A newly discovered security hole in SAP’s NetWeaver platform is now being misused by cybercriminals, including ransomware gangs. This flaw allows attackers to run harmful commands on vulnerable systems from a distance—without even needing to log in.
SAP issued urgent software updates on April 24 after learning about the flaw, found in NetWeaver’s Visual Composer tool. The weakness, labeled CVE-2025-31324, makes it possible for attackers to upload files containing malware. Once inside, they can take full control of the affected system.
ReliaQuest, a cybersecurity firm that tracked this issue, now says that two known ransomware groups, RansomEXX and BianLian have joined in. Although they haven’t yet successfully launched any ransomware in these cases, their involvement shows that multiple criminal groups are watching this flaw closely.
Investigators linked BianLian to at least one incident using an IP address tied to their past operations. In another case, RansomEXX attackers used a backdoor tool called PipeMagic and also took advantage of a previously known bug in Microsoft’s Windows system (CVE-2025-29824).
Even though their first effort didn’t succeed, the attackers made another attempt using a powerful hacking framework called Brute Ratel. They delivered it using a built-in Microsoft function called MSBuild, which helped them run the attack in a sneaky way.
More recently, security teams from Forescout and EclecticIQ connected this activity to hackers linked to China. These groups, tr
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.