Chinese Hackers Exploit SAP Flaw to Deploy SuperShell
A Chinese state-linked threat actor identified as Chaya_004 has been observed exploiting a critical remote code execution vulnerability in SAP NetWeaver, researchers at Forescout Vedere Labs said in a report released Tuesday. The flaw, tracked as CVE-2025-31324, carries a maximum CVSS severity score of 10.0 and has been under active exploitation since April 29, 2025.
The group is reportedly using the vulnerability to deploy SuperShell, a custom backdoor built in Golang. The campaign relies on malicious infrastructure that analysts believe is tied to the advanced persistent threat group. The exploit allows attackers to gain unauthorized access to SAP systems, potentially enabling data theft or system manipulation.
SAP NetWeaver is a widely used enterprise application platform, and the exploitation of such a high-severity flaw raises concerns over the security of critical business operations. Organizations using the platform are advised to apply patches and strengthen monitoring for signs of compromise.
