Ransomware Groups, Chinese APTs Exploit Recent SAP NetWeaver Flaws

By admin, May 15, 2025
At least two ransomware groups and multiple Chinese APTs have been observed targeting two vulnerabilities that were recently patched in SAP NetWeaver.

The issues, tracked as CVE-2025-31324 (CVSS score of 10.0) and CVE-2025-42999 (CVSS score of 9.1), affect NetWeaver’s Visual Composer development server component and can be exploited by remote, unauthenticated attackers to execute arbitrary code.

In-the-wild attacks have been ongoing since January, months before a patch was available: threat actors exploited the bugs to deploy webshells, which were then used for follow-up activity. Opportunistic attackers were also seen hijacking the webshells left behind by the initial, zero-day attacks rather than exploiting the flaws themselves.
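As an added illustration (this is not code from the article or from SecurityWeek, EclecticIQ or ReliaQuest), the following Python script triages a web access log for the chain described above and for the “monitor suspicious activity” advice later in the piece: an unauthenticated POST to the Visual Composer development server’s upload endpoint, a subsequent request to a JSP webshell from the same source, and later use of that same webshell from a different address, which is the opportunistic reuse the paragraph mentions. The endpoint path, the combined-log line format and the log lines themselves are assumptions constructed for the example; substitute whatever your reverse proxy or ICM logs actually record.

```python
import re

# Assumption for this example: the upload endpoint of the Visual Composer
# development server component. Adjust to the path seen in your own logs.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-log-style line; a constructed format, not SAP's native ICM layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A request whose path ends in .jsp, with or without a query string.
JSP_RE = re.compile(r'\.jsp(?:$|\?)', re.IGNORECASE)

# Constructed sample log for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2025:02:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [28/Apr/2025:02:14:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87
198.51.100.7 - - [28/Apr/2025:03:40:12 +0000] "GET /irj/portal HTTP/1.1" 200 4096
192.0.2.55 - - [29/Apr/2025:11:02:31 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 91
198.51.100.7 - - [29/Apr/2025:11:05:00 +0000] "GET /irj/portal/logon HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path_only"] = ev["path"].split("?", 1)[0]
    return ev


def analyze(log_text):
    """Walk the log in order and return a list of findings.

    Finding kinds:
      uploader_post    POST to the unauthenticated upload endpoint (initial access)
      webshell_access  JSP request from an IP that also hit the uploader
      webshell_reuse   JSP request after an upload, from an IP that never hit the
                       uploader (the opportunistic follow-on actor)
      jsp_with_args    JSP request carrying a query string before any upload was
                       seen (a shell possibly dropped before this log window)
    """
    findings = []
    upload_seen = False
    upload_ips = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path_only"].lower() == UPLOADER_PATH:
            upload_seen = True
            upload_ips.add(ev["ip"])
            findings.append({"kind": "uploader_post", "ip": ev["ip"], "ts": ev["ts"],
                             "path": ev["path"], "status": ev["status"]})
            continue
        if not JSP_RE.search(ev["path"]):
            continue
        if ev["ip"] in upload_ips:
            kind = "webshell_access"
        elif upload_seen:
            kind = "webshell_reuse"
        elif "?" in ev["path"]:
            kind = "jsp_with_args"
        else:
            continue
        findings.append({"kind": kind, "ip": ev["ip"], "ts": ev["ts"],
                         "path": ev["path"], "status": ev["status"]})
    return findings


def reused_webshells(findings):
    """Map JSP path -> set of IPs that used it; only paths hit by more than one IP."""
    users = {}
    for f in findings:
        if f["kind"] in ("webshell_access", "webshell_reuse"):
            users.setdefault(f["path"].split("?", 1)[0].lower(), set()).add(f["ip"])
    return {p: ips for p, ips in users.items() if len(ips) > 1}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['kind']:16} {f['ip']:14} {f['ts']}  {f['path']}")
    print("webshells used by more than one source:", reused_webshells(results))
```

The point of keying on the uploader POST rather than on any single webshell name is that, as the article notes, the shells were being abused by actors other than the ones who dropped them; a shell path seen from two unrelated addresses is a stronger signal than a status code on the upload itself, which will look successful on an unpatched system.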

SAP initially rolled out patches for CVE-2025-31324 on April 24. It updated the initial security note and also addressed CVE-2025-42999 this week, as part of its May 2025 Security Patch Day.

On May 8, Forescout warned that a Chinese threat actor tracked as Chaya_004 had been targeting vulnerable NetWeaver instances since April 29; on Tuesday, EclecticIQ reported that multiple Chinese APTs exploited the two flaws in April against critical infrastructure networks.

Chinese APT activity

“EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221, UNC5174, and CL-STA-0048, based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers assess that these groups connect to China’s Ministry of State Security (MSS) or affiliated private entities,” the cybersecurity firm notes.

A Chinese group not yet attributed to a named cluster used a mass reconnaissance tool to identify 581 NetWeaver servers backdoored with webshells and 1,800 domains running NetWeaver. It likely targeted government, oil and gas, waste management, and advanced medical device manufacturing entities in the UK, US, and Saudi Arabia.


CL-STA-0048, seen last year exploiting an Ivanti CSA zero-day, was observed issuing thousands of malicious commands to compromised NetWeaver instances, for network-level discovery and SAP-specific application mapping, likely in preparation for lateral movement.

UNC5221 was seen abusing a webshell to execute remote commands and to fetch, from AWS S3 infrastructure, the Rust-based malware loader KrustyLoader, which is typically used to drop Sliver backdoors. The same loader was previously seen in Ivanti VPN zero-day attacks earlier this year.

UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse. The hacking group likely operates as an initial access broker.

“EclecticIQ analysts assess with high confidence that China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally,” the security firm notes.

Ransomware activity

On Wednesday, ReliaQuest, which discovered CVE-2025-31324, warned that the ransomware groups BianLian and RansomEXX have been involved in the exploitation of vulnerable NetWeaver servers.

“We assess with moderate confidence that BianLian was involved in at least one incident,” the cybersecurity firm notes after linking an IP address to a command-and-control (C&C) server used by the ransomware gang.

First observed in attacks in June 2022, BianLian has targeted critical infrastructure organizations and private entities in the US and abroad. The group steals victim data and uses it for extortion.

It is worth noting that BianLian has not been active for more than a month, and that its Tor-based leak site has been inaccessible since March 31. Security researcher Dominic Alvieri has told SecurityWeek that BianLian and other ransomware groups may be in the process of “reshuffling”.

RansomEXX, also tracked as Storm-2460, is known for using the modular backdoor named PipeMagic. ReliaQuest observed the deployment of a PipeMagic sample beaconing to a known RansomEXX domain.

The infection occurred within hours of the start of mass exploitation of the webshells deployed on compromised NetWeaver instances, and it involved the Brute Ratel C2 framework.

“The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses,” ReliaQuest says.

“May 2025’s SAP Patch Day highlights several serious vulnerabilities in legacy UI components, authorization frameworks, and interface layers. With two CVEs at or near the maximum CVSS score, and multiple system-level flaws, timely patching is imperative. Organizations are encouraged to perform thorough system reviews, deprecate outdated Java-based components (such as those in Live Auction Cockpit), and adopt SAP’s recommended hardening practices,”  Pathlock security analyst Jonathan Stross said in an emailed comment.

