Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
Table of contents:
A newly revealed SAP NetWeaver critical vulnerability, an unauthenticated file upload flaw that allows RCE and tracked as CVE-2025-31324, is being actively exploited by several China-linked nation-state groups to attack critical infrastructure systems. Defenders attribute the observed intrusions to Chinese cyber-espionage groups, which are likely linked to China’s Ministry of State Security (MSS) or its associated private contractors.
Detect CVE-2025-31324 Exploitation Attempts Linked to China-Nexus Adversaries
As zero-day exploits increasingly define modern cyber-attacks, a maximum-severity SAP NetWeaver flaw CVE-2025-31324 has followed suit, with widespread exploitation since April 2025 by likely China-linked APT groups targeting critical infrastructure.
To proactively withstand the growing risks of intrusions, register for the SOC Prime Platform and access a set of Sigma rules for CVE-2025-31324 exploit detection linked to the latest campaign by China-nexus groups.
Security professionals looking for more detection algorithms addressing CVE-2025-31324 exploits can browse Threat Detection Marketplace by the CVE ID directly, or follow this link. Additionally, by using the CVE tag, cyber defenders can access a broader collection of rules to detect vulnerability exploitation.
Detections are compatible with dozens of SIEM, EDR, and Data Lake solutions, and are aligned with the MITRE ATT&CK® framework. They are also enriched with actionable metadata to provide a comprehensive cyber threat context for in-depth investigation.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs from the dedicated EclecticIQ report into actionable hunting queries, enabling efficient investigation of China-nexus APT activity exploiting CVE-2025-31324. Additionally, Uncoder supports crafting detection logic from raw threat reports, ATT&CK tags prediction, AI-driven query optimization, and detection content translation across multiple platforms.
CVE-2025-31324 Exploitation Analysis Linked to Chinese APT Groups
In April 2025, defenders observed high-intensity exploitation campaigns targeting critical infrastructure by abusing SAP NetWeaver Visual Composer and exploiting a maximum-severity zero-day vulnerability, CVE-2025-31324. Adversary operations are strategically aimed at infiltrating critical infrastructure, stealing sensitive data, and establishing long-term access to high-value global networks.
EclecticIQ analysts assess that China-linked APT groups are highly likely to be actively carrying out a large-scale internet scanning and exploitation campaign targeting SAP NetWeaver systems. The campaign has targeted a range of sectors, including natural gas distribution, water and waste management services in the U.K., medical device manufacturers and oil and gas firms in the U.S., as well as government ministries in Saudi Arabia overseeing investment and financial policy.
Evidence of the campaign’s extent was revealed through an adversary-controlled server hosted at IP address 15.204.56[.]106, which contained event logs detailing activity across several breached systems. A server located at this IP address was found hosting multiple files, including “CVE-2025-31324-results.txt”, which documents 581 compromised SAP NetWeaver instances that were backdoored with web shells, and another TXT file listing 800 domains running SAP NetWeaver, suggesting these may be future targets. Following the exploitation of CVE-2025-31324, the attackers deploy two web shells to maintain persistent remote access and execute arbitrary commands on infected systems.
Defenders attribute these intrusions to Chinese hacking groups identified as UNC5221, UNC5174, and CL-STA-0048. CL-STA-0048 attempted to set up an interactive reverse shell with IP 43.247.135[.]53, previously linked to the group. This hacking gang has previously been linked to attacks in South Asia, where they exploited known flaws in publicly exposed IIS, Apache Tomcat, and MS-SQL servers to deploy web shells, reverse shells, and PlugX malware.
Another group tracked as UNC5221 used a web shell to deploy KrustyLoader, a Rust-based tool capable of delivering secondary payloads like Sliver, maintaining persistence, and running shell commands. One more hacking group behind CVE-2025-31324 exploitation, known as UNC5174, was observed downloading SNOWLIGHT, a loader that connects to a hardcoded server to retrieve VShell, a Go-based RAT, and GOREVERSE backdoor.
According to researchers, China-affiliated APTs are highly likely to continue weaponizing internet-facing enterprise software and edge devices in efforts to gain long-term access to critical infrastructure worldwide.
Given the continued active exploitation, SAP NetWeaver users are strongly advised to promptly upgrade their instances to the latest available version as detailed in SAP Security Note #3594142. As potential CVE-2025-31324 mitigation measures in cases where patching is not feasible, the vendor recommends removing the component sap.com/devserver_metadataupload_ear as outlined in SAP Note #3593336. Additionally, access to /developmentserver/metadatauploader should be limited to internal, authenticated IP ranges, and unauthenticated or public network access should be blocked using WAF or firewall rules.
As China-linked threat groups are strategically targeting widely used platforms like SAP NetWeaver, likely due to their critical role in enterprise environments and their tendency to contain unpatched vulnerabilities, ultra-responsiveness from defenders is a significant step to proactively thwart emerging threats. SOC Prime Platform equips security teams with a complete product suite backed by AI-powered technology, automated capabilities, and real-time threat intelligence to help global enterprises strengthen their defenses at scale.
