the RCE to deploy web shells for persistent remote access, reconnaissance, and deploying secondary malware payloads, including:
* KrustyLoader (serving Sliver, persistence)
* SNOWLIGHT loader (fetching VShell RAT and GOREVERSE backdoor)
* SuperShell (Go-based reverse shell)
## Impact
- Confidentiality: High (Implied by ability to deploy backdoors)
- Integrity: High (Remote Command Execution)
- Availability: High (Implied by potential for system compromise and denial of service)
## Remediation
### Patches
- Apply SAP Security Note 3594142, released out-of-band in April 2025 for CVE-2025-31324, and then the **May 2025 Patch Day** notes so that NetWeaver instances are at the latest supported level.
- *Note: A related vulnerability, CVE-2025-42999 (deserialization in the same Visual Composer Metadata Uploader, CVSS 9.1), was disclosed and patched in the May 2025 cycle. Instances that only took the April fix remain exposed to it.*
### Workarounds
- Given the active exploitation, immediate patching is the only complete fix. The EclecticIQ summary details no workaround; SAP's published interim guidance is to restrict access to `/developmentserver/metadatauploader` (at the ICM, web dispatcher or a reverse proxy) or to disable the Visual Composer component where it is not in use. Patching does not remove web shells already planted, so any instance that was exposed while unpatched must also be hunted for persistence (see Detection).
## Detection
- Actors have been observed running reconnaissance (scanning and probing environments) before deploying web shells and reverse shells, so the first exploitation attempt is often preceded by GET requests to the vulnerable endpoint from the same source.
- **Indicators of Compromise (IoCs):** On the host, unexpected `.jsp` files in the irj servlet root (`.../j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/`), which is where uploaded shells land and are then served as `/irj/<name>.jsp`. In logs, HTTP POST requests to `/developmentserver/metadatauploader` followed by requests to newly created JSP files, and command execution by the SAP application server user that has no change-management explanation.
- **Detection Methods:** Monitor HTTP logs and network traffic for POSTs to the Metadata Uploader endpoint, connections to the attacker IPs named in the report (43.247.135\[.\]53, 15.204.56\[.\]106), direct requests to JSP files under `/irj/`, and the presence of unknown web shells or malware such as KrustyLoader, VShell, or GOREVERSE. Baseline the irj root directory on a patched instance so that new files stand out.
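The following Python script is an added example for this page, not code from EclecticIQ or SAP. It applies the detection rules above to access-log lines and to a file listing: it flags POSTs to the Metadata Uploader endpoint, requests from the IPs named in the report, direct hits on JSP files under `/irj/`, and JSP files in the irj servlet root modified after a known-good cutoff. The log lines and the file listing are constructed here in Apache common log format; SAP ICM logs use a configurable format, so `LOG_RE` must be adapted to what your instances actually emit, and the cutoff time is an assumed value.

```python
"""Hunting helpers for CVE-2025-31324 activity on SAP NetWeaver AS Java.

Added example for this page; not code from EclecticIQ or SAP. Sample data is
constructed. Adapt LOG_RE to your ICM/web dispatcher log format before use.
"""
import re
from datetime import datetime, timezone

# Vulnerable endpoint: the Visual Composer Metadata Uploader servlet.
METADATA_UPLOADER = "/developmentserver/metadatauploader"

# Attacker infrastructure named in the report (defanged there as 43.247.135[.]53 etc.).
KNOWN_BAD_IPS = {"43.247.135.53", "15.204.56.106"}

# Uploaded web shells land here and are served as /irj/<name>.jsp
IRJ_ROOT_MARKER = "/irj/servlet_jsp/irj/root/"

# Apache common log format (constructed sample data below uses this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristic: a JSP requested directly under /irj/, which normal portal routes never do.
DIRECT_IRJ_JSP = re.compile(r"^/irj/[^/?]+\.jsp$", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path_noquery"], _, ev["query"] = ev["path"].partition("?")
    return ev


def triage_access_log(lines):
    """Return (line_number, reasons, event) for every line that trips a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["method"] == "POST" and ev["path_noquery"].lower() == METADATA_UPLOADER:
            # The upload primitive itself; a 200 means the servlet accepted the request.
            reasons.append("POST to metadatauploader (CVE-2025-31324 upload primitive)")
        if ev["ip"] in KNOWN_BAD_IPS:
            reasons.append("source IP in campaign IoC list")
        if DIRECT_IRJ_JSP.match(ev["path_noquery"]):
            reasons.append("direct request to JSP in /irj/ root (possible web shell)")
        if reasons:
            findings.append((n, reasons, ev))
    return findings


def suspicious_jsp_files(listing, cutoff):
    """Return .jsp paths under the irj root whose mtime is later than `cutoff`.

    `listing` is an iterable of (path, mtime_epoch) pairs, e.g. built from
    os.walk + os.stat, so the check can be exercised offline.
    """
    hits = [
        path for path, mtime in listing
        if IRJ_ROOT_MARKER in path and path.lower().endswith(".jsp") and mtime > cutoff
    ]
    return sorted(hits)


# Constructed sample input (not real log data).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2025:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    '43.247.135.53 - - [12/May/2025:09:15:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 0',
    '43.247.135.53 - - [12/May/2025:09:15:51 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '198.51.100.7 - - [12/May/2025:09:20:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 8901',
]

# Constructed file listing: (path, mtime as epoch seconds).
SAMPLE_LISTING = [
    ("/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/index.jsp", 1.6e9),
    ("/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp", 1.747e9),
    ("/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/static/logo.png", 1.747e9),
]
# Assumed last-known-good time; use your own deployment or patch date.
CUTOFF = datetime(2025, 5, 1, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    for n, reasons, ev in triage_access_log(SAMPLE_LOG):
        print(f"line {n}: {ev['ip']} {ev['method']} {ev['path']} -> {'; '.join(reasons)}")
    for p in suspicious_jsp_files(SAMPLE_LISTING, CUTOFF):
        print("review:", p)
```

Run against the constructed data it reports the upload POST and the follow-up web shell request (both also matching the IoC IP list) and flags `helper.jsp` as a recently modified JSP in the irj root; the legitimate portal requests and the pre-existing `index.jsp` are left alone. The file-listing check is the part worth running first on a production instance, because it catches shells planted before logging or patching was in place.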
## References
- Vendor Advisory: SAP May 2025 Security Notes/Patch Information: support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/may-2025[.]html
- EclecticIQ Analysis: blog[.]eclecticiq[.]com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures