Chinese State-Backed Hackers Exploit Critical SAP Vulnerability in Global Espionage Campaign
In a significant development that underscores the growing sophistication of nation-state cyber operations, Chinese government-backed hackers have been actively exploiting a critical remote code execution vulnerability in SAP NetWeaver Application Server Java systems, according to multiple cybersecurity sources.
The vulnerability, tracked as CVE-2024-4584, affects SAP NetWeaver Application Server Java 7.5 and has been assigned a critical severity score of 9.8 out of 10 on the CVSS scale. This security flaw allows attackers to execute malicious code remotely without authentication, potentially giving them complete control over affected systems.
According to The Hacker News, the Chinese hacking group known as “Salt Typhoon” has been exploiting this vulnerability as part of a broader espionage campaign targeting organizations across multiple sectors globally. (The aliases APT31, Zirconium and Judgment Panda, which some reports list alongside Salt Typhoon, refer to a separate Chinese state-sponsored group; attribution should be read with that distinction in mind.)
“The vulnerability exists due to the way SAP NetWeaver AS Java handles specially crafted HTTP requests, allowing remote attackers to execute arbitrary code on vulnerable installations,” reported BleepingComputer. The publication noted that successful exploitation could lead to “unauthorized access to sensitive data, disruption of business operations, and potential lateral movement within compromised networks.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 requires federal civilian agencies to remediate affected systems by June 3, 2025. A KEV listing is only made for flaws with confirmed in-the-wild exploitation, so the directive is itself evidence that the attacks are not theoretical.
SAP released a patch for the vulnerability on April 9, 2025, as part of its monthly security update. However, as GB Hackers reported, “many organizations have yet to apply the necessary updates, leaving their systems vulnerable to attacks.”
Security researchers have observed the attackers deploying sophisticated post-exploitation tools, including custom malware designed to maintain persistent access to compromised systems while evading detection. According to BleepingComputer, the hackers have been “deploying web shells that provide backdoor access and allow them to execute commands on the compromised servers.”
The targeting pattern suggests a focus on organizations in sectors of strategic interest, including government agencies, defense contractors, technology firms, and critical infrastructure operators. This aligns with previously observed behavior from Chinese state-sponsored threat actors seeking to gather intelligence and intellectual property.
Industry experts emphasize the critical importance of applying SAP’s security patches immediately. “Organizations using SAP NetWeaver AS Java systems should prioritize patching this vulnerability and implement additional security measures such as network segmentation and enhanced monitoring,” advised The Hacker News.
This campaign represents the latest in a series of sophisticated cyber operations attributed to Chinese state-backed actors. As Slashdot noted, “The exploitation of enterprise software vulnerabilities has become a preferred method for advanced persistent threat groups seeking to gain initial access to high-value targets.”
Organizations are advised to implement a defense-in-depth approach, including timely patch management, network segmentation that keeps SAP application servers off the open internet and away from unrelated internal networks, and threat detection tuned to the behaviours described above: new or modified JSP files appearing in the server's web directories, the Java server process spawning shells or system utilities, and unexpected outbound connections from the application host. Security teams should also review HTTP access and application logs for indicators of compromise related to this campaign, and treat any suspicious activity as a trigger for a full investigation rather than a patch-and-forget event, since a web shell planted before patching survives the patch.
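The following script is an added example illustrating the log review and web-shell hunting recommended above; it is not code from the original article or from any of the cited publications, and it contains no indicators published for this campaign. It assumes a Common Log Format access log (real SAP AS Java HTTP logs may use a different layout, so adapt the regular expression), uses generic heuristics for command web shells (a `.jsp`/`.jspx` request carrying a `cmd`-style parameter, a successful POST followed by the first request to a previously unseen `.jsp` path from the same source, and JSP source that reads a request parameter and passes it to `Runtime.exec` or `ProcessBuilder`), and runs against constructed sample log lines and a constructed temporary web root. All paths and IP addresses are invented.

```python
"""Hunt for web-shell activity on an application server: a log-review pass
plus a web-root file scan.  Added example with generic, assumed heuristics;
not indicators published for any specific campaign."""
import os
import re
import tempfile

# Common Log Format line (assumed layout; adapt to the real log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Query parameter names commonly used by simple command shells (heuristic).
SHELL_PARAMS = {"cmd", "command", "exec", "execute", "c"}
# Source tokens typical of JSP command shells (heuristic).
EXEC_TOKENS = ("Runtime.getRuntime().exec", "ProcessBuilder")

# Constructed sample log: a benign user, then an upload-and-execute sequence.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /portal/home HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2025:10:02:15 +0000] "POST /portal/upload HTTP/1.1" 200 43
203.0.113.7 - - [12/May/2025:10:02:20 +0000] "GET /portal/helper.jsp?cmd=whoami HTTP/1.1" 200 87
203.0.113.7 - - [12/May/2025:10:02:31 +0000] "GET /portal/helper.jsp?cmd=id HTTP/1.1" 200 90
10.0.0.9 - - [12/May/2025:10:05:00 +0000] "GET /portal/report.jsp?id=42 HTTP/1.1" 200 2048
"""


def parse_log(text):
    """Yield one dict per line that matches LOG_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def review_access_log(text):
    """Return (finding_type, source_ip, detail) tuples for shell-style requests and
    for POST-then-first-use-of-a-new-JSP sequences from the same source."""
    findings = []
    recent_post = {}   # source ip -> path of its last successful POST
    seen_jsp = set()   # .jsp/.jspx paths already requested by anyone
    for r in parse_log(text):
        path, _, query = r["url"].partition("?")
        params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
        is_jsp = path.lower().endswith((".jsp", ".jspx"))
        if is_jsp and params & SHELL_PARAMS:
            findings.append(("shell_param_request", r["ip"], r["url"]))
        if r["method"] == "POST" and r["status"] == "200":
            recent_post[r["ip"]] = path
        elif is_jsp and path not in seen_jsp and r["ip"] in recent_post:
            findings.append(("post_then_new_jsp", r["ip"],
                             f'{recent_post[r["ip"]]} -> {path}'))
        if is_jsp:
            seen_jsp.add(path)
    return findings


def scan_webroot(root):
    """Return sorted paths of JSP files whose source reads a request parameter and
    also contains a command-execution token.  Heuristic: review hits by hand."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if "request.getParameter" in src and any(t in src for t in EXEC_TOKENS):
                hits.append(full)
    return sorted(hits)


def build_sample_webroot():
    """Create a constructed temporary web root: one benign page, one shell-like page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "report.jsp"), "w", encoding="utf-8") as fh:
        fh.write('<%@ page language="java" %><html><%= new java.util.Date() %></html>\n')
    with open(os.path.join(root, "helper.jsp"), "w", encoding="utf-8") as fh:
        # Constructed command-shell pattern, present only so the scanner has a hit.
        fh.write('<%@ page import="java.io.*" %>\n'
                 '<% String c = request.getParameter("cmd");\n'
                 '   if (c != null) { Process p = Runtime.getRuntime().exec(c); } %>\n')
    return root


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print("LOG ", *finding)
    for hit in scan_webroot(build_sample_webroot()):
        print("FILE", hit)
```

On the sample input the log pass reports two `shell_param_request` hits and one `post_then_new_jsp` sequence, all from 203.0.113.7, and the file scan flags only `helper.jsp`. The heuristics are deliberately narrow to keep false positives low; a real hunt should widen them (base64-encoded parameters, `.jspx` and `.war` drops, file modification times after the patch window) and correlate with process-creation telemetry from the application host.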