{"id":105944,"date":"2025-05-08T00:15:36","date_gmt":"2025-05-08T04:15:36","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=105944"},"modified":"2025-05-08T07:19:34","modified_gmt":"2025-05-08T11:19:34","slug":"threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/","title":{"rendered":"Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor"},"content":{"rendered":"<p>CVE-2025-31324 is a critical deserialization vulnerability affecting SAP NetWeaver Visual Composer 7.x that allows attackers to upload malicious binaries, such as web shells, to vulnerable servers. This allows for full takeover of unpatched systems.<\/p>\n<p>The CVE has been actively exploited in the wild since at least April 29, when we noticed active scans on <a href=\"\/research-labs\/threat-intelligence\/\">Forescout\u2019s Adversary Engagement Environment (AEE)<\/a> and it was added to <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">CISA KEV<\/a>.<\/p>\n<p>As part of our investigation into active exploitation of this vulnerability, we uncovered malicious infrastructure likely belonging to a Chinese threat actor, which we are currently tracking as Chaya_004 \u2013 following our convention for unnamed threat actors. 
The infrastructure includes a network of servers hosting Supershell backdoors, often deployed on Chinese cloud providers, and various pen testing tools, many of Chinese origin.<\/p>\n<p>This post provides an overview of the vulnerability, analysis of Chaya_004 and mitigation recommendations, including proactive response measures taken by Forescout.<\/p>\n<p>&nbsp;<\/p>\n<h2>CVE-2025-31324: SAP Vulnerability Overview<\/h2>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-31324\" target=\"_blank\" rel=\"noopener\">CVE-2025-31324<\/a> allows attackers to achieve remote code execution (RCE) by uploading malicious web shells through a vulnerable endpoint in SAP NetWeaver Visual Composer. Attackers have demonstrated consistent exploitation patterns with:<\/p>\n<ul>\n<li>POST requests targeting the \/developmentserver\/metadatauploader endpoint.<\/li>\n<li>Deployment of web shells, including files named helper.jsp, cache.jsp, and others with randomized 8-letter names, such as \u201cssonkfrd.jsp\u201d.<\/li>\n<li>Use of curl to download further malicious payloads from external infrastructure.<\/li>\n<\/ul>\n<p>Visual Composer is SAP\u2019s web-based tool to create business applications visually. 
It runs on NetWeaver servers that often serve other applications in the SAP business suite, such as customer relationship management (CRM), supply chain management (SCM) and supplier relationship management (SRM).<\/p>\n<p>If left unpatched, exploitation of CVE-2025-31324 can lead to:<\/p>\n<ul>\n<li><strong>Service Disruption<\/strong> \u2013 Web shell access may allow attackers to corrupt or delete Universal Description Discovery and Integration (UDDI) entries, disrupting communication between SAP modules like CRM, SCM, or SRM.<\/li>\n<li><strong>Information Leakage<\/strong> \u2013 Service metadata can expose internal APIs, authentication methods, and system configurations.<\/li>\n<li><strong>Credential Interception<\/strong> \u2013 Manipulated service endpoints may be used to harvest user credentials or inject malicious content.<\/li>\n<li><strong>Lateral Movement<\/strong> \u2013 From Visual Composer, attackers can pivot toward more critical SAP components such as the Gateway, Message Server, or HANA database.<\/li>\n<li><strong>Regulatory Non-Compliance<\/strong> \u2013 Unauthorized access or data manipulation may violate GDPR, HIPAA, SOX, and other data protection frameworks.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Exploitation: Opportunistic Scans and Hints of a Campaign<\/h2>\n<p>To identify current exploitation campaigns and actors, we have been using three data sources:<\/p>\n<ul>\n<li><strong>Scans on AEE. <\/strong>Several <a href=\"https:\/\/github.com\/nomi-sec\/PoC-in-GitHub\/blob\/master\/2025\/CVE-2025-31324.json\" target=\"_blank\" rel=\"noopener\">scanning tools and proof-of-concept<\/a> (PoC) exploits have been released since April 25, a day after the CVE was published. We started noticing scans on the AEE on April 29, as shown in the figure below. 
Scans for \u201c\/developmentserver\/metadatauploader\u201d \u2013 looking for vulnerable servers \u2013 have been growing since April 29, while scans for \u201c\/irj\/*.jsp\u201d \u2013 looking for compromised servers \u2013 only happened between April 29 and April 30. We noticed 37 unique IP addresses scanning for \u201c\/developmentserver\/metadatauploader\u201d and 14 scanning for \u201c\/irj\/*.jsp\u201d. All IPs related to the former scan were on Microsoft ASNs and all IPs related to the latter were on Amazon ASNs. No IP address was related to both scans. These IPs are reported in the IoC section of this blog, but they are likely related to benign scans given the ASNs and the fact that several carried the <a href=\"https:\/\/github.com\/zmap\/zgrab2\" target=\"_blank\" rel=\"noopener\">Zgrab<\/a> user agent.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-105947\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-scaled.webp\" alt=\"\" width=\"2560\" height=\"1542\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-scaled.webp 2560w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-300x181.webp 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-1024x617.webp 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-768x463.webp 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-1536x925.webp 1536w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog_SAP-Graph-Scans-on-AEE-2048x1234.webp 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/p>\n<ul>\n<li><strong>Exploitation attempts at customers.<\/strong> Attempted exploitation has been observed primarily in manufacturing environments, where compromised SAP systems may lead to broad 
operational and security impacts. It\u2019s also important to note that in these environments we observed reports of system crashes during defensive scans, indicating fragile or exposed installations. We observed 13 unique IP addresses attempting to exploit the vulnerability on customer networks. These addresses belong to the following ASes:\n<ul>\n<li>AS12876 (Scaleway S.A.S.) \u2013 French hosting provider with multiple IPs documented in brute force attacks targeting.<\/li>\n<li>AS51167 (Contabo GmbH) \u2013 German hosting provider known for offering low-cost VPS services that are sometimes abused by threat actors.<\/li>\n<li>AS40021 (Nubes, LLC) \u2013 US-based provider that hosts VPN servers and Tor services.<\/li>\n<li>AS41314 (ECO TRADE Sp. z o.o.) \u2013 Small Polish ASN that seems to belong to a legitimate food manufacturing business. The IPs used in the exploitation attempts could have been compromised.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Tracking adversary infrastructure. <\/strong>From one of the attacks, we recovered an ELF binary named &#8220;config&#8221; (<a href=\"https:\/\/www.virustotal.com\/gui\/file\/888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef\" target=\"_blank\" rel=\"noopener\">888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef<\/a>) and extracted from it the IP address 47.97.42[.]177. That IP address hosted a SuperShell login interface at http:\/\/47.97.42[.]177:8888\/supershell\/login. 
<a href=\"https:\/\/github.com\/tdragon6\/Supershell\" target=\"_blank\" rel=\"noopener\">SuperShell<\/a> is a web-based reverse shell developed in Go by a Chinese-speaking developer called \u201ctdragon6.\u201d This finding prompted us to map and track the threat actor infrastructure behind these exploits.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Mapping the Campaign: Uncovering the Chaya_004 Infrastructure<\/h2>\n<p>On the same IP address hosting Supershell (47.97.42[.]177), we also identified several other open ports, including 3232\/HTTP using an anomalous self-signed certificate impersonating Cloudflare with the following properties: <code>Subject DN: C=US<\/code>, <code>O=Cloudflare, Inc<\/code>, <code>CN=:3232<\/code>.<\/p>\n<p>Using Censys, we identified 114 IP addresses across 20 ASNs and 8 countries that shared the same uncommon CN on their certificates. Using FOFA, we saw 464 additional IP addresses across 17 ASNs and 19 countries with the same property. The ASNs with the most IP addresses were all based in China:<\/p>\n<ul>\n<li>ALIBABA-CN-NET (Hangzhou Alibaba Advertising Co.,Ltd.)<\/li>\n<li>TENCENT-NET-AP (Shenzhen Tencent Computer Systems Company Limited)<\/li>\n<li>HWCSNET (Huawei Cloud Service data center)<\/li>\n<li>CHINA169-BACKBONE (CHINA UNICOM China169 Backbone)<\/li>\n<\/ul>\n<p>Other ASNs were mainly located in the US, Singapore and Japan with limited presence in several other countries.<\/p>\n<p>787 of those IP addresses had port 3232 open, which matched the unusual CN value in the certificates and provided strong evidence of campaign consistency. 
Other commonly open ports included 443 (51 instances), 2096 (12 instances), 22 (9 instances), 3333 (6 instances) and 2222 (6 instances).<\/p>\n<p>After mapping the infrastructure, we explored accessible web interfaces to identify deployed tools and found the following:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/ehang-io\/nps\" target=\"_blank\" rel=\"noopener\">NPS<\/a>: Chinese-language GitHub repository for a &#8220;lightweight, high-performance, powerful intranet penetration proxy server&#8221;<\/li>\n<li><a href=\"https:\/\/github.com\/tdragon6\/Supershell\" target=\"_blank\" rel=\"noopener\">SuperShell<\/a>: Primary backdoor\/management interface<\/li>\n<li><a href=\"https:\/\/www.softether.org\/\" target=\"_blank\" rel=\"noopener\">SoftEther VPN<\/a>: VPN client used for secure communications with compromised infrastructure on 45.94.43[.]41<\/li>\n<li>NHAS: Penetration testing toolkit<\/li>\n<li>Cobalt Strike: Commercial red team tool<\/li>\n<li><a href=\"https:\/\/github.com\/TophantTechnology\/ARL-doc\" target=\"_blank\" rel=\"noopener\">Asset Reconnaissance Lighthouse<\/a> (ARL): Chinese-language GitHub repository for an asset discovery framework<\/li>\n<li><a href=\"https:\/\/github.com\/jweny\/pocassist\" target=\"_blank\" rel=\"noopener\">Pocassist<\/a>: Chinese-language GitHub repository for a vulnerability scanning utility<\/li>\n<li><a href=\"https:\/\/github.com\/ciscocsirt\/GOSINT\" target=\"_blank\" rel=\"noopener\">Gosint<\/a>: Intelligence gathering framework<\/li>\n<li><a href=\"https:\/\/github.com\/ginuerzh\/gost\" target=\"_blank\" rel=\"noopener\">GO Simple Tunnel<\/a>: Chinese-language GitHub repository for a \u201csimple tunnel written in Go\u201d<\/li>\n<\/ul>\n<p>The use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China, which we dubbed Chaya_004. 
Pivoting off the identified infrastructure led to additional findings related to Chaya_004:<\/p>\n<ul>\n<li>IP address 49.232.93[.]226, which historically distributed malware samples, including <code>svchosts.exe<\/code> (<code>f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779<\/code>). This sample has a <a href=\"https:\/\/tria.ge\/250428-vekxsssygt\" target=\"_blank\" rel=\"noopener\">Triage watermark<\/a>. The same watermark was found in 28 IPs, mainly in China, possibly connected to previously observed activity. This sample used the domain http:\/\/search-email[.]com:443\/ServiceLogin\/_\/kids\/signup\/eligible for C2 communication.<\/li>\n<li>An automated penetration testing tool hosted at http:\/\/8.210.65[.]56:5000\/ with the following platform capabilities:\n<ul>\n<li>Asset reconnaissance modules (Hunter, Fofa, Quake, SecurityTrails, Subfinder)<\/li>\n<li>Vulnerability scanning modules (Lighthouse, Xray proxy, AWVS)<\/li>\n<li>Task orchestration and reporting capabilities<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Mitigation Recommendations and Forescout Response<\/h2>\n<p>To defend against CVE-2025-31324:<\/p>\n<ol>\n<li><strong>Apply SAP Patches Immediately<\/strong> \u2013 SAP released fixes in the April 2025 Patch Day. 
Ensure you apply the appropriate security notes for NetWeaver AS Java versions 7.50\u20137.52.<\/li>\n<li><strong>Restrict Access to Metadata Uploader Services<\/strong> \u2013 Limit exposure of the \/developmentserver\/metadatauploader endpoints using firewall policies or SAP Web Dispatcher. Internal access should be restricted to authorized administrators.<\/li>\n<li><strong>Disable Unused Web Services<\/strong> \u2013 If the Visual Composer service is non-essential, consider disabling it entirely.<\/li>\n<li><strong>Monitor for Anomalies<\/strong> \u2013 Deploy real-time monitoring for abnormal access or changes to service entries, especially outside of maintenance windows.<\/li>\n<li><strong>Conduct Regular Security Assessments<\/strong> \u2013 Ensure SAP NetWeaver endpoints are included in routine penetration testing and vulnerability scans.<\/li>\n<\/ol>\n<p>Beyond uncovering malicious infrastructure, Forescout\u2019s rapid threat research, detection engineering and collaboration with industry partners enabled a timely and effective response to CVE-2025-31324. 
As exploitation continues in the wild, we strongly urge all organizations running affected SAP versions to take immediate action.<\/p>\n<p>Forescout rapidly deployed countermeasures across its product portfolio to help customers detect, respond to, and mitigate this threat:<\/p>\n<ul>\n<li><strong>OT\/eyeInspect: <\/strong><em>Forescout\u2019s deep packet inspection and protocol analysis platform for OT and IoT networks.<\/em><\/li>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>Development of detection logic<\/strong> for suspicious file uploads and malicious JSP web shell execution targeting SAP NetWeaver Visual Composer.<\/li>\n<li><strong>Integration of threat intelligence and IoCs<\/strong> from Vedere Labs, Onapsis, Red Canary, and Crowdsec to enrich detection capabilities.<\/li>\n<li><strong>Continuous CVE DB enrichment<\/strong>, enabling OT\/eyeInspect to flag vulnerable SAP assets and correlate them with anomalous behaviors.<\/li>\n<\/ul>\n<\/li>\n<li><strong>eyeFocus: <\/strong><em>Forescout\u2019s asset intelligence and vulnerability contextualization engine, providing global risk visibility across the enterprise.<\/em>\n<ul>\n<li><strong>Aggregation of threat intelligence and IoCs<\/strong> related to CVE-2025-31324 from Vedere Labs and partner sources, improving risk scoring of affected systems.<\/li>\n<li><strong>Integration of the CVE database<\/strong>, enabling visibility into which SAP systems are exposed and prioritizing patching efforts based on business context.<\/li>\n<\/ul>\n<\/li>\n<li><strong>eyeAlert: <\/strong><em>Forescout\u2019s real-time alerting and automation platform for security <\/em><em>operations.<\/em>\n<ul>\n<li><strong>Implementation of eyeAlert rules<\/strong> designed to detect CVE-2025-31324 exploitation attempts, such as anomalous POST requests to known vulnerable endpoints.<\/li>\n<li><strong>Alert correlation with threat intelligence<\/strong> to provide contextual alerts tied to observed attack behaviors 
(e.g., webshell activity, outbound curl connections).<\/li>\n<li><strong>Flexible response actions<\/strong> can be triggered, including segmentation, notifications, and integrations with SIEM\/SOAR platforms.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This layered response across Forescout products ensures that both visibility and response capabilities are tightly aligned, giving customers a defense-in-depth approach to this vulnerability.<\/p>\n<p>&nbsp;<\/p>\n<h2>IoCs and Other Threat Intelligence Sources<\/h2>\n<p>The indicators of compromise (IoCs) below are available on the Forescout Vedere Labs <a href=\"https:\/\/forescout.vederelabs.com\/register\" target=\"_blank\" rel=\"noopener\">threat feed<\/a>.<\/p>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\">\n<table>\n<tbody>\n<tr>\n<th>IoC<\/th>\n<th>Description<\/th>\n<\/tr>\n<tr>\n<td>47.97.42[.]177 (Initial SuperShell host)<br \/>\n49.232.93[.]226 (malware distribution node)<br \/>\n8.210.65[.]56 (automated pentest platform)<br \/>\nsearch-email[.]com (C2 domain)<br \/>\n888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef (config ELF binary)<br \/>\nf1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779 (svchosts.exe)<br \/>\nSubject DN: C=US, O=Cloudflare, Inc, CN=:3232<\/td>\n<td>Chaya_004 infrastructure<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Other threat intelligence sources for CVE-2025-31324 include:<\/p>\n<ul>\n<li><strong>PoC exploit<\/strong> released publicly: <a href=\"https:\/\/github.com\/ODST-Forge\/CVE-2025-31324_PoC\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/ODST-Forge\/CVE-2025-31324_PoC<\/a><\/li>\n<li><strong>Exploitation analysis:<\/strong> <a href=\"https:\/\/www.rapid7.com\/blog\" target=\"_blank\" rel=\"noopener\">Rapid7 Blog on CVE-2025-31324<\/a><\/li>\n<li><strong>Detection rule (YARA):<\/strong> <a href=\"https:\/\/onapsis.com\/blog\/active-exploitation-of-sap-vulnerability-cve-2025-31324\/#h-open-source-scanner-for-cve-2025-31324\" target=\"_blank\" rel=\"noopener\">Onapsis YARA Rule<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild. <\/p>\n","protected":false},"author":181,"featured_media":105967,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[540],"tags":[],"coauthors":[748,508,542],"class_list":["post-105944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-and-cyber-alerts"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat Actor<\/title>\n<meta name=\"description\" content=\"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat Actor\" \/>\n<meta property=\"og:description\" content=\"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T04:15:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-08T11:19:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Sai Molige, Luca Barba, Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\"},\"author\":{\"name\":\"Sai Molige\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\"},\"headline\":\"Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor\",\"datePublished\":\"2025-05-08T04:15:36+00:00\",\"dateModified\":\"2025-05-08T11:19:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\"},\"wordCount\":1746,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp\",\"articleSection\":[\"Research &amp; Cyber Alerts\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\",\"name\":\"Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat 
Actor\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp\",\"datePublished\":\"2025-05-08T04:15:36+00:00\",\"dateModified\":\"2025-05-08T11:19:34+00:00\",\"description\":\"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp\",\"width\":1200,\"height\":628},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat 
Actor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\",\"name\":\"Sai 
Molige\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"caption\":\"Sai Molige\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat Actor","description":"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/","og_locale":"en_US","og_type":"article","og_title":"Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat Actor","og_description":"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.","og_url":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/","og_site_name":"Forescout","article_publisher":"https:\/\/www.facebook.com\/ForescoutTechnologies","article_published_time":"2025-05-08T04:15:36+00:00","article_modified_time":"2025-05-08T11:19:34+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","type":"image\/webp"}],"author":"Sai Molige, Luca Barba, Forescout Research - Vedere Labs","twitter_card":"summary_large_image","twitter_creator":"@Forescout","twitter_site":"@Forescout","twitter_misc":{"Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#article","isPartOf":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/"},"author":{"name":"Sai Molige","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9"},"headline":"Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor","datePublished":"2025-05-08T04:15:36+00:00","dateModified":"2025-05-08T11:19:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/"},"wordCount":1746,"publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","articleSection":["Research &amp; Cyber Alerts"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/","url":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/","name":"Threat Analysis: SAP Vulnerability in the Wild by Chinese Threat 
Actor","isPartOf":{"@id":"https:\/\/www.forescout.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","datePublished":"2025-05-08T04:15:36+00:00","dateModified":"2025-05-08T11:19:34+00:00","description":"Forescout\u2019s Vedere Labs research and threat hunting team analyzes SAP vulnerability (CVE-2025-31324) in the wild.","breadcrumb":{"@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#primaryimage","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/www.forescout.com\/blog\/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.forescout.com\/"},{"@type":"ListItem","position":2,"name":"Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat 
Actor"}]},{"@type":"WebSite","@id":"https:\/\/www.forescout.com\/#website","url":"https:\/\/www.forescout.com\/","name":"Forescout","description":"","publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.forescout.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.forescout.com\/#organization","name":"Forescout Technologies, Inc.","url":"https:\/\/www.forescout.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","width":1,"height":1,"caption":"Forescout Technologies, Inc."},"image":{"@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ForescoutTechnologies","https:\/\/x.com\/Forescout","https:\/\/www.instagram.com\/forescouttechnologies\/","https:\/\/www.linkedin.com\/company\/forescout-technologies","https:\/\/www.youtube.com\/user\/forescout1"]},{"@type":"Person","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9","name":"Sai Molige","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76","url":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","caption":"Sai 
Molige"}}]}},"featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/05\/Blog-SAP-Vuln-feature-V1-070525.webp","is_file":false,"excerpt_manually_set":true,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/105944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/181"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=105944"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/105944\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media\/105967"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=105944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=105944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=105944"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=105944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}