Ransomware Gangs Join Ongoing SAP NetWeaver Attacks
A new wave of cyberattacks is hitting SAP NetWeaver servers by exploiting a maximum-severity vulnerability, CVE-2025-31324, that gives unauthenticated threat actors remote code execution on vulnerable servers. Ransomware gangs, including RansomEXX and BianLian, have now joined the ongoing attacks on servers still unpatched against the flaw.
According to cybersecurity firm ReliaQuest, successful exploitation of this vulnerability allows threat actors to upload malicious files without requiring login credentials, potentially leading to complete system compromise. In an update to their original advisory, ReliaQuest revealed that BianLian and RansomEXX ransomware operations have also joined these attacks, although no ransomware payloads were successfully deployed.
"Continued analysis has uncovered evidence suggesting involvement from the Russian ransomware group 'BianLian' and the operators of the 'RansomEXX' ransomware family (tracked by Microsoft as 'Storm-2460')," ReliaQuest said. "These findings reveal widespread interest in exploiting this vulnerability across multiple threat groups."
ReliaQuest linked BianLian to at least one incident with "moderate confidence" based on an IP address used by the ransomware gang's operators in the past to host one of their command-and-control (C2) servers. In the RansomEXX attacks, the threat actors deployed the gang's PipeMagic modular backdoor and exploited the CVE-2025-29824 Windows CLFS vulnerability abused in previous incidents linked to this ransomware operation.
Chinese hacking groups have also been linked to these ongoing attacks. Forescout Vedere Labs security researchers have identified Chaya_004, a Chinese threat actor, as exploiting the CVE-2025-31324 flaw. EclecticIQ reported that three other Chinese APTs (i.e., UNC5221, UNC5174, and CL-STA-0048) are also targeting NetWeaver instances unpatched against CVE-2025-31324.
Exposed files found in an openly accessible directory on one of these attackers' unsecured servers revealed that the attackers have backdoored at least 581 SAP NetWeaver instances, including critical infrastructure in the United Kingdom, the United States, and Saudi Arabia, and are planning to target another 1,800 domains.
"Persistent backdoor access to these systems provides a foothold for China-aligned APTs, potentially enabling strategic objectives of the People's Republic of China (PRC), including military, intelligence, or economic advantage," Forescout said. "The compromised SAP systems are also highly connected to the internal network of the industrial control system (ICS), which poses lateral movement risks that potentially cause service disruption to long-term espionage."
SAP has also patched a second NetWeaver vulnerability (CVE-2025-42999) that was chained with CVE-2025-31324 in these attacks while it was still a zero-day. Admins are advised to apply the patches or, if an upgrade isn't possible, to disable the Visual Composer service. Restricting access to the metadata uploader service and monitoring servers for suspicious activity is also highly advisable.
CISA added the CVE-2025-31324 flaw to its Known Exploited Vulnerabilities Catalog two weeks ago, requiring federal agencies to secure their servers by May 20 under Binding Operational Directive (BOD) 22-01. The attacks highlight the need for immediate action from SAP administrators and organizations that use NetWeaver servers.
Background: Understanding the Attacks
The attacks are linked to a maximum-severity vulnerability in SAP NetWeaver, CVE-2025-31324, which allows threat actors to gain remote code execution on vulnerable servers. Exploitation of this flaw was first flagged by cybersecurity company ReliaQuest days after it was discovered.
ReliaQuest initially reported that the vulnerability was being exploited by a single threat actor. However, in an update to their advisory, they revealed that RansomEXX and BianLian ransomware gangs have also joined these attacks.
Patching and Defense
SAP released an emergency patch for CVE-2025-31324 on April 24 and has since patched a second NetWeaver vulnerability (CVE-2025-42999) that was chained with it in these attacks while it was still a zero-day.
Admins are advised to apply the patches or, if an upgrade isn't possible, to disable the Visual Composer service. Restricting access to the metadata uploader service and monitoring servers for suspicious activity is also highly advisable.
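As an added example (not code from the article or from any vendor or researcher named in it), the following Python script turns the "monitor for suspicious activity" advice into a concrete check over web server access logs. It flags every request to the Visual Composer Metadata Uploader endpoint, rates an unauthenticated 2xx response as high severity (that is the credential-less file upload the advisories describe), and correlates a follow-up request for a .jsp file from the same source within ten minutes, the upload-then-webshell sequence. The endpoint path /developmentserver/metadatauploader is taken from public advisories on CVE-2025-31324 rather than from this article; the sample log lines are constructed, and the ten-minute window and the .jsp heuristic are tuning assumptions.

```python
import re
from datetime import datetime, timedelta

# Endpoint of the Visual Composer Metadata Uploader. Public advisories for
# CVE-2025-31324 give this path; the article above only names the service.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# How long after an uploader hit a JSP request from the same source counts as
# follow-up activity (tuning assumption, not from the article).
FOLLOWUP_WINDOW = timedelta(minutes=10)

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log, not real traffic: one source posts to the uploader
# and then calls a JSP; another is ordinary portal use; a third is an
# authenticated request that the server rejected.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:09:12:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
203.0.113.10 - - [14/May/2025:09:12:40 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 2048
198.51.100.7 - - [14/May/2025:09:15:00 +0000] "GET /irj/portal HTTP/1.1" 200 9000
192.0.2.55 - admin [14/May/2025:10:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines):
    """Flag metadata-uploader access and JSP requests that follow it.

    Returns a list of findings, each with 'kind', 'ip', 'ts', 'severity', 'detail'.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])
    findings = []
    last_upload = {}  # ip -> timestamp of its most recent uploader hit

    for r in records:
        if r["path"].lower() == UPLOADER_PATH:
            # Any reachable uploader is worth a look; an unauthenticated 2xx is
            # the pattern the advisories describe (file upload with no credentials).
            unauth_ok = r["user"] == "-" and r["status"].startswith("2")
            findings.append({
                "kind": "uploader_hit", "ip": r["ip"], "ts": r["ts"],
                "severity": "high" if unauth_ok else "low",
                "detail": f'{r["method"]} {r["path"]} -> {r["status"]} (user={r["user"]})',
            })
            last_upload[r["ip"]] = r["ts"]
        elif r["path"].lower().endswith(".jsp") and r["ip"] in last_upload:
            gap = r["ts"] - last_upload[r["ip"]]
            if gap <= FOLLOWUP_WINDOW:
                findings.append({
                    "kind": "jsp_after_upload", "ip": r["ip"], "ts": r["ts"],
                    "severity": "high",
                    "detail": f'{r["path"]} requested {gap.seconds}s after uploader hit',
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f'{f["severity"]:4} {f["kind"]:17} {f["ip"]:15} {f["detail"]}')
```

Run it against an exported access log (one line per request) instead of SAMPLE_LOG to get a first-pass list of sources to investigate; an authenticated or rejected uploader hit is still reported, at low severity, because the advice is to restrict access to the uploader entirely, so any reachability is a configuration finding even when it is not an intrusion.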
Risk and Impact
The attacks highlight the significant risk posed by unpatched vulnerabilities in SAP NetWeaver. The compromised systems, including critical infrastructure in the United Kingdom, the United States, and Saudi Arabia, expose connected internal networks to lateral movement, with consequences ranging from service disruption to long-term espionage.
Forescout estimates that over 1,200 SAP NetWeaver servers are vulnerable to actively exploited flaws, while the attackers plan to target another 1,800 domains.