Ransomware groups have now joined the ongoing attacks on SAP NetWeaver. They are taking advantage of a critical vulnerability that allows unauthenticated attackers to execute code remotely on vulnerable servers.
On April 24, SAP released emergency patches for a security vulnerability in NetWeaver Visual Composer (CVE-2025-31324). This came shortly after security company ReliaQuest reported that attackers were exploiting this vulnerability.
The vulnerability lets attackers upload arbitrary files, typically JSP webshells, without any authentication. Such a webshell gives them command execution on the server and can lead to complete control over the system.
In an update to their earlier warning, ReliaQuest reported that the ransomware groups RansomEXX and BianLian are also involved in these attacks. However, they state that no ransomware payload has been deployed in the observed incidents so far.
Russian ransomware group active
According to ReliaQuest, further investigation points to the involvement of the Russian group BianLian and the administrators of RansomEXX. Microsoft refers to the latter group as Storm-2460. The findings indicate that several criminal groups are interested in exploiting this vulnerability.
BianLian has been linked to at least one incident with moderate confidence. The attribution rests on an IP address that the group previously used for its command-and-control infrastructure.
In the RansomEXX attacks, the attackers used the PipeMagic backdoor and exploited a known privilege-escalation vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2025-29824), which had previously been linked to this group.
ReliaQuest stated that the malware was installed shortly after the widespread exploitation via webshells such as helper.jsp and cache.jsp. Although the first attempt to deploy PipeMagic failed, a second attack followed, in which the Brute Ratel C2 framework was deployed via inline MSBuild task execution.
Also exploited by Chinese hacking groups
Researchers at Forescout Vedere Labs have also linked the attacks to a Chinese threat actor tracked as Chaya_004. EclecticIQ reported on Tuesday that three other Chinese APT groups (UNC5221, UNC5174, and CL-STA-0048) are attacking NetWeaver instances that have not yet been patched against CVE-2025-31324.
According to Forescout, at least 581 SAP NetWeaver instances have been backdoored, including systems within critical infrastructure in the UK, the US, and Saudi Arabia. Leaked files also list plans to target another 1,800 domains.
Forescout warns that long-term access via these backdoors could enable China to pursue military or economic goals. The affected systems are also often connected to internal industrial control system networks, which poses a risk of further spread and disruption of services.
On Monday, SAP released a patch for a second vulnerability (CVE-2025-42999), a deserialization flaw that attackers had been chaining with CVE-2025-31324 as a zero-day since March to execute arbitrary commands.
Quick update essential
Administrators are strongly advised to update their SAP NetWeaver servers as soon as possible, or to disable the Visual Composer component if patching is not possible. It is also wise to restrict access to the Metadata Uploader endpoint (/developmentserver/metadatauploader), to check for unexpected JSP files on the server, and to actively monitor for suspicious activity.
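As an added example of the monitoring advised above (this is not code from the article, from SAP, or from any of the research teams mentioned), the script below hunts through HTTP access logs for two indicators: POST requests to the Metadata Uploader endpoint, and subsequent requests for the webshell names reported in the attacks (helper.jsp, cache.jsp). It assumes a combined-log-style format as produced by a reverse proxy in front of NetWeaver; the endpoint path follows SAP's and CISA's public guidance, and the log lines are constructed for illustration.

```python
"""Hunt for CVE-2025-31324 exploitation traces in HTTP access logs.

Added example, not part of the original article. Assumptions:
  * logs are in Apache/nginx combined format (constructed samples below);
  * the Metadata Uploader lives at /developmentserver/metadatauploader,
    as named in SAP's and CISA's public guidance;
  * webshell file names are the ones named in the article (helper.jsp,
    cache.jsp) and are reachable through the /irj/ portal path.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample traffic (not real captures): one attacker IP uploads via
# the metadata uploader, then calls two webshells; a scanner only probes.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:09:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [24/Apr/2025:09:12:03 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [24/Apr/2025:09:15:44 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Apr/2025:09:16:10 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 87 "-" "curl/8.1"
192.0.2.55 - - [24/Apr/2025:10:01:00 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0 "-" "Nmap"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}  # names reported in the attacks


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    category: str  # upload_attempt | webshell_access | probe
    detail: str


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict[str, str]) -> tuple[str, str] | None:
    """Map one parsed request to a finding category, or None if benign."""
    path = rec["path"].split("?", 1)[0]  # drop query string before matching
    method = rec["method"]
    if path.lower() == UPLOADER_PATH:
        # A write to the uploader is the exploitation step; anything else is recon.
        if method in ("POST", "PUT"):
            return "upload_attempt", f"{method} to metadata uploader (status {rec['status']})"
        return "probe", f"{method} to metadata uploader"
    basename = path.rsplit("/", 1)[-1].lower()
    if basename in KNOWN_WEBSHELLS:
        return "webshell_access", f"request for {path} ({rec['ua']})"
    return None


def analyze(log_text: str) -> list[Finding]:
    """Run the detection over every line of a log and collect findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        hit = classify(rec)
        if hit is not None:
            findings.append(Finding(rec["ip"], rec["ts"], hit[0], hit[1]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


def attacker_ips(findings: list[Finding]) -> set[str]:
    """IPs that went beyond probing: uploaded via the endpoint or used a webshell."""
    return {f.ip for f in findings if f.category in ("upload_attempt", "webshell_access")}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp}  {f.ip:<15} {f.category:<16} {f.detail}")
    print("summary:", summarize(results))
    print("hosts to contain:", sorted(attacker_ips(results)))
```

A HEAD or GET against the uploader path is reported only as a probe, since mass scanning of that URL is expected once a CVE is public; a POST is the actual upload and, together with any later hit on a JSP under the portal path, is what should trigger containment and a file-system review of the server.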
The US CISA added CVE-2025-31324 to its Known Exploited Vulnerabilities catalog two weeks ago. Under Binding Operational Directive 22-01, federal agencies must secure their servers by May 20 at the latest.