Ransomware Groups Exploit SAP NetWeaver Flaw for Remote Code Execution
Two ransomware gangs, RansomEXX and BianLian, have joined widespread attacks on unpatched SAP NetWeaver systems. These attacks exploit CVE-2025-31324, a maximum-severity vulnerability allowing unauthenticated remote file uploads, leading to full remote code execution.
SAP released emergency patches on April 24 to fix the flaw in the NetWeaver Visual Composer. The issue had already been under active exploitation, as first observed by cybersecurity firm ReliaQuest.
Ransomware Activity Confirmed, but Payloads Not Yet Deployed
According to a May 14 advisory update from ReliaQuest, both ransomware operations are actively involved in exploiting the vulnerability, though no ransomware payloads have yet been successfully deployed.
“Continued analysis has uncovered evidence suggesting involvement from the Russian ransomware group ‘BianLian’ and the operators of the ‘RansomEXX’ ransomware family (tracked by Microsoft as ‘Storm-2460’),” ReliaQuest said.
The BianLian group was tied to at least one incident via a previously known command-and-control (C2) server IP address. In the case of RansomEXX, attackers used the gang’s PipeMagic modular backdoor and also exploited CVE-2025-29824, a known Windows CLFS vulnerability.
“The malware was deployed just hours after global exploitation involving the helper.jsp and cache.jsp webshells. Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution,” ReliaQuest noted.
Chinese APTs Also Exploiting the Same SAP Weakness
The same NetWeaver vulnerability is being actively used by China-based advanced persistent threat (APT) groups, according to Forescout Vedere Labs and EclecticIQ.
Forescout attributed part of the activity to a group it tracks as Chaya_004. EclecticIQ additionally linked the exploitation to UNC5221, UNC5174, and CL-STA-0048—all China-aligned actors.
Evidence from one attacker’s exposed server showed 581 SAP NetWeaver instances were already compromised, including systems tied to critical infrastructure in the U.K., U.S., and Saudi Arabia. An additional 1,800 domains appear to be targeted next.
“Persistent backdoor access to these systems provides a foothold for China-aligned APTs, potentially enabling strategic objectives of the People’s Republic of China (PRC), including military, intelligence, or economic advantage,” said Forescout.
Forescout warned that many affected SAP systems were linked to industrial control systems (ICS), posing lateral movement risks and long-term espionage threats.
SAP Issues Additional Patch for Chained Zero-Day Exploit
SAP also patched a second NetWeaver vulnerability, CVE-2025-42999, on May 13. This flaw had been exploited in a chain with CVE-2025-31324 since March, enabling remote command execution.
Urgent Action Required to Secure SAP NetWeaver Environments
SAP administrators are advised to:
- Immediately apply the latest patches
- Disable Visual Composer if patching isn’t possible
- Restrict access to metadata uploader services
- Monitor systems for suspicious behavior
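The last recommendation, monitoring for suspicious behavior, can be made concrete with a small log check. The following Python script is an added example, not code from the article or from SAP or ReliaQuest. It scans web-server access log lines in Common Log Format and raises a finding when a request targets one of the webshell file names named in the ReliaQuest analysis (helper.jsp, cache.jsp) or when an HTTP POST to the Visual Composer metadata uploader endpoint succeeds. The endpoint path, the log format and all sample log lines are assumptions constructed for this example; on a real system, point it at the Java application server's HTTP access log.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Webshell file names reported in the ReliaQuest analysis quoted in the article.
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Path of the Visual Composer metadata uploader. Assumed for this example;
# confirm against your own NetWeaver instance before relying on it.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Common Log Format with the request line split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    reason: str
    path: str


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: ignore rather than crash the scan
    # Strip any query string so only the served resource is inspected.
    path = m.group("path").split("?", 1)[0]
    method = m.group("method")
    status = int(m.group("status"))
    filename = path.rsplit("/", 1)[-1].lower()

    # Any request for a known webshell name is worth a look, regardless of status.
    if filename in WEBSHELL_NAMES:
        return Finding(m["ip"], m["ts"], "known webshell name requested", path)

    # An unauthenticated upload succeeding is the behaviour the flaw enables;
    # a 403/401 means the restriction recommended above is doing its job.
    if method == "POST" and path.lower().startswith(UPLOADER_PATH) and 200 <= status < 300:
        return Finding(m["ip"], m["ts"], "successful POST to metadata uploader", path)
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_line over every line and keep the hits, in log order."""
    return [f for f in (analyze_line(line) for line in lines) if f is not None]


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Apr/2025:10:15:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.10 - - [24/Apr/2025:10:15:05 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [24/Apr/2025:10:16:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '198.51.100.7 - - [24/Apr/2025:10:16:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding.ts} {finding.ip} {finding.reason}: {finding.path}")
```

Only the first two sample lines produce findings: the successful upload and the request for helper.jsp. The blocked POST on the last line is not flagged, which is the expected result once access to the uploader service has been restricted. A finding is a prompt for investigation of the host and the source address, not proof of compromise on its own.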
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog. Federal agencies are required to apply mitigations by May 20, under Binding Operational Directive 22-01.