China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
Essential information
- Published
- 14/05/2025 17:09
- Modified
- 21/05/2025 19:53
- Tags
- 2025-05-14 apt azure ad china-nexus clsta0048 cve202531324 krustyloader sap netweaver sliver snowlight sta-0048 unc5174 vshell webshell
- Related entities
- 10 vulnerabilities (cve), 61 observables, 1 intrusion sets (apt), 5 techniques (mitre), 2 malware, 1 others
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (10)
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with …
- Attack vector
- Network
- Published
- 09/10/2024
- Modified
- 21/12/2025
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
- Attack vector
- NETWORK
- Published
- 08/10/2024
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …
- Attack vector
- Network
- Published
- 09/10/2024
- Modified
- 21/12/2025
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …
- Attack vector
- Network
- Published
- 19/09/2024
- Modified
- 21/12/2025
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …
- Attack vector
- Network
- Published
- 15/07/2024
- Modified
- 21/12/2025
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
- Attack vector
- Network
- Published
- 22/02/2024
- Modified
- 28/02/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Observables (61)
-
185.165.169.31 -
65.49.235.210 -
138.68.61.82 -
107.175.77.118 -
http://43.247.135.53:10443 -
http://43.247.135.53/10443 -
http://103.30.76.206:443/slt -
aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com -
trycloudflare.com -
sentinelones.com -
f92d0cf4d577c68aa615797d1704f40b14810d98b48834b241dd5c9963e113ec -
c71da1dfea145798f881afd73b597336d87f18f8fd8f9a7f524c6749a5c664e4
Intrusion sets (APT) (1)
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Techniques (MITRE) (5)
Malware (2)
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Others (1)
-
Critical Infrastructure