China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
Essential information
- Published
- 14/05/2025 17:09
- Modified
- 21/05/2025 19:53
- Tags
- 2025-05-14 apt azure ad china-nexus clsta0048 cve202531324 krustyloader sap netweaver sliver snowlight sta-0048 unc5174 vshell webshell
- Related entities
- 10 vulnerabilities (cve), 61 observables, 1 intrusion sets (apt), 5 techniques (mitre), 2 malware, 1 others
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (10)
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with …
- Attack vector
- Network
- Published
- 09/10/2024
- Modified
- 21/12/2025
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
- Attack vector
- Network
- Published
- 08/10/2024
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …
- Attack vector
- Network
- Published
- 09/10/2024
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …
- Attack vector
- Network
- Published
- 19/09/2024
- Modified
- 21/12/2025
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …
- Attack vector
- Network
- Published
- 15/07/2024
- Modified
- 21/12/2025
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
- Attack vector
- Network
- Published
- 22/02/2024
- Modified
- 28/02/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Observables (61)
Intrusion sets (APT) (1)
Techniques (MITRE) (5)
Malware (2)
Others (1)
-
Critical Infrastructure