Ransomware Groups Engage in Ongoing Attacks Targeting SAP NetWeaver Systems


Ransomware groups have joined the ongoing attacks on SAP NetWeaver servers, exploiting a critical vulnerability that gives unauthenticated attackers remote code execution on unpatched, internet-exposed systems.

On April 24, SAP released emergency patches (SAP Security Note 3594142) for CVE-2025-31324, a missing-authorization flaw in the NetWeaver Visual Composer Metadata Uploader that allows file uploads without authentication. The fix followed shortly after cybersecurity firm ReliaQuest reported that the flaw was already being exploited in the wild.

Because the upload requires no credentials, an attacker can write an executable file such as a JSP web shell into the server's web directories and, from there, run commands on the host, which typically leads to a full system takeover.

In a follow-up advisory, ReliaQuest disclosed that the ransomware groups RansomEXX and BianLian are now participating in the attacks. So far, however, no ransomware payload is reported to have been successfully deployed.

ReliaQuest noted that evidence links the Russian ransomware group BianLian to these exploitation attempts, with a “moderate confidence” connection based on an IP address previously associated with one of its command-and-control servers.

In incidents attributed to RansomEXX, the attackers deployed the gang's PipeMagic modular backdoor and chained the intrusion with CVE-2025-29824, a privilege-escalation vulnerability in the Windows Common Log File System (CLFS) driver that the group exploited in earlier attacks.

ReliaQuest reported that the backdoor was dropped shortly after an initial attempt to abuse the uploaded web shells failed. A follow-up attack then succeeded in launching the Brute Ratel C2 framework through an inline MSBuild task, a living-off-the-land technique that executes attacker code from within a trusted Microsoft binary and sidesteps many application-control policies.

Forescout Vedere Labs has separately linked some of the attacks to a Chinese threat actor it tracks as Chaya_004. Threat-intelligence firm EclecticIQ reports that three other China-nexus groups, UNC5221, UNC5174, and CL-STA-0048, are exploiting the same vulnerability against unpatched NetWeaver instances.

According to EclecticIQ, the attackers have backdoored at least 581 SAP NetWeaver instances, including critical-infrastructure organizations in the United Kingdom, the United States, and Saudi Arabia, and are planning further attacks on an estimated 1,800 domains.

That persistent access gives China-aligned APTs a long-term foothold that can serve military, intelligence, or economic objectives. Because SAP systems are frequently connected to industrial control system (ICS) networks, the compromised hosts also offer a path for lateral movement that could eventually be used to disrupt services.

SAP has since addressed a second Visual Composer vulnerability, CVE-2025-42999, a deserialization flaw that allows remote execution of arbitrary commands and that researchers report has been exploited as a zero-day since at least March. On its own the flaw requires a privileged user, but researchers observed it being chained with CVE-2025-31324 so that no authentication is needed, which is why both patches must be applied.

To mitigate these risks, SAP administrators must promptly patch their NetWeaver servers or, if an upgrade is not immediately feasible, disable the Visual Composer service. Access to the metadata uploader service should be restricted to trusted administrative networks, and servers should be monitored for suspicious activity such as unexpected requests to the uploader endpoint or newly created JSP files in the application's web directories. Since exploitation began before the patch was available, patching alone is not enough: systems that were exposed should be reviewed for web shells already in place.
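The monitoring step above can be turned into concrete detection logic. The following is an added example, not code from the article, SAP, or any of the firms it cites. It assumes the uploader lives at `/developmentserver/metadatauploader` (the path SAP documents for the Visual Composer Metadata Uploader), that HTTP access logs are available in Common Log Format, and that `ADMIN_ALLOWLIST` contains the only clients expected to reach that endpoint; the log lines it runs over are constructed sample data, not real traffic.

```python
"""Flag suspicious activity against the NetWeaver Visual Composer metadata
uploader in HTTP access logs.

Added example, not code from the article or from SAP/ReliaQuest.
Assumptions (see lead-in):
  - log lines are in Common Log Format; SAMPLE_LOG below is constructed,
    not captured traffic;
  - the vulnerable endpoint path is /developmentserver/metadatauploader;
  - ADMIN_ALLOWLIST holds the only clients that should ever reach it.
"""
import re

UPLOADER_PATH = "/developmentserver/metadatauploader"
ADMIN_ALLOWLIST = {"10.0.5.20"}  # assumed trusted admin host

# Common Log Format: host ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample data: an unexpected client probes the uploader, posts to
# it, then fetches a JSP that did not exist before; an admin host browses normally.
SAMPLE_LOG = """\
10.0.5.20 - - [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:09:15:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 301
203.0.113.7 - - [24/Apr/2025:09:15:47 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 212
203.0.113.7 - - [24/Apr/2025:09:16:02 +0000] "GET /irj/work/upd.jsp HTTP/1.1" 200 88
10.0.5.20 - - [24/Apr/2025:09:20:00 +0000] "GET /irj/portal/logon.jsp HTTP/1.1" 200 4096
"""


def parse(line):
    """Return the parsed fields of one CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (rule, client_ip, requested_path) alerts.

    Rule 1: any request to the uploader endpoint from a client outside the
            allowlist (the flaw needs no credentials, so every such hit
            is worth reviewing, whatever the method or status).
    Rule 2: a client that touched the uploader later fetches a .jsp with a
            200 response, the pattern of a dropped web shell being invoked.
    """
    alerts = []
    touched_uploader = set()  # clients seen hitting the uploader in this log
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0].lower()  # drop query string
        if path.startswith(UPLOADER_PATH):
            if ip not in ADMIN_ALLOWLIST:
                alerts.append(("uploader_access_from_unexpected_client", ip, rec["path"]))
            touched_uploader.add(ip)
        elif path.endswith(".jsp") and rec["status"] == "200" and ip in touched_uploader:
            alerts.append(("jsp_fetch_after_uploader_access", ip, rec["path"]))
    return alerts


def run_sample():
    """Run the rules over the constructed sample log and return the alerts."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, ip, path in run_sample():
        print(f"{rule}: {ip} -> {path}")
```

Rule 2 deliberately keys on the sequence (uploader hit, then a JSP served with 200 to the same client) rather than on any particular file name, so it does not depend on knowing the web shell names a given intrusion used. In practice this should be paired with a filesystem comparison of the Visual Composer web directories against a known-good baseline, since a shell dropped before logging was enabled will never appear in the access log.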

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, mandating that federal agencies secure their servers by May 20, in compliance with Binding Operational Directive 22-01.