Critical SAP NetWeaver Vulnerability Targeted by Ransomware and APT Groups

Ransomware groups and Chinese advanced persistent threat (APT) actors are actively exploiting a critical vulnerability in SAP’s NetWeaver framework, tracked as CVE-2025-31324. The flaw, disclosed and patched in an emergency update by SAP in late April, carries a CVSS score of 10, the maximum severity. Attackers can leverage this vulnerability to execute arbitrary code remotely without authentication, potentially compromising entire systems.

Cybersecurity firm ReliaQuest first identified this vulnerability on April 22, categorizing it as a zero-day because it was already being exploited in the wild. Despite the patches SAP issued on April 24, threat actors continued to mount attacks, indicating that the attempted defenses were being evaded. ReliaQuest has since been monitoring indicators of compromise associated with CVE-2025-31324, which it originally suspected to be a remote file inclusion issue before SAP clarified it as an unrestricted file upload vulnerability.
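To make the distinction above concrete, here is an added, generic illustration of the bug class SAP named (unrestricted file upload) beside a hardened upload handler. This is example code written for this article, not SAP NetWeaver code, and it does not reproduce the affected endpoint or any payload; the directory paths, size limit and extension allowlist are assumed values chosen for the example.

```python
import posixpath
import uuid

# Constructed illustration of the "unrestricted file upload" bug class.
# Assumed layout (not SAP's): files under WEB_ROOT are served and may be
# executed by the application server; UPLOAD_DIR is outside that tree.
WEB_ROOT = "/var/www/app"
UPLOAD_DIR = "/var/app-data/uploads"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}  # assumed allowlist
MAX_BYTES = 5 * 1024 * 1024                              # assumed size cap


def unrestricted_upload_path(filename: str) -> str:
    """Weak form: trusts the client-supplied name and stores it under the
    web root with no authentication, extension or traversal checks.
    A server-side script name, or a name containing '../', lands where the
    server will serve or execute it; this is what turns a file upload into
    unauthenticated remote code execution."""
    return posixpath.join(WEB_ROOT, filename)


class UploadRejected(ValueError):
    """Raised when an upload fails one of the hardening checks."""


def validated_upload_path(filename: str, size: int, authenticated: bool) -> str:
    """Hardened form: require authentication, cap the size, keep only the
    basename, allowlist the extension, generate the stored name server-side,
    store outside the web root, and confirm the final path stays inside
    UPLOAD_DIR."""
    if not authenticated:
        raise UploadRejected("unauthenticated upload")
    if size > MAX_BYTES:
        raise UploadRejected("file too large")
    # Strip any directory component (handles both '/' and '\\' separators).
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # The client never chooses the on-disk name, only the (allowlisted) extension.
    stored = f"{uuid.uuid4().hex}{ext}"
    path = posixpath.normpath(posixpath.join(UPLOAD_DIR, stored))
    if posixpath.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR:
        raise UploadRejected("path escapes upload directory")
    return path


def check_upload(filename: str, size: int, authenticated: bool) -> tuple:
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, validated_upload_path(filename, size, authenticated)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names; the weak handler accepts all of them as-is.
    for name in ["report.pdf", "../cgi-bin/page.jsp", "image.PNG"]:
        print("weak    :", unrestricted_upload_path(name))
        print("hardened:", check_upload(name, 1024, authenticated=True))
```

Running the block shows the weak handler building paths such as `/var/www/app/../cgi-bin/page.jsp` directly from client input, while the hardened handler rejects non-allowlisted extensions and unauthenticated requests and stores accepted files under a random name outside the served tree. The final `commonpath` check is belt-and-braces: with a server-generated name it cannot fail, but it guards the function against later edits that reintroduce client-controlled path components.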

The threat landscape has expanded with reports from Forescout Vedere Labs linking some attacks to a suspected Chinese group referred to as Chaya_004. This group has been observed using infrastructure, including Supershell backdoors hosted on Chinese cloud services, to orchestrate its attacks. Furthermore, EclecticIQ revealed that additional Chinese APTs, including UNC5221 and UNC5174, are also targeting the same vulnerability.

As of May 14, ongoing investigations have highlighted potential involvement from Russian ransomware groups, specifically BianLian and RansomEXX. The targeting of CVE-2025-31324 by such diverse threat actors underscores its significance in the current cyber threat landscape. ReliaQuest has reiterated the necessity for organizations to apply the patches promptly, monitor for unusual activity, and strengthen their cybersecurity defenses to combat these escalating threats.