
Global exploitation of SAP NetWeaver bug conducted by Chinese APTs

Attacks exploiting the critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 have been carried out by several Chinese state-sponsored threat operations against 581 systems worldwide, including those belonging to U.S. oil and gas firms and medical device manufacturers, UK water and waste management facilities and natural gas distributors, and Saudi Arabian finance- and investment-focused government agencies, reports The Hacker News.

Web shell compromise of SAP NetWeaver instances has enabled UNC5221 to launch the KrustyLoader malware, which facilitated Sliver payload delivery and shell command execution, and has allowed UNC5174 to execute the SNOWLIGHT loader, which retrieves the VShell remote access trojan and the GOREVERSE backdoor, according to an analysis from EclecticIQ. Another China-backed attacker, CL-STA-0048, used the bug to create a reverse shell to an IP address it had used previously. These findings come as Onapsis researchers reported that the flaw has been exploited alongside another critical issue, tracked as CVE-2025-42999, in intrusions since January. "This combination allowed attackers to execute arbitrary commands remotely and without any type of privileges on the system," said Onapsis Chief Technology Officer Juan Pablo Perez-Etchegoyen, who urged organizations to promptly implement the fixes issued by SAP.
