Chinese APTs Continue Exploitation of SAP NetWeaver Vulnerabilities
Chinese state-linked Advanced Persistent Threat (APT) groups have reportedly continued their aggressive exploitation of two critical SAP NetWeaver vulnerabilities, CVE-2025-31324 and CVE-2025-42999, into mid-May. Both affect the SAP NetWeaver Visual Composer component. CVE-2025-31324 (SAP Security Note 3594142, published out of band on 24 April 2025) is a missing authorization check in the Visual Composer Metadata Uploader: an unauthenticated attacker can POST arbitrary files to the `/developmentserver/metadatauploader` endpoint, including JSP web shells that the portal then executes. CVE-2025-42999 (Security Note 3604119, May 2025 Patch Day) is an insecure deserialization flaw in the same component that can be chained with the first to obtain code execution. Together they let attackers gain unauthorized access, execute arbitrary commands as the SAP service account, and deploy persistent backdoors on enterprise systems.
Security researchers have confirmed that a second wave of exploitation remains active across hundreds of systems worldwide, including in the energy, telecommunications, finance, and manufacturing sectors. These attacks are not isolated incidents but form part of a targeted cyberespionage campaign attributed to Chinese nation-state actors, who are using the vulnerabilities to gain a foothold in strategic infrastructure and harvest sensitive data from corporate networks.
Persistent Access Through Sophisticated Tooling
The attackers are using uploaded web shells for command-and-control operations and deploying frameworks such as Brute Ratel C4, a commercial adversary-emulation and post-exploitation framework originally marketed to red teams. Its appearance in these campaigns is a strong indicator that the attackers intend to evade endpoint detection and maintain long-term persistence within compromised environments.
These tools enable the adversaries to exfiltrate credentials, move laterally across networks, and establish multiple redundant access points. The use of such techniques suggests that the campaign is designed not only for opportunistic data theft but for deep, ongoing espionage efforts aligned with geopolitical objectives.
Impact and Geopolitical Implications
The choice of SAP systems as targets reflects the attackers’ intent to disrupt or gather intelligence from mission-critical enterprise platforms. SAP NetWeaver is widely used across major industries for enterprise resource planning (ERP), and a compromise of these systems can have broad operational, financial, and reputational consequences.
Though Chinese APTs have long been associated with industrial and political espionage, this renewed focus on exploiting high-impact SAP vulnerabilities indicates a shift toward exploiting systemic weaknesses in global digital infrastructure. Experts believe this campaign may be part of a broader effort to create an intelligence advantage in strategic sectors as global tensions continue to rise.
Mitigation and Recommendations
Organizations using SAP NetWeaver are strongly urged to take immediate action by:
- Applying SAP Security Note 3594142 (CVE-2025-31324) and Security Note 3604119 (CVE-2025-42999). Where patching must wait, apply SAP's published workaround: disable the Visual Composer `developmentserver` alias if the component is unused, or restrict access to `/developmentserver/metadatauploader` at the ICM or a reverse proxy.
- Treating patching as containment, not remediation: a system exploited before the patch was applied still carries its web shells. Check the portal's servlet_jsp root (typically `/usr/sap/<SID>/J<nn>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/`) for JSP files that are not part of the stock deployment, and review ICM/HTTP access logs for requests to the metadata uploader and for JSPs invoked directly under `/irj/`.
- Monitoring for other indicators of compromise (IoCs) such as Brute Ratel C4 beacon signatures and unexpected child processes of the SAP Java server.
- Conducting thorough threat hunting in SAP environments, including a review of access logs and newly created OS and SAP user accounts for anomalies.
- Isolating and segmenting critical ERP infrastructure from external-facing services, and in particular not exposing the NetWeaver Java portal directly to the internet, to reduce exposure.
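The following script, an added example and not code from the original article or from SAP, implements the two hunting checks above: it scans access log lines for hits on the Visual Composer metadata uploader and for JSPs called directly under `/irj/`, and it diffs the JSP files in a servlet_jsp root against a known-good baseline. The log lines and files are constructed for the example; the CLF-like log format, the empty `allow_irj_jsp` set and the baseline contents are assumptions to adjust to your own ICM `LOGFORMAT` and deployment.

```python
"""Hunt for CVE-2025-31324 exploitation traces on an SAP NetWeaver Java host.

Two checks:
  1. HTTP access log lines that hit the Visual Composer metadata uploader
     (the unauthenticated upload endpoint) or invoke a JSP directly under /irj/
     (how a dropped web shell gets called).
  2. JSP files in the portal servlet_jsp root that are not in a known-good
     baseline (where the uploaded web shells land).
Sample log lines and files are constructed; the log format is assumed to be
CLF-like, so adapt LOG_RE to the LOGFORMAT configured in icm/HTTP/logging_<n>.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

UPLOADER_PATH = "/developmentserver/metadatauploader"

# CLF-style: host ident user [time] "METHOD target proto" status bytes (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# A JSP requested directly under /irj/ (e.g. /irj/anything.jsp). Stock portal
# traffic goes to /irj/portal and /irj/servlet/..., not to loose JSPs at this level.
IRJ_JSP_RE = re.compile(r"^/irj/[^/]+\.jsp$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    ip: str
    ts: str
    method: str
    path: str
    status: int


def classify(method: str, path: str, status: int):
    """Return (severity, reason) for one normalized request path, or None."""
    if path == UPLOADER_PATH:
        if method in ("POST", "PUT"):
            if 200 <= status < 300:
                return "high", "upload to Visual Composer metadata uploader succeeded"
            return "medium", f"upload attempt to metadata uploader answered {status}"
        return "medium", "probe of metadata uploader (a 200 on GET means it is reachable)"
    if IRJ_JSP_RE.match(path):
        return "high", "direct JSP invocation under /irj/ (web shell access pattern)"
    return None


def scan_access_log(lines, allow_irj_jsp=frozenset()):
    """Scan CLF-like access log lines. allow_irj_jsp lists /irj/*.jsp paths your
    deployment legitimately serves (assumption: none for a stock portal)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production count these rather than drop them
        # strip the query string and normalize case so /IRJ/X.JSP?cmd=... still matches
        path = m["target"].split("?", 1)[0].lower().rstrip("/")
        if path in allow_irj_jsp:
            continue
        hit = classify(m["method"], path, int(m["status"]))
        if hit:
            findings.append(Finding(hit[0], hit[1], m["ip"], m["ts"],
                                    m["method"], path, int(m["status"])))
    return findings


def find_unexpected_jsp(root, baseline):
    """List .jsp/.java files under root (the irj servlet_jsp root, typically
    /usr/sap/<SID>/J<nn>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root)
    whose path relative to root is not in baseline, a set captured from a
    known-good system at the same patch level (assumption)."""
    root = Path(root)
    present = [p.relative_to(root).as_posix() for p in root.rglob("*")
               if p.is_file() and p.suffix.lower() in {".jsp", ".java"}]
    return sorted(rel for rel in present if rel not in baseline)


# Constructed sample: one recon GET, one successful upload, one web shell call,
# one benign portal hit, and one upload attempt that was blocked with 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2025:10:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1345',
    '203.0.113.7 - - [20/May/2025:10:14:05 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0',
    '203.0.113.7 - - [20/May/2025:10:14:09 +0000] "GET /irj/test.jsp?cmd=whoami HTTP/1.1" 200 412',
    '198.51.100.9 - - [20/May/2025:10:15:11 +0000] "GET /irj/portal HTTP/1.1" 200 9320',
    '198.51.100.9 - - [20/May/2025:10:16:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 404 0',
]


def demo_filesystem_check():
    """Build a throwaway servlet_jsp root (constructed) and diff it against a baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text("<%-- stock file, in baseline --%>")
        (root / "work").mkdir()
        (root / "work" / "cache.jsp").write_text("<%-- not in baseline: investigate --%>")
        return find_unexpected_jsp(root, baseline={"index.jsp"})


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    print("unexpected JSP files:", demo_filesystem_check())
```

Run it against real data by feeding the ICM access log lines to `scan_access_log` and pointing `find_unexpected_jsp` at the live servlet_jsp root with a baseline taken from a clean system at the same patch level. A 404 on a POST to the uploader is still worth recording: it shows someone is probing the host even if the component is absent or the endpoint is already blocked.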
As this campaign evolves, coordinated global defense strategies and timely vulnerability management are essential to mitigating the threat posed by sophisticated state-linked cyber adversaries.