- BianLian, RansomEXX, and others, are jumping the NetWeaver bandwagon
- In late April, SAP fixed a 10/10 bug in NetWeaver Visual Composer Metadata Uploader
- Researchers claim there are 1,200 vulnerable instances
Multiple ransomware operators are trying to take advantage of the recently discovered, maximum severity flaw, affecting SAP NetWeaver Visual Composer. This is according to, among others, ReliaQuest, a cybersecurity company that also reported on the initial flaw.
In late April, security researchers reported that more than 1,200 SAP instances were at risk of being hijacked, due to a maximum severity vulnerability found in NetWeaver Visual Composer’s Metadata Uploader component.
The bug stems from the fact that the uploader was not protected with proper authorization, allowing unauthenticated actors to upload malicious executables.
Multiple critical flaws
The bug is tracked as CVE-2025-31324, and despite SAP releasing a patch rather fast, multiple in-the-wild attacks were spotted.
Now, ReliaQuest said it saw evidence suggesting involvement from BianLian and RansomEXX, two known ransomware families. Other researchers also claim Chinese state-sponsored actors were in on the action, as well. “We assess with moderate confidence that BianLian was involved in at least one incident,” ReliaQuest said. “In a separate incident, we observed the deployment of “PipeMagic,” a modular backdoor linked to RansomEXX.”
The researchers also said that the miscreants moved fast, with the malware being deployed “just hours after global exploitation”.
Earlier this week, SAP patched a separate, also critical, zero-day vulnerability in NetWeaver server. This one, it said, was being chained in attacks targeting some of the world’s biggest enterprises. It is tracked as CVE-2025-42999, and carries a severity score of 9.1/10 (critical). Also discovered in the NetWeaver Visual Composer Metadata Uploader, the bug allows a privileged user to upload untrusted or malicious content which, “when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.”
SAP said it found this bug when analyzing the maximum severity one. Both were allegedly being abused in attacks since January 2025.
Via BleepingComputer
Leave a comment