NEWS Chaya_004 Hackers Hijack SAP Systems Worldwide with a Single POST Request

ExcalibuR


When your Cloudflare certificate is in Chinese—and the web shell is already inside.

Since late April 2025, a surge in attacks has been observed targeting SAP NetWeaver Visual Composer, exploiting a critical vulnerability — CVE-2025-31324. This flaw affects the metadata uploader component and allows attackers to upload web shells through the exposed /developmentserver/metadatauploader endpoint. Once exploited, it leads to remote code execution and full server takeover.


Rated a maximum 10.0 on the CVSS scale, this vulnerability has already been added to the CISA Known Exploited Vulnerabilities (KEV) list. The first exploitation traces were detected on April 29 by Forescout Vedere Labs’ honeypots, alongside a dramatic spike in scanning activity. A threat group not yet tied to any known actor, tracked by Forescout as Chaya_004, is suspected to be behind the attacks, with strong ties to China.


The attack pattern is consistent: after uploading web shells (e.g., helper.jsp, ssonkfrd.jsp), malware payloads are fetched via tools like curl from remote hosts. These compromises disrupt business-critical SAP systems (CRM, SCM, SRM), granting attackers access to metadata, user accounts, and internal systems. The infected SAP servers are then leveraged for lateral movement across the organization’s infrastructure.


The most active C2 infrastructure was traced to IP address 47.97.42[.]177, hosting a Go-written web shell named Supershell, disguised with a fake Cloudflare certificate in Chinese. Researchers found 578 related IPs through matching TLS certs, most hosted on Chinese cloud platforms: Alibaba Cloud, Tencent Cloud, Huawei Cloud, and China Unicom — further confirming the group's geographic linkage.


The associated infrastructure also deployed a suite of Chinese-localized tools for recon and exploitation, including:


  • SoftEther VPN,
  • ARL (Asset Reconnaissance Lighthouse),
  • Pocassist, Xray, NPS, NHAS, and Cobalt Strike.

An ELF binary named config was uncovered, which downloaded a malicious payload (svchosts.exe) from the C2 domain search-email[.]com.


Particularly alarming was the scanning behavior of 37 Microsoft ASN IPs looking for vulnerable SAP servers, while 14 Amazon ASN IPs focused on already compromised hosts — a clear sign of split infrastructure for reconnaissance and exploitation.


The attacks have affected dozens of industries — from energy and oil & gas to retail and the public sector. According to Onapsis, reconnaissance began in January, with successful breaches in March, and mass exploitation peaking in April. Alarmingly, some attacks have even been detected on already patched systems, indicating re-use of previously planted web shells.
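As an added, defender-side example (not part of the original post, and not Forescout's or SAP's tooling), the following Python script applies the attack pattern described above to web server access logs: it flags POST requests to the /developmentserver/metadatauploader endpoint, non-POST probes of the same endpoint, follow-up requests to JSP files from a source that hit the uploader, and hits on the reported web shell names (helper.jsp, ssonkfrd.jsp) from a source that never uploaded anything in the log, which is the situation described for already patched systems. The log lines, IP addresses, timestamps and the /irj/... shell locations are constructed for the example; the combined-log regex is an assumption and must be adapted to the ICM/HTTP log format actually in use.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint abused by CVE-2025-31324, as named in the write-up.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Web shell names reported in the write-up; extend with names seen locally.
KNOWN_SHELLS = {"helper.jsp", "ssonkfrd.jsp"}

# Assumption: NCSA combined-style access log. Adapt to the real log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (RFC 5737 test addresses, fictitious paths).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [29/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 1200
203.0.113.10 - - [29/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 310
192.0.2.55 - - [29/Apr/2025:10:40:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 880
198.51.100.7 - - [29/Apr/2025:11:20:44 +0000] "GET /irj/ssonkfrd.jsp?x=1 HTTP/1.1" 200 290
192.0.2.55 - - [29/Apr/2025:11:25:00 +0000] "GET /irj/portal/help.jsp HTTP/1.1" 404 120
"""


@dataclass
class Finding:
    src_ip: str
    kind: str    # upload_attempt | probe | shell_access | shell_access_no_upload
    path: str
    status: str
    ts: str


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Walk the log in order and emit findings for the CVE-2025-31324 pattern."""
    findings = []
    uploaded_from = set()   # source IPs that POSTed to the uploader endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]          # drop query string
        name = path.rsplit("/", 1)[-1].lower()       # file name component
        if path.lower().rstrip("/") == UPLOADER_PATH:
            # POST is the upload vector; anything else is treated as a probe/scan.
            kind = "upload_attempt" if method == "POST" else "probe"
            if kind == "upload_attempt":
                uploaded_from.add(ip)
            findings.append(Finding(ip, kind, path, rec["status"], rec["ts"]))
        elif name.endswith(".jsp") and (name in KNOWN_SHELLS or ip in uploaded_from):
            # A known shell name with no upload earlier in this log suggests a
            # shell planted before the log window (or before patching).
            kind = "shell_access" if ip in uploaded_from else "shell_access_no_upload"
            findings.append(Finding(ip, kind, path, rec["status"], rec["ts"]))
    return findings


def summarize(findings):
    """Count findings per kind and list sources using shells they did not upload."""
    counts = Counter(f.kind for f in findings)
    suspected = sorted({f.src_ip for f in findings if f.kind == "shell_access_no_upload"})
    return {"counts": dict(counts), "suspected_planted_shells": suspected}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts}  {f.src_ip:15} {f.kind:24} {f.status} {f.path}")
    print(summarize(found))
```

Run against a real log, the "shell_access_no_upload" set is the list to triage first: a request to a known shell name with no upload in the window means the file was planted earlier, so patching alone has not removed it and the JSP directories need to be inspected and cleaned.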


In response, Forescout has activated its defense stack:


  • eyeInspect tracks suspicious POST requests and JSP uploads,
  • eyeFocus evaluates threat context and severity,
  • eyeAlert issues alerts and can trigger automated incident response.

There have been incidents where even vulnerability scans triggered production disruptions.


Recommendations:


  • Immediately apply SAP security patches for NetWeaver AS Java 7.50–7.52
  • Restrict access to metadata uploader interfaces
  • Disable unused Visual Composer components
  • Configure network filters and segmentation
  • Perform regular penetration tests and activity audits

If not urgently addressed, vulnerable SAP servers may become entry points not only for espionage, but also for data-wiping attacks and the lateral deployment of malware across enterprise networks.