China-Linked Hackers Exploit SAP Flaw: A Comedy of Cyber Errors
Chaya_004, a China-linked threat actor, has been exploiting a critical SAP NetWeaver flaw, CVE-2025-31324. This security flaw allows remote code execution via a vulnerable endpoint. Hundreds of SAP systems across multiple industries have been targeted, with attackers using web shells and cryptocurrency mining. Time to patch up before Chaya_004 gets cozy!
Hot Take:
Looks like China-linked threat actor Chaya_004 didn’t get the memo that “April showers bring May flowers” and decided to drop some web shells instead! Who knew exploiting SAP NetWeaver’s flaw would become the latest fad for hackers? It’s like the cybersecurity world’s version of a viral TikTok dance, except it’s a bit more sinister and involves a lot less dancing and a lot more remote code execution!
Key Points:
– A critical SAP NetWeaver flaw (CVE-2025-31324) is being exploited by a China-linked threat actor, Chaya_004.
– The vulnerability allows for remote code execution through the “/developmentserver/metadatauploader” endpoint.
– Hundreds of global SAP systems across various industries have been impacted since April 2025.
– Chaya_004 is using a web-based reverse shell, SuperShell, hosted on an IP address with mysterious, self-signed certificates.
– Organizations are urged to patch their systems and monitor suspicious activities to fend off these attacks.