BianLian and RansomExx Leverage SAP NetWeaver Vulnerability to Implement PipeMagic Trojan


At least two distinct cybercriminal organizations, BianLian and RansomExx, are reported to have exploited a security vulnerability in SAP NetWeaver, designated as CVE-2025-31324. This incident highlights that multiple threat actors are leveraging this vulnerability for malicious purposes.

Recent findings from cybersecurity firm ReliaQuest present strong evidence of involvement by the BianLian data extortion group alongside the RansomExx ransomware family, which Microsoft tracks under the identifier Storm-2460. The analysis indicates that BianLian is likely involved in at least one incident, based on connections to IP addresses previously attributed to the group.

ReliaQuest’s investigation revealed a server at an IP address known for hosting reverse proxy services initiated by the rs64.exe executable. This server is linked to another address that has been flagged as a command-and-control (C2) server connected to BianLian, sharing identical certificates and ports.

Moreover, the deployment of a plugin-based trojan, identified as PipeMagic, has been observed. This trojan was recently associated with a zero-day exploitation targeting a privilege escalation vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS), with attacks aimed at entities in the United States, Venezuela, Spain, and Saudi Arabia.

These attacks have involved the delivery of the PipeMagic trojan through web shells resulting from the exploitation of the SAP NetWeaver flaw. Although initial attack attempts were unsuccessful, subsequent attempts utilized the Brute Ratel C2 framework through inline MSBuild task execution, which led to the spawning of a dllhost.exe process, indicating exploitation of the CLFS vulnerability.
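The post-exploitation chain above gives defenders one concrete, low-noise signal: MSBuild.exe acting as the parent of dllhost.exe. The following is an added illustration, not code from the article or from ReliaQuest, showing how that parent/child rule can be applied to process-creation telemetry. The event field names (`parent_image`, `image`, `cmdline`, `host`, `ts`) follow a Sysmon Event ID 1 style but are an assumption for this example, and the sample events, hosts, timestamps and GUID are constructed.

```python
# Added example (not from the article or from ReliaQuest): a small detection
# routine that walks process-creation events and flags the parent/child chain
# the article describes, MSBuild.exe spawning dllhost.exe.  Field names follow
# a Sysmon Event ID 1 style but are an assumption for this illustration.
from typing import Iterable

# Constructed sample telemetry; hostnames, paths, timestamps and the GUID are invented.
SAMPLE_EVENTS = [
    {
        # The chain described in the article: the build tool launching the COM surrogate.
        "ts": "2025-05-13T10:02:11Z", "host": "sap-app01",
        "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "image": r"C:\Windows\System32\dllhost.exe",
        "cmdline": "dllhost.exe",
    },
    {
        # Ordinary COM surrogate launch by the service host: benign, must not fire.
        "ts": "2025-05-13T10:02:30Z", "host": "sap-app01",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\dllhost.exe",
        "cmdline": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
    },
    {
        # Ordinary build: MSBuild compiling a project spawns the C# compiler, not dllhost.
        "ts": "2025-05-13T10:05:00Z", "host": "build01",
        "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "cmdline": "csc.exe /noconfig /target:library",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msbuild_dllhost_spawn(event: dict) -> bool:
    """True when MSBuild.exe is the direct parent of dllhost.exe.

    dllhost.exe is the legitimate COM surrogate and is launched constantly by
    svchost.exe, so the image alone is worthless as an indicator.  The unusual
    element is the parent: a build tool has no reason to host a COM surrogate,
    which makes the pair a high-signal match rather than either process by itself.
    """
    return (_basename(event.get("parent_image", "")) == "msbuild.exe"
            and _basename(event.get("image", "")) == "dllhost.exe")


def find_suspicious_spawns(events: Iterable[dict]) -> list[dict]:
    """Return every event matching the rule, ready for triage or alerting."""
    return [e for e in events if is_msbuild_dllhost_spawn(e)]


if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"[alert] {hit['host']} {hit['ts']}: "
              f"{hit['parent_image']} -> {hit['image']}")
```

Run against the constructed events, only the first record fires; the benign svchost.exe and csc.exe launches are ignored. In a real deployment the same parent/child comparison belongs in the EDR or SIEM query language, and a hit should be pivoted on the MSBuild.exe command line and the project file it was handed, since inline-task execution leaves the project file on disk.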

These revelations coincide with recent disclosures from another cybersecurity entity, which noted that several Chinese hacking groups, tracked as UNC5221, UNC5174, and CL-STA-0048, actively exploit CVE-2025-31324 to deploy various malicious payloads.

In addition, cybersecurity firm Onapsis has confirmed that threat actors have been exploiting CVE-2025-31324 in conjunction with a deserialization flaw within the same component (CVE-2025-42999) since March 2025. The latest patch addresses the root cause of CVE-2025-31324.

The distinctions between CVE-2025-31324 and CVE-2025-42999 appear minimal; both vulnerabilities allow for potential exploitation by authenticated and unauthenticated users in a comparable manner. While CVE-2025-42999 supposedly requires higher privileges, CVE-2025-31324 provides unrestricted system access. Consequently, the remediation guidance remains consistent for both CVEs.