Chinese Hackers Exploit SAP NetWeaver RCE Flaw (thehackernews.com) 5
"A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver," reports The Hacker News:
Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint.
The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to [SAP cybersecurity firm] Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. Onapsis said it observed reconnaissance activity that involved "testing with specific payloads against this vulnerability" against its honeypots as far back as January 20, 2025. Successful compromises in deploying web shells were observed between March 14 and March 31.
"In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency..."
Thanks to Slashdot reader bleedingobvious for sharing the news.
The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to [SAP cybersecurity firm] Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. Onapsis said it observed reconnaissance activity that involved "testing with specific payloads against this vulnerability" against its honeypots as far back as January 20, 2025. Successful compromises in deploying web shells were observed between March 14 and March 31.
"In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency..."
Thanks to Slashdot reader bleedingobvious for sharing the news.
Not a problem (Score:3)
AI will solve this. Or maybe space communism.
I used to (Score:2)
I use to work on SAP and applying patches is a a nightmare. It is as if SAP want you never to install patches at all, I have never seen a worse method of applying updates than SAP.
So no surprise here, I am pretty sure SAP has more holes in it than there are "back holes" in this universe. :)
Re: (Score:2)
The company I work for uses SAP - and an old version of it.
There's a company saying, Death by SAP that's going around for companies going bust because SAP don't support their needs and then SAP just states that they should have changed the business model to the SAP standard business model.
In addition to that the UI of SAP is horrible.
All this time I thought (Score:2)
...that SAP was Satan's preferred means of communication with the modern world.
Suffice that it always costs more, takes longer, and does less and less well than they claimed it would.