Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical remote code execution vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324) is being actively exploited by a Chinese threat actor to compromise enterprise systems worldwide.<\/p>\n
The vulnerability<\/a> allows attackers to achieve remote code execution by uploading malicious web shells through the vulnerable \/developmentserver\/metadatauploader endpoint.<\/p>\n Exploitation has been observed primarily targeting manufacturing environments, where compromised SAP systems could lead to significant operational disruptions and security breaches.<\/p>\n The threat actor, tracked as Chaya_004, has been leveraging this vulnerability since at least April 29, 2025, shortly after proof-of-concept exploits became publicly available.<\/p>\n Their attack infrastructure heavily utilizes Chinese cloud providers, including Alibaba, Tencent, and Huawei Cloud Services.<\/p>\n This campaign demonstrates a sophisticated approach to infrastructure deployment, with over 700 identified IP addresses sharing consistent configuration patterns.<\/p>\n Forescout researchers identified<\/a> the malicious infrastructure after recovering an ELF binary named \u201cconfig\u201d from one of the attacks.<\/p>\n The binary contained an IP address hosting a SuperShell login interface, which led to the discovery of hundreds of additional IP addresses sharing unusual certificate configurations.<\/p>\n The certificates utilized anomalous self-signed properties impersonating Cloudflare<\/a> with a distinctive subject DN attribute.<\/p>\n The exploitation pattern involves POST requests to the vulnerable endpoint, followed by the deployment of web shells with names such as \u201chelper.jsp,\u201d \u201ccache.jsp,\u201d or randomized eight-letter filenames like \u201cssonkfrd.jsp.\u201d<\/p>\n Once established, these backdoors enable attackers to download additional malicious payloads using curl commands, as demonstrated in the following attack sequence:-<\/p>\n The deployed SuperShell backdoors provide attackers with comprehensive system access, allowing them to manipulate service endpoints, harvest credentials<\/a>, and potentially pivot to more critical SAP components.<\/p>\n The primary backdoor interface was identified on port 8888 with the distinctive path \u201c\/supershell\/login\u201d across multiple compromised systems.<\/p>\n Organizations running affected SAP<\/a> versions are strongly urged to apply the security patches released in the April 2025 Patch Day immediately.<\/p>\n Additional recommended mitigations include restricting access to metadata uploader services, disabling unused web services, and implementing real-time monitoring for anomalous access to SAP systems, particularly outside of regular maintenance windows.<\/p>\n The post Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPOST \/developmentserver\/metadatauploader HTTP\/1.1\nHost: [target]\nContent-Type: multipart\/form-data; boundary=---------------------------9051914041544843365972754266\nContent-Length: [length]\n\n-----------------------------9051914041544843365972754266\nContent-Disposition: form-data; name=\"file\"; filename=\"webshell.jsp\"\nContent-Type: application\/octet-stream\n\n\n\n-----------------------------9051914041544843365972754266--<\/code><\/pre>\nAre you from the SOC and DFIR Teams? \u2013 Analyse Real time Malware Incidents with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/p>\n