Full Report
A newly disclosed critical SAP NetWeaver vulnerability, tracked as CVE-2025-31324, an unauthenticated file upload flaw that allows remote code execution (RCE), is being actively exploited by several China-linked nation-state groups to attack critical infrastructure systems. Defenders attribute the observed intrusions to Chinese cyber-espionage groups, which are likely linked to China's Ministry of State Security (MSS) or its […] The post Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure appeared first on SOC Prime.
Analysis Summary
This summary is based on the limited, albeit contextually rich, information available on this page regarding CVE-2025-31324, supplemented only where the report's own description (unauthenticated upload leading to RCE) fixes the value.
# Vulnerability: Active Exploitation of SAP Component by China-Nexus APT Groups
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical) in SAP's advisory; the severity follows directly from an unauthenticated, network-reachable upload that yields RCE, and is reinforced by the active targeting of critical infrastructure.
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type), matching the unauthenticated file upload described in the report.
## Affected Systems
- Products: SAP NetWeaver AS Java, specifically the Visual Composer Metadata Uploader (VCFRAMEWORK 7.50), as identified by the component references below.
- Versions: The page does not list individual version numbers; consult SAP's security note for the affected support packages.
- Configurations: Systems with the development-server component `sap.com/devserver_metadataupload_ear` deployed, which exposes the `/developmentserver/metadatauploader` servlet.
## Vulnerability Description
The endpoint `/developmentserver/metadatauploader`, exposed by the component `sap.com/devserver_metadataupload_ear`, accepts file uploads without authentication. An attacker who can reach it over the network can upload arbitrary files to the application server and thereby obtain remote code execution. The flaw is being actively exploited by Chinese APT groups, with observed intrusions concentrated on critical infrastructure operators.
## Exploitation
- Status: Exploited in the wild (Targeted by China-Nexus Adversaries).
- Complexity: Low. The report describes an unauthenticated upload, so no credentials, prior access, or user interaction are needed; the only precondition is network reachability of the endpoint.
- Attack Vector: Network (remote exploitation of an exposed HTTP servlet).
## Impact
- Confidentiality: High. Unauthenticated RCE on the application server exposes everything the SAP Java stack can read, including backend connections.
- Integrity: High. Arbitrary file upload and code execution allow modification of application data and of the server itself.
- Availability: High. The attacker can disrupt or destroy the instance, which in critical infrastructure contexts may cascade into operational outages.
## Remediation
### Patches
- Apply the SAP Security Note for CVE-2025-31324 (SAP Note 3594142 delivers the fix); **SAP Note #3593336**, cited on this page, documents the workarounds below for systems that cannot be patched immediately.
### Workarounds
1. **Remove Component:** The vendor recommends undeploying `sap.com/devserver_metadataupload_ear`. This is the most robust workaround, because the vulnerable servlet then no longer exists; afterwards, confirm that `/developmentserver/metadatauploader` returns 404.
2. **Access Restriction:** If the component must stay, limit access to `/developmentserver/metadatauploader` to the internal IP ranges that genuinely need it (development workstations), and require authentication in front of it, for example at the SAP Web Dispatcher or reverse proxy.
3. **Network Blocking:** Block all remaining unauthenticated or public network access to this endpoint with WAF or firewall rules, and verify the block from an external vantage point rather than trusting the rule's presence.
## Detection
- **Indicators of Compromise (IOCs):** Any request to `/developmentserver/metadatauploader` from outside the expected internal ranges, and in particular POST requests (uploads) answered with HTTP 200, should be treated as a likely exploitation attempt. Because the endpoint is unauthenticated, a single successful upload is sufficient for compromise, so even one hit warrants a full investigation of the host.
- **Detection Methods and Tools:** Review ICM, Web Dispatcher, reverse-proxy and WAF access logs for traffic to the affected component, normalising paths before matching so that percent-encoded or `./`-padded variants are not missed. Deploy detection rules and threat intelligence tailored to the component, alert on any access from unexpected external sources, and hunt proactively: active targeting means the absence of an alert is not evidence of absence of compromise.
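The following hunting script is an added example and is not SOC Prime's or SAP's own tooling. It implements both the access-restriction workaround's allow-list logic (workaround item 2 above) and the log-based detection described in this section: every request whose normalised path is `/developmentserver/metadatauploader` is checked against a set of allow-listed internal CIDRs and against the HTTP method, so that external probes and any upload attempt (POST) are surfaced. The CIDR ranges, the Apache/nginx "combined"-style log format, and the sample log lines are all constructed assumptions for the demonstration; real SAP ICM logs use a different field layout and the regular expression must be adapted to it.

```python
"""Hunt access logs for CVE-2025-31324 exploitation attempts (added example)."""
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

TARGET_PATH = "/developmentserver/metadatauploader"

# Assumption: the only networks that may legitimately reach the uploader.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: combined-style access log (as produced by a reverse proxy or WAF
# in front of SAP); only the fields needed for the hunt are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines: one external upload, one benign request, one
# internal read, one percent-encoded external probe, one internal upload via a
# dot-segment path, and one junk line that the parser must ignore.
SAMPLE_LOG = """\
203.0.113.45 - - [25/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 1337
203.0.113.45 - - [25/Apr/2025:03:14:09 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.20.30.40 - - [25/Apr/2025:08:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 412
198.51.100.7 - - [25/Apr/2025:09:45:12 +0000] "GET /developmentserver/%6detadatauploader HTTP/1.1" 404 0
10.20.30.41 - - [25/Apr/2025:10:00:00 +0000] "POST /developmentserver/./metadatauploader/ HTTP/1.1" 200 2048
this line is not an access log record
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    reason: str


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse '.'/'..' segments and
    trailing slashes so obfuscated requests still compare equal to TARGET_PATH."""
    raw = target.split("?", 1)[0]
    return posixpath.normpath(unquote(raw)).lower()


def is_internal(ip: str, internal_nets=INTERNAL_NETS) -> bool:
    """True if the client address falls inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in internal_nets)


def hunt(lines, internal_nets=INTERNAL_NETS) -> list[Finding]:
    """Return one Finding per request to the uploader that is either from
    outside the allow-list or is an upload attempt (POST) from anywhere."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a parsable access record
        if normalize_path(m["target"]) != TARGET_PATH:
            continue  # unrelated endpoint
        reasons = []
        if not is_internal(m["ip"], internal_nets):
            reasons.append("source outside allow-listed ranges")
        if m["method"] == "POST":
            reasons.append("POST to uploader (possible file upload)")
        if reasons:
            findings.append(
                Finding(m["ip"], m["ts"], m["method"], int(m["status"]), "; ".join(reasons))
            )
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per client address to prioritise triage."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.ip} {f.method} -> {f.status}: {f.reason}")
    print(summarize(results))
```

Run it against real logs with `hunt(open(path))`. Two design points matter in practice: the path is normalised before comparison, so a `%6d` or `/./` variant cannot slip past a literal string match, and internal POSTs are still reported, because the component should not be receiving uploads at all once the vendor workaround is applied. Any HTTP 200 on a POST finding should be escalated to a host-level investigation rather than closed as a blocked probe.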
## References
- SAP Note #3593336 (workarounds) and SAP Security Note 3594142 (fix for CVE-2025-31324)
- SOC Prime Blog (Defanged): hxxps://socprime.com/blog/detect-chinese-attacks-exploiting-cve-2025-31324/