At least two ransomware groups and multiple Chinese APTs have been observed targeting two vulnerabilities that were recently patched in SAP NetWeaver.
The issues, tracked as CVE-2025-31324 (CVSS score of 10) and CVE-2025-42999 (CVSS score of 9.1), impact NetWeaver’s Visual Composer development server component and can be exploited by remote attackers to execute arbitrary code without authentication.
In-the-wild attacks have been ongoing since January, with threat actors targeting the bugs to deploy webshells that were then abused for follow-up activities. Opportunistic attackers were also seen targeting the webshells deployed during the initial, zero-day attacks.
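The two-stage pattern described above, a webshell dropped first and then abused by the original and by opportunistic actors, leaves a recognisable trace in web access logs: a server-side script path that is first requested shortly after a successful upload-style POST, and then hit from more than one source. The following Python script is an added example written for this article, not code from SAP, ReliaQuest or any of the vendors quoted; the upload endpoint, script paths, IP addresses and log lines are all constructed placeholders, and a real deployment would substitute the application's actual upload endpoints and an inventory of legitimate script files.

```python
"""Flag server-side script paths that first appear after an upload-style POST
and are then requested repeatedly, a pattern consistent with webshell
deployment followed by follow-up use.  Example code; all endpoint names,
paths and log lines below are constructed, not taken from the article."""
import re
from datetime import datetime

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_EXT = (".jsp", ".jspx")             # server-side script types to watch
UPLOAD_ENDPOINTS = {"/example-app/upload"}  # placeholder; substitute real upload paths

# Constructed sample log (deliberately not in time order to exercise sorting).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2025:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/May/2025:10:01:00 +0000] "GET /app/old.jsp HTTP/1.1" 404 210',
    '198.51.100.7 - - [12/May/2025:10:02:00 +0000] "POST /example-app/upload HTTP/1.1" 200 42',
    '198.51.100.7 - - [12/May/2025:10:02:30 +0000] "GET /example-app/helper.jsp?a=1 HTTP/1.1" 200 64',
    '203.0.113.9 - - [12/May/2025:11:15:00 +0000] "GET /example-app/helper.jsp HTTP/1.1" 200 64',
    '192.0.2.33 - - [12/May/2025:09:30:00 +0000] "GET /app/report.jsp HTTP/1.1" 200 900',
]
# Inventory of scripts known to ship with the application (constructed).
KNOWN_SCRIPTS = {"/app/index.jsp"}


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so the same script is counted under one path.
    event["path"] = event["target"].split("?", 1)[0]
    return event


def find_suspects(lines, known_scripts):
    """Return {path: details} for unknown script paths first served (HTTP 200)
    after a successful upload-style POST, with hit and source-IP counts."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    last_upload = None
    suspects = {}
    for e in events:
        if (e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS
                and e["status"] in ("200", "201")):
            last_upload = e
            continue
        if not e["path"].lower().endswith(SCRIPT_EXT) or e["path"] in known_scripts:
            continue
        if e["path"] in suspects:
            # Follow-up use of an already-flagged script: count hits and sources.
            suspects[e["path"]]["hits"] += 1
            suspects[e["path"]]["sources"].add(e["ip"])
        elif last_upload is not None and e["status"] == "200":
            # First successful request for an unknown script after an upload.
            suspects[e["path"]] = {
                "first_seen": e["ts"],
                "upload_ts": last_upload["ts"],
                "upload_ip": last_upload["ip"],
                "hits": 1,
                "sources": {e["ip"]},
            }
    return suspects


if __name__ == "__main__":
    for path, info in find_suspects(SAMPLE_LOG, KNOWN_SCRIPTS).items():
        print(f"{path}: first seen {info['first_seen'].isoformat()} "
              f"({(info['first_seen'] - info['upload_ts']).total_seconds():.0f}s after "
              f"upload from {info['upload_ip']}), {info['hits']} hits from "
              f"{len(info['sources'])} source(s)")
```

Scripts that were already being served before any upload (`/app/report.jsp` in the sample) and requests that returned 404 (scanner noise) are not flagged; the one suspect is reported with the upload that preceded it and the number of distinct sources that went on to use it, which is the signal that separates a lone deployment from the kind of opportunistic reuse the article describes.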
SAP initially rolled out patches for CVE-2025-31324 on April 24. It updated the initial security note and also addressed CVE-2025-42999 this week, as part of its May 2025 Security Patch Day.
On May 8, Forescout warned that a Chinese threat actor tracked as Chaya_004 has targeted vulnerable NetWeaver instances since April 29, but EclecticIQ on Tuesday warned that multiple Chinese APTs exploited the two flaws in April against critical infrastructure networks.
Chinese APT activity
“EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221, UNC5174, and CL-STA-0048, based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers assess that these groups connect to China’s Ministry of State Security (MSS) or affiliated private entities,” the cybersecurity firm notes.
An unclassified Chinese group has used a mass reconnaissance tool to identify 581 NetWeaver servers backdoored with webshells and 1,800 domains running NetWeaver. It likely targeted government, gas and oil, waste management, and advanced medical device manufacturing entities in the UK, US, and Saudi Arabia.
CL-STA-0048, seen last year exploiting an Ivanti CSA zero-day, was observed issuing thousands of malicious commands to compromised NetWeaver instances, for network-level discovery and SAP-specific application mapping, likely in preparation for lateral movement.
UNC5221 was seen abusing a webshell to execute remote commands and fetch from an AWS S3 infrastructure the Rust-based malware loader KrustyLoader, which is typically used for dropping Sliver backdoors. The loader was previously seen in Ivanti VPN zero-day attacks earlier this year.
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse. The hacking group likely operates as an initial access broker.
“EclecticIQ analysts assess with high confidence that China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally,” the security firm notes.
Ransomware activity
On Wednesday, ReliaQuest, which discovered CVE-2025-31324, warned that the ransomware groups BianLian and RansomEXX have been involved in the exploitation of vulnerable NetWeaver servers.
“We assess with moderate confidence that BianLian was involved in at least one incident,” the cybersecurity firm notes after linking an IP address to a command-and-control (C&C) server used by the ransomware gang.
First observed in attacks in June 2022, BianLian was seen targeting critical infrastructure organizations and private entities in the US and abroad. The group has been stealing victim data, using it for extortion.
It is worth noting that BianLian has not been active for more than a month, and that its Tor-based leak site has been inaccessible since March 31. Security researcher Dominic Alvieri has told SecurityWeek that BianLian and other ransomware groups may be in the process of “reshuffling”.
RansomEXX, also tracked as Storm-2460, is known for using the modular backdoor named PipeMagic. ReliaQuest observed the deployment of a PipeMagic sample beaconing to a known RansomEXX domain.
The infection occurred within hours after mass exploitation of the webshells deployed on compromised NetWeaver instances began, and it involved the use of the Brute Ratel C2 framework.
“The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses,” ReliaQuest says.
“May 2025’s SAP Patch Day highlights several serious vulnerabilities in legacy UI components, authorization frameworks, and interface layers. With two CVEs at or near the maximum CVSS score, and multiple system-level flaws, timely patching is imperative. Organizations are encouraged to perform thorough system reviews, deprecate outdated Java-based components (such as those in Live Auction Cockpit), and adopt SAP’s recommended hardening practices,” Pathlock security analyst Jonathan Stross said in an emailed comment.