Recent examinations have shown several distressing examples of advanced persistent threats (APTs) associated with China. These threats have targeted known vulnerabilities in SAP systems to impact critical infrastructure across the world. A server operating under the IP address “15.204.56.106” was found to contain dozens of files tied to compromised SAP NetWeaver instances. This finding represents a shocking enterprise security violation.
A particularly important result has come out, described in the attached file “CVE-2025-31324-results.txt”. It shows that 581 SAP NetWeaver instances were exploited and deployed with a backdoored version of the web shell. Additionally, another file titled “服务数据_20250427_212229.txt” lists around 800 domains running SAP NetWeaver, suggesting that these could be future targets for further attacks.
In one concrete instance, the China-linked APT group CL-STA-0048 tried to set up a two-way remote shell connection to the IP address “43.247.135.53”. This decision demonstrates the group’s resolve to maintain remote access to affected systems. They continue to be laser-focused on targeting enterprise applications and edge devices that are directly accessible on the internet.
Details of the Breach
Our analysis of the exposed directory on the attacker’s infrastructure led us to some key event logs. Each of these logs captured activity over thousands of compromised endpoints. In doing so, these logs offer indispensable information on the tactics used by attackers, including the abuse of publicly documented CVEs such as CVE-2025-31324.
“This combination allowed attackers to execute arbitrary commands remotely and without any type of privileges on the system,” security experts noted. The vulnerability enables remote code execution (RCE) through an unauthenticated file-upload weakness.
Cybersecurity expert Juan Pablo (JP) Perez-Etchegoyen called out the timing of the attacks: they started with low-level probes in January 2025 and escalated by March 2025. He stated, “The attacks we observed during March 2025 are actually abusing both the lack of authentication (CVE-2025-31324) as well as the insecure de-serialization (CVE-2025-42999).”
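The unauthenticated file-upload weakness described above leaves a recognisable trace in web-server access logs: a POST to the Visual Composer metadata uploader path with no authenticated user, followed by requests for a server-side script under the portal tree from the same source. The script below is an added triage example, not code from the original report; the log lines are constructed, the Apache/NCSA log format and the heuristic that a dropped web shell shows up as a JSP under /irj/ are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (NCSA common log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - admin [26/Apr/2025:10:13:44 +0000] "GET /irj/portal HTTP/1.1" 200 8813 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2025:10:12:05 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.4 - - [26/Apr/2025:10:20:00 +0000] "POST /irj/servlet/prt/portal/prtroot/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Remote user "-" means the request carried no authenticated identity.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Visual Composer metadata uploader: the unauthenticated upload path SAP fixed for CVE-2025-31324.
UPLOAD_PATH = "/developmentserver/metadatauploader"
# Assumption: an uploaded web shell is later fetched as a JSP served from the portal (/irj/) tree.
SHELL_RE = re.compile(r"^/irj/.*\.jsp$", re.IGNORECASE)


def parse(line):
    """Parse one NCSA log line into a dict (None if it does not match the format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["path_nq"] = event["path"].split("?", 1)[0]  # strip the query string
    return event


def triage(log_text):
    """Return findings: unauthenticated uploader POSTs, then JSP hits under /irj/ correlated by source IP."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    uploaders = defaultdict(list)  # source ip -> timestamps of unauthenticated upload attempts
    findings = []
    for e in events:
        if e["method"] == "POST" and e["path_nq"] == UPLOAD_PATH and e["user"] == "-":
            uploaders[e["ip"]].append(e["ts"])
            findings.append({"ip": e["ip"], "kind": "unauthenticated_upload",
                             "status": int(e["status"]), "path": e["path_nq"]})
    for e in events:
        if e["method"] == "GET" and e["status"] == "200" and SHELL_RE.match(e["path_nq"]):
            # A successful JSP fetch from an IP that already hit the uploader is the stronger signal.
            kind = "webshell_access_after_upload" if e["ip"] in uploaders else "jsp_under_irj"
            findings.append({"ip": e["ip"], "kind": kind, "status": 200, "path": e["path_nq"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding of kind `unauthenticated_upload` with a 2xx status on a host not yet carrying the fix is worth treating as a probable compromise rather than a mere probe.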
Targeted Sectors and Strategic Intent
We have seen these cyber campaigns broadly impact all sectors that are essential to the United Kingdom’s critical infrastructure, including natural gas distribution networks, water utilities, and integrated waste management systems. Medical device manufacturing plants and oil and gas companies in the US are also at stake. Moreover, Saudi Arabia’s government ministries are feeling the effects too.
Arda Büyükkaya emphasized the strategic nature of these attacks, stating, “Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities.” He further warned that “China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally.”
Another threat actor, dubbed Chaya_004, leveraged CVE-2025-31324 to install a Go-based reverse shell equivalent to SuperShell. This tactic fits with the broader APT goal of gaining sustained access to important networks in multiple nations.
Recommended Actions for Organizations
In view of these developments, it is more important than ever for organizations to act now to secure their SAP applications. Security experts state that organizations should apply SAP Security Note 3604119 immediately to reduce any residual risk related to SAP applications. The note addresses a de-serialization vulnerability, which can only be exploited by users holding certain administrative roles on the target SAP system.
“Organizations should immediately deploy SAP Security Note 3604119 to eliminate the remaining risk on SAP Applications,” specialists recommended. This measure is an essential step in protecting against future exploits that may allow unauthorized access or data exposure.