Chinese Hackers Target SAP Systems in Global Cyber Campaign

The420.in

A critical vulnerability in SAP NetWeaver Visual Composer is being actively exploited in the wild, with evidence pointing to a sophisticated Chinese threat group dubbed Chaya_004. The deserialization flaw, tracked as CVE-2025-31324, enables remote code execution, allowing attackers to deploy web shells and gain full control of vulnerable SAP systems. With confirmed exploitation across global enterprise environments and a sprawling network of malicious infrastructure, this is shaping up to be one of 2025’s most dangerous enterprise threats.

Inside CVE-2025-31324: A Critical SAP Vulnerability with Far-Reaching Impact

On April 29, cybersecurity researchers observed the first signs of active exploitation of CVE-2025-31324, a critical deserialization flaw in SAP NetWeaver Visual Composer 7.x. The vulnerability, which allows attackers to upload arbitrary binaries via the /developmentserver/metadatauploader endpoint, has become a key target for remote code execution (RCE) campaigns.

The implications are dire: compromised SAP systems could experience service disruptions, credential theft, lateral movement, and regulatory violations due to unauthorized data access. SAP’s Visual Composer often integrates with mission-critical enterprise systems like CRM, SCM, and SRM — making it a high-value target for espionage, sabotage, or ransomware deployment.

Forescout’s threat research team reported that early attack attempts involved web shell uploads (e.g., helper.jsp, ssonkfrd.jsp), along with use of curl to fetch secondary payloads. Defensive scans have already triggered system crashes in fragile installations, particularly in manufacturing sectors — highlighting the urgency for organizations to patch their environments.


Chaya_004: Mapping the Chinese Infrastructure Behind the Attacks

While initial scans appeared opportunistic, further investigation has linked coordinated activity to a China-based threat actor codenamed Chaya_004. Using infrastructure hosted on major Chinese providers (Alibaba, Tencent, Huawei), the group deployed Supershell backdoors, automated recon tools, and penetration frameworks like SoftEther VPN, Cobalt Strike, and NHAS.

Forescout analysts recovered malware binaries and traced them back to IP 47.97.42[.]177, which hosted a Supershell login page and exhibited anomalous certificate data impersonating Cloudflare. Using scanning tools like Censys and FOFA, researchers mapped over 500 IPs across 20 ASNs and 19 countries tied to this infrastructure.

The arsenal of tools deployed — including Go Simple Tunnel, Asset Recon Lighthouse, and POCassit — confirms the group’s capabilities in intelligence gathering, privilege escalation, and lateral movement within enterprise environments. One malware sample linked to Chaya_004, svchosts.exe, was observed using search-email[.]com as a command-and-control (C2) domain, further validating the campaign’s scale and sophistication.

Global Exposure, Enterprise Risk, and Forescout’s Defense Strategy

The impact is not theoretical. Attempted exploitation has been confirmed in customer environments — especially in Europe and the United States — via networks linked to known VPS and Tor exit nodes. Forescout identified IPs from Scaleway (France), Contabo (Germany), and Nubes LLC (US) actively trying to compromise SAP servers.

To counter the growing threat, Forescout rapidly deployed a multi-layered defense across its security products:

  • OT/eyeInspect now includes detection logic for web shell activity and malicious POST requests.
  • eyeFocus provides asset-level SAP vulnerability context, enriched with threat intelligence from Vedere Labs, Red Canary, and Onapsis.
  • eyeAlert enables real-time alerts for exploitation behaviors and integrates with SIEM/SOAR platforms for automated response.

In addition to recommending immediate patching using SAP’s April 2025 fixes, Forescout advises organizations to:

  • Restrict metadata uploader services through firewalls or SAP Web Dispatcher.
  • Disable Visual Composer if unused.
  • Conduct regular penetration tests and asset audits.
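The web-shell and POST-request detection described above can be approximated from ordinary HTTP access logs. The following is an added example (not Forescout's or SAP's code): it parses constructed Common Log Format lines and flags POSTs to the /developmentserver/metadatauploader endpoint, requests for the web shell file names reported in the article, and any .jsp request from a client that previously hit the uploader. The log lines, IPs and rule names are assumptions constructed for illustration.

```python
import re

# Constructed sample access-log lines (Common Log Format) for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:15:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [29/Apr/2025:10:15:09 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [29/Apr/2025:10:20:41 +0000] "GET /irj/portal HTTP/1.1" 200 4096
192.0.2.44 - - [29/Apr/2025:11:02:13 +0000] "GET /irj/ssonkfrd.jsp HTTP/1.1" 404 120
192.0.2.44 - - [29/Apr/2025:11:05:55 +0000] "POST /developmentserver/metadatauploader?v=1 HTTP/1.1" 403 0
203.0.113.10 - - [29/Apr/2025:11:30:00 +0000] "GET /irj/new.jsp HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
UPLOADER_PATH = "/developmentserver/metadatauploader"
KNOWN_SHELLS = {"helper.jsp", "ssonkfrd.jsp"}  # file names reported by Forescout


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def finding(rule, rec, path):
    """Build one normalised finding record for SIEM/SOAR hand-off."""
    return {"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
            "path": path, "status": int(rec["status"])}


def detect(log_text):
    """Scan access-log text and return findings in log order.
    Rules: uploader_post (any POST to the metadata uploader), known_webshell
    (request for a reported shell name), post_then_jsp (.jsp request from an
    IP that earlier POSTed to the uploader, i.e. upload followed by use)."""
    findings, posted = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        path = rec["path"].split("?", 1)[0]  # drop the query string
        name = path.rsplit("/", 1)[-1]
        if rec["method"] == "POST" and path == UPLOADER_PATH:
            findings.append(finding("uploader_post", rec, path))
            posted.add(rec["ip"])  # remember the client for later correlation
        elif name.lower().endswith(".jsp"):
            if name in KNOWN_SHELLS:
                findings.append(finding("known_webshell", rec, path))
            if rec["ip"] in posted:
                findings.append(finding("post_then_jsp", rec, path))
    return findings
```

A 200 on the uploader POST followed by a .jsp request from the same client is the sequence to escalate first; a 403 on the POST still shows who is probing the endpoint.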
