China’s Cyber Comedy: CVE-2025-31324 Takes Center Stage!

Attackers are exploiting CVE-2025-31324 with web shell backdoors. Forescout’s research suggests a Chinese nation-state actor, Chaya_004, is involved, using servers with Supershell backdoors. IPs impersonating Cloudflare, traced to Chinese providers, fuel suspicions. CISA’s KEV catalog now includes CVE-2025-31324, as SAP NetWeaver systems remain at risk.

Hot Take:

When life gives you lemons, some people make lemonade. When the cyber world gives you vulnerabilities, Chinese threat actors make backdoor lemonade! Who knew that SAP systems could be so juicy?

Key Points:

  • Security firms Onapsis and WatchTowr have confirmed active exploitation of the CVE-2025-31324 vulnerability.
  • Onapsis, in collaboration with Google Cloud’s Mandiant, released an open-source detection tool for affected SAP systems.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities catalog.
  • Forescout’s Vedere Labs reports potential involvement of Chinese nation-state actors exploiting the vulnerability.
  • EclecticIQ has linked some SAP NetWeaver intrusions to Chinese cyber-espionage units.

The Nimble Nerd