A China-linked threat actor known as Chaya_004 is exploiting a critical vulnerability in SAP NetWeaver, identified as CVE-2025-31324, which allows for remote code execution via a specific endpoint. Forescout Vedere Labs reported that since April 29, 2025, this flaw has led to attacks on numerous SAP systems worldwide across various industries, with the first signs of exploitation noted back in January. Recent activities show multiple threat actors taking advantage of this vulnerability to deploy web shells and mine cryptocurrency.
