China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures in UK, U.S., and Saudi Arabia (blog.eclecticiq.com)
from Hotznplotzn@lemmy.sdf.org to cybersecurity@sh.itjust.works on 14 May 13:49
https://lemmy.sdf.org/post/34536054


China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures, according to research.

In April 2025, China-nexus nation-state APTs (advanced persistent threats) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 […], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems.

[…]

EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221 […], UNC5174 […], and CL-STA-0048 […] based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers assess that these groups connect to China’s Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.

[…]

Targets of the campaign were

[…]

#cybersecurity
