Chinese hackers behind attacks targeting SAP NetWeaver servers

Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. SAP released an out-of-band emergency patch on April 24 to address this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the vulnerability being targeted in attacks. Successful exploitation enables unauthenticated attackers to upload malicious files without logging in, allowing them to gain remote code execution and potentially leading to complete system compromise. ReliaQuest reported that multiple customers' systems were breached through unauthorized file uploads on SAP NetWeaver, with the threat actors uploading JSP web shells to public directories, as well as the Brute Ratel red team tool in the post-exploitation phase of their attacks. The compromised SAP NetWeaver servers were fully patched, i ... Read full article.