A second wave of cyberattacks is targeting a critical vulnerability in SAP NetWeaver Visual Composer, according to researchers.
Following the initial round of threat activity disclosed in April, opportunistic threat actors are leveraging webshells that were previously established through exploitation of CVE-2025-31324. The vulnerability, with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and take full control of a system, according to researchers at Onapsis.
Onapsis and Mandiant are tracking hundreds of confirmed compromises worldwide, spanning multiple industries, including utilities, manufacturing, oil and gas, and other critical infrastructure sectors.
The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog in late April.
Researchers at Onapsis say the threat activity is more serious than originally known, in part because the threat actors appear to have more familiarity with SAP systems than defenders previously realized. Onapsis now believes that hackers started their initial probing for vulnerable SAP systems in January, two months earlier than previously thought.
“What changed is that it was initially thought that attackers leveraged a remote file upload vulnerability to deploy webshells, and then used that to compromise the systems,” Onapsis CTO Juan Pablo (JP) Perez-Etchegoyen said via email.
However, based on payloads reconstructed by Onapsis, the hackers were actually exploiting a remote command execution vulnerability.
Active exploitation and compromise appear to have begun in March, according to multiple security research firms.
The threat actors appear to have advanced knowledge of SAP and could be using living-off-the-land techniques to hide their tracks and maintain persistence, experts said.
SAP released an update in late April with a workaround to completely remove the application from unpatchable systems. SAP mitigation tools are password protected for confirmed customers.
The company is urging all customers to update their systems with the emergency patch that was released April 24. The vulnerability was originally disclosed by researchers at ReliaQuest.
Meanwhile, researchers from Forescout have identified a new China-based threat actor, which the company calls Chaya_004, exploiting the SAP flaw.
“We have not yet linked this activity cluster to any named threat actor,” Sai Molige, senior manager of threat hunting at Forescout, said via email. “However, based on their infrastructure and tool arsenal, they are more likely to be criminal than state-sponsored.”
Researchers found a network of more than 787 IP addresses, hosted mainly on Alibaba, Tencent and Huawei cloud, using certificates that impersonated Cloudflare.
The analysts also observed live exploitation using SuperShell, Cobalt Strike, SoftEther VPN and multiple Chinese-language penetration-testing tools.