Summary: A recently disclosed zero day vulnerability in SAP NetWeaver is being actively exploited by multiple Chinese nation-state threat actors, specifically UNC5521, UNC5174, and CL-STA-0048 to target critical infrastructure networks. The vulnerability tracked as CVE-2025-31324 has a CVSS score of 10.0, and is an unauthenticated file upload vulnerability that enables remote code execution (RCE). Research from cybersecurity firm EclecticIQ indicates that targets of the campaign include natural gas distribution networks, water and integrated waste management utilities, and other critical infrastructure sectors in the United States and abroad.
Another vulnerability in NetWeaver (CVE-2025-42999) was also exploited in the wild. Cybersecurity firm Onapsis has indicated that threat actors were chaining both vulnerabilities in attacks since January. It was noted that the combination allowed attackers to remotely execute arbitrary commands without any privileges on the systems.
Analyst Note: WaterISAC is aware that SAP NetWeaver itself is not broadly or directly used as a core system in the water sector. However, SAP technologies built on NetWeaver (such as SAP ERP, SAP S/4HANA, or SAP Utilities) are used by several large water utilities, particularly in areas like asset management, billing and customer service, supply chain and procurement, workforce management, and regulatory compliance reporting. WaterISAC urges members to verify if they use technologies built on SAP NetWeaver and to update their instances to the latest version as soon as possible.
Original Source: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html
Additional Reading:
- China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
- China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
- SAP patches second zero-day flaw exploited in recent attacks
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 7, 8, 10, 12
