China-Nexus SAP NetWeaver exploitation campaigns are actively targeting global critical infrastructure by leveraging CVE-2025-31324, a critical (CVSS 10.0) unauthenticated file-upload vulnerability in the Visual Composer component of SAP NetWeaver AS Java. The campaigns have drawn urgent attention across threat intelligence circles because of their precision, stealth, and alignment with state-level strategic interests.
Overview of the CVE-2025-31324 Vulnerability
CVE-2025-31324 is a missing authorization check in the Metadata Uploader of SAP NetWeaver Visual Composer, which runs on SAP NetWeaver Application Server (AS) Java. The uploader endpoint, /developmentserver/metadatauploader, accepts file uploads from callers that present no SAP user or session at all. An attacker can therefore write arbitrary content, typically a JSP web shell, into a directory that the AS Java HTTP server serves, then request that file to execute commands with the privileges of the SAP Java server process (normally the <sid>adm service account). The page's earlier framing of this as a P4 deserialization bug was incorrect: no serialized object stream is involved, and the attack surface is the ordinary HTTP port.
CVSS Score: 10.0 (Critical)
Affected Versions:
- SAP NetWeaver Visual Composer Framework (VCFRAMEWORK) 7.50, on any AS Java system where the component is deployed
- SAP Business Suite, Portal and other landscapes built on NetWeaver AS Java that carry the component
Exploitation Method:
- A crafted multipart HTTP POST to /developmentserver/metadatauploader on the AS Java HTTP port (5<NN>00 by default, e.g. 50000 for instance 00, or the HTTPS port of a reverse proxy publishing the portal)
- The uploaded JSP lands under the irj application's web root and is then fetched directly over HTTP, which runs it server-side
- No authentication is bypassed because none is required: the endpoint performs no authorization check on unpatched systems
China-Nexus Nation-State Actor Tactics
The attack pattern reflects hallmarks of China-aligned APT groups:
- Use of custom backdoors and encrypted payload delivery.
- Beaconing through compromised cloud infrastructure and edge routers.
- Spear-phishing and supply chain compromise for initial access.
TTPs aligned to MITRE ATT&CK:
- Initial Access: T1190 (Exploit Public-Facing Application)
- Persistence: T1505.003 (Server Software Component: Web Shell), T1543.003 (Create or Modify System Process: Windows Service)
- Execution: T1059 (Command and Scripting Interpreter), with OS commands spawned from the Java server process by the uploaded web shell
- C2: T1071.001 (Application Layer Protocol: Web Protocols)
Attack Chain and Exploitation Process
- Reconnaissance:
  - Scans for internet-exposed SAP NetWeaver AS Java instances (the 5<NN>00 HTTP ports, or portals published behind HTTPS reverse proxies).
  - Cross-checks candidate hosts against SAP fingerprints in internet-wide search tools, then sends an unauthenticated GET to /developmentserver/metadatauploader to confirm the component is present and reachable.
- Exploit Deployment:
  - A crafted multipart POST to /developmentserver/metadatauploader writes a JSP web shell into the irj web root.
  - No authentication is needed if the endpoint is reachable and the SAP note has not been applied.
- Post-Exploitation:
  - The web shell runs OS commands as the SAP Java service account and drops a lightweight modular loader (written in Go or C++).
  - Establishes outbound TLS tunnels to obfuscated command-and-control (C2) endpoints.
- Lateral Movement:
  - Leverages compromised SAP credentials and scheduled jobs to pivot within ERP environments.
  - Attempts to access SCADA, OT, and ICS systems co-located on flat network segments.
Targeted Sectors and Impacts
The campaign is currently focused on:
- Energy & Utilities (SCADA/ICS integration with SAP for asset management)
- Transportation (ERP systems tied to logistics and port operations)
- Public Sector (Smart city and e-government platforms)
Observed Impacts:
- Data exfiltration of confidential project blueprints.
- Supply chain manipulation via tampering of procurement modules.
- Denial-of-Service (DoS) threats via corruption of internal job schedulers.
Detection Techniques and Indicators
Network-Level Detections (Suricata syntax; the uploader endpoint should never be reachable from untrusted networks, so any request to it is worth an alert, and POSTs are the actual upload):
alert http any any -> $HOME_NET any (msg:"SAP NetWeaver Visual Composer Metadata Uploader request - CVE-2025-31324"; flow:established,to_server; http.uri; content:"/developmentserver/metadatauploader"; nocase; reference:cve,2025-31324; classtype:web-application-attack; sid:900001; rev:2;)
Pair this with a second rule restricted to http.method POST so that probes and uploads are scored differently, and with a rule on GET requests for .jsp files under /irj/ that are not part of the deployed application set.
System/Process Observables:
- Suspicious child processes of the SAP Java server process (jstart.exe on Windows, jstart on Linux): cmd.exe, powershell.exe, sh, curl or similar spawned directly beneath it.
- New or modified .jsp files under j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ (including its work/ subdirectories) that were not deployed through SAP change management.
- Unusual Java stack traces in defaultTrace.* logs.
- Repeated access to /irj/portal without session creation.
Known IOCs:
- IP: 45.66.152.112 (C2)
- File hash: d83e3a84754bc4bfc0ffccd27bda94a7 (loader variant)
- Domain: sapportal-update[.]com
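The detection logic above, as an added example that is not part of the original article: it parses web-server access log lines for the probe / upload / web-shell-call sequence against /developmentserver/metadatauploader, and scans an irj web root for JSP files whose source executes OS commands. The Common Log Format, the operator-maintained JSP allowlist, the sample log lines and the on-disk files are all constructed here so the script runs offline; real SAP ICM logs use a configurable format, so the regular expression is an assumption to adapt.

```python
"""Hunting for CVE-2025-31324 exploitation in access logs and on disk.
Added example, not code from the article. All inputs below are constructed."""
import os
import re
import tempfile

UPLOADER = "/developmentserver/metadatauploader"
IRJ_PREFIX = "/irj/"

# Assumed Common Log Format: ip - user [ts] "METHOD path HTTP/x" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# JSP source constructs that run OS commands: the signature of a web shell.
SHELL_PATTERNS = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")


def parse_clf(line):
    """Return the log record as a dict, or None if the line does not parse."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def analyse_log(lines, known_jsps):
    """Return (rule, ip, path) findings, in log order.

    Rules: metadatauploader-probe (any non-POST hit), metadatauploader-post
    (the upload itself), unknown-jsp-request (a .jsp under /irj/ that is not
    on the allowlist) and exploit-chain (unknown JSP requested by an IP that
    already POSTed to the uploader)."""
    findings = []
    uploaders = set()  # source IPs that have POSTed to the uploader so far
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path == UPLOADER:
            if rec["method"] == "POST":
                findings.append(("metadatauploader-post", rec["ip"], path))
                uploaders.add(rec["ip"])
            else:
                findings.append(("metadatauploader-probe", rec["ip"], path))
        elif path.startswith(IRJ_PREFIX) and path.endswith(".jsp") \
                and path not in known_jsps:
            findings.append(("unknown-jsp-request", rec["ip"], path))
            if rec["ip"] in uploaders:
                findings.append(("exploit-chain", rec["ip"], path))
    return findings


def scan_jsp_root(root):
    """Return relative paths of .jsp files under root that look like web shells."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                if SHELL_PATTERNS.search(fh.read()):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


# Constructed sample: normal portal traffic plus one attacker (203.0.113.7)
# probing, uploading, then calling the dropped helper.jsp.
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [01/May/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/May/2025:09:15:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/May/2025:09:15:45 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/May/2025:09:15:49 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 37',
    '10.0.0.9 - asmith [01/May/2025:09:20:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 9000',
]
KNOWN_JSPS = set()  # hypothetical operator-maintained allowlist of deployed JSPs


def build_demo_root():
    """Create a constructed irj root with one benign and one malicious JSP."""
    root = tempfile.mkdtemp(prefix="irj_root_")
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write('<%@ page language="java" %><html><body>Portal</body></html>')
    with open(os.path.join(root, "helper.jsp"), "w") as fh:
        fh.write('<% String c = request.getParameter("cmd");'
                 ' Process p = Runtime.getRuntime().exec(c); %>')
    return root


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG, KNOWN_JSPS):
        print("LOG ", finding)
    for hit in scan_jsp_root(build_demo_root()):
        print("DISK", hit)
```

The exploit-chain rule is order-sensitive on purpose: an unknown JSP request that precedes any upload from that IP is still reported, but only as unknown-jsp-request, so a pre-existing shell and a fresh compromise are distinguishable in the output.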
Mitigation and Hardening Recommendations
Immediate Actions:
- Apply SAP Security Note 3594142 for CVE-2025-31324, and the follow-up Note 3604119 for CVE-2025-42999, the related deserialization issue in the same component.
- Until the note is applied, block /developmentserver/metadatauploader at the reverse proxy or in ICM, or undeploy Visual Composer (VCFRAMEWORK) where it is not in use.
- Do not expose the AS Java HTTP port (5<NN>00) directly to the internet; publish only the portal paths you need behind a web application firewall.
- Hunt before and after patching: the note closes the upload path but does not remove a web shell that is already on disk.
Configuration Hardening:
- Require TLS on every SAP HTTP endpoint and restrict administrative protocols (P4/RMI, Telnet, the Visual Administrator ports) to the management network.
- Run the AS Java processes (jstart.exe, jlaunch.exe) under a dedicated service account with no interactive logon and no local administrator rights, so a web shell inherits as little as possible.
- Inspect uploads at the WAF or reverse proxy: reject multipart bodies carrying .jsp, .war or other executable content to any SAP path that is not an approved upload endpoint.
Monitoring:
- Enable SAP Enterprise Threat Detection (ETD) and alert on web-shell behaviour (JSP requests outside the deployed application set, OS command execution from the Java process).
- Integrate NetWeaver logs (ICM HTTP access logs, defaultTrace.*, the security audit log) into the SIEM for anomaly-based correlation.
- Regularly validate checksums of critical binaries (jvm.dll, bootstrp.jar, etc.) and of the irj web root against a known-good baseline, so that a dropped JSP or a tampered jar surfaces as a diff.
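The checksum validation in the last monitoring item, as an added example that is not part of the original article or of any SAP tooling: it snapshots SHA-256 hashes of every file under the directories an operator chooses to watch, stores the baseline as JSON, and reports added, removed and modified files on the next run. The directory tree, the jar bytes and the dropped helper.jsp are constructed in a temporary directory so the script runs offline; in production the baseline must live where the SAP service account cannot write it, otherwise an attacker with the web shell can simply re-baseline.

```python
"""File-integrity baseline for SAP binaries and the irj web root.
Added example, not code from the article. Demo tree is constructed."""
import hashlib
import json
import os
import tempfile

IRJ_ROOT = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"


def sha256_file(path):
    """Stream a file through SHA-256 so large jars do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_demo_tree():
    """Constructed stand-in for an SAP instance: one jar, one benign JSP."""
    root = tempfile.mkdtemp(prefix="sap_fim_")
    _write(root, "exe/bootstrp.jar", b"PK\x03\x04 constructed jar bytes")
    _write(root, IRJ_ROOT + "/index.jsp", b"<%-- constructed benign page --%>")
    return root


def simulate_compromise(root):
    """Drop a web shell into the irj root and tamper with the jar."""
    _write(root, IRJ_ROOT + "/helper.jsp",
           b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    _write(root, "exe/bootstrp.jar", b"PK\x03\x04 tampered jar bytes")


def run_demo():
    """Baseline a clean tree, compromise it, and return the integrity diff."""
    root = build_demo_tree()
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_db_"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)
    simulate_compromise(root)
    return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Re-baseline only after a verified SAP deployment or patch (Note 3594142 itself will change files under exe/ and the deployed applications), and review every "added" entry ending in .jsp by hand before accepting it.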
Conclusion: Strategic Defenses Against Nation-State APTs
The China-Nexus SAP NetWeaver exploit campaign underscores the growing convergence between ERP security and national critical infrastructure threats. Organizations must treat ERP systems not just as business systems, but as crown jewels of their cyber defense posture.
A proactive security strategy should include continuous patch management, segmentation of SAP and OT networks, and correlation of SAP telemetry within enterprise SOC platforms.