Ethical Hacking News
Ransomware gangs have joined the ongoing attacks on SAP NetWeaver, exploiting a maximum-severity vulnerability that allows remote code execution on vulnerable servers. SAP admins must patch their systems immediately or risk falling victim to these highly sophisticated attacks, which can result in complete system compromise and create lateral movement risks.
The SAP NetWeaver system has become a prime target for cybercriminals due to its widespread use in enterprise resource planning. A maximum-severity vulnerability (CVE-2025-31324) allows threat actors to gain remote code execution on vulnerable servers, facilitating recent attacks. Ransomware gangs like RansomEXX and BianLian have joined forces with other attackers to exploit the CVE-2025-31324 flaw in SAP NetWeaver servers. At least 581 SAP NetWeaver instances have been backdoored by attackers, posing significant lateral movement risks to internal networks of industrial control systems. SAP admins are advised to patch their NetWeaver servers immediately or disable the Visual Composer service if an upgrade isn't possible. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, mandating that federal agencies secure their servers by May 20.
SAP NetWeaver, a widely used software solution for enterprise resource planning, has become a prime target for cybercriminals. The latest developments in this ongoing saga highlight the rise of ransomware gangs joining forces with other malicious actors to exploit vulnerabilities in the SAP NetWeaver system.
The recent attacks have been facilitated by a maximum-severity vulnerability (CVE-2025-31324) that allows threat actors to gain remote code execution on vulnerable servers. This vulnerability was first identified by cybersecurity company ReliaQuest, who tagged it as targeted in the wild just days after its initial discovery. SAP released emergency patches for this vulnerability on April 24, but the damage had already been done.
The RansomEXX and BianLian ransomware operations have also joined forces with other attackers to target SAP NetWeaver servers, exploiting the CVE-2025-31324 flaw. No ransomware payloads were successfully deployed in these attacks, but the potential for complete system compromise remains high because the flaw allows malicious file uploads without any login credentials.
Further analysis by ReliaQuest has uncovered evidence suggesting that BianLian, a Russian ransomware group, and the operators of RansomEXX (also known as Storm-2460) have been involved in these attacks. This finding indicates widespread interest among threat groups in exploiting this vulnerability across multiple attack vectors.
In the case of the BianLian operations, ReliaQuest has linked the group to at least one incident based on an IP address used by the ransomware gang's operators to host a command-and-control (C2) server. In contrast, the RansomEXX attacks involved the deployment of the PipeMagic modular backdoor and the exploitation of the CVE-2025-29824 Windows CLFS vulnerability.
The recent surge in attacks targeting SAP NetWeaver has also been linked to Chinese hacking groups, including Chaya_004 and other APTs (Advanced Persistent Threats) identified by EclecticIQ. These attackers have been exploiting the same CVE-2025-31324 flaw as well as other vulnerabilities, such as CVE-2025-42999, which was patched on March 18.
Forescout Vedere Labs security researchers have discovered that at least 581 SAP NetWeaver instances (including critical infrastructure in the United Kingdom, the United States, and Saudi Arabia) have been backdoored by these attackers. Furthermore, the group is planning to target an additional 1,800 domains, leveraging persistent backdoor access to compromised systems.
The compromised SAP systems are highly connected to internal networks of industrial control systems (ICS), which poses lateral movement risks that could potentially cause service disruptions and long-term espionage.
SAP has taken steps to address these vulnerabilities by releasing emergency patches for the affected flaws. However, in light of these ongoing attacks, it is imperative that SAP admins take immediate action to patch their NetWeaver servers or consider disabling the Visual Composer service if an upgrade isn't possible. Restricting access to metadata uploader services and monitoring for suspicious activity on their servers are also highly advisable.
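The monitoring step above can be started from ordinary web access logs. The following is an added defender-side example written for this page; it is not code from the article, SAP, ReliaQuest or CISA. It assumes a combined-format access log in front of the NetWeaver Java stack and uses a placeholder for the metadata uploader endpoint path, which the article does not state and which should be taken from SAP's advisory. It lists every POST to that endpoint, groups them by source address, and counts how many were answered with a 2xx status, which is the case that matters most once the service is supposed to be disabled or access-restricted.

```python
import re
from collections import Counter

# Placeholder (assumption): substitute the metadata uploader endpoint path from
# SAP's advisory for CVE-2025-31324. The article does not state the path.
UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"

# Assumed layout: NCSA combined log format, as written by a typical reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and normalise case so trivial variations are not missed.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def find_uploader_posts(lines):
    """Return the parsed records for every POST aimed at the uploader endpoint."""
    target = UPLOADER_PATH.lower()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == target:
            hits.append(rec)
    return hits


def summarize(hits):
    """Group the hits by source IP and count those the server accepted (2xx)."""
    by_ip = Counter(h["ip"] for h in hits)
    succeeded = sum(1 for h in hits if 200 <= h["status"] < 300)
    return {"total": len(hits), "by_ip": dict(by_ip), "succeeded": succeeded}


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2025:10:01:02 +0000] "POST /PLACEHOLDER/metadatauploader?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2025:10:01:09 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.9 - - [14/May/2025:10:05:44 +0000] "POST /placeholder/metadatauploader HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.5 - - [14/May/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/May/2025:10:06:30 +0000] "POST /other/service HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_uploader_posts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} -> {hit["status"]}')
    print(summarize(find_uploader_posts(SAMPLE_LOG)))
```

On the constructed sample the script reports three POSTs to the uploader from two addresses, of which one was accepted with a 200. Any accepted POST from an address that is not a known developer workstation deserves a look at the server's upload directory for unexpected files; once Visual Composer has been disabled or the endpoint restricted, every such request should instead be rejected, so a 2xx here is a direct sign that the mitigation is not in effect.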
In a bid to assist federal agencies in securing their systems, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, mandating that these agencies secure their servers by May 20 as per the Binding Operational Directive (BOD) 22-01.
The recent SAP NetWeaver attacks highlight the growing complexity of modern cybersecurity threats. Ransomware gangs are becoming increasingly sophisticated in their tactics, often joining forces with other threat actors to exploit vulnerabilities and achieve their goals. As such, it is crucial that organizations prioritize security measures to protect themselves against these evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Take-SAP-NetWeaver-to-New-Extremes-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
https://www.bleepingcomputer.com/news/security/chinese-hackers-behind-attacks-targeting-sap-netweaver-servers/
https://undercodenews.com/ransomware-gangs-exploit-sap-netweaver-flaw-in-surge-of-global-cyberattacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://www.cvedetails.com/cve/CVE-2025-31324/
https://nvd.nist.gov/vuln/detail/CVE-2025-29824
https://www.cvedetails.com/cve/CVE-2025-29824/
https://nvd.nist.gov/vuln/detail/CVE-2025-42999
https://www.cvedetails.com/cve/CVE-2025-42999/
https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
Published: Wed May 14 13:54:04 2025 by llama3.2 3B Q4_K_M