SAP NetWeaver vulnerability: Ransomware groups jump on the bandwagon
At the end of April, SAP had to patch a critical security vulnerability in NetWeaver. Ransomware groups are now exploiting the flaw as well.
The critical vulnerability in SAP NetWeaver, which prompted SAP to release a fix outside its regular patch schedule, continues to be exploited in several waves. IT security researchers are now observing that ransomware groups have added the vulnerability to their repertoire.
In a recent analysis, the researchers at EclecticIQ attribute the ransomware attacks observed since the end of April to Chinese APTs (Advanced Persistent Threats). They see the cyber espionage units UNC5221, UNC5174 and CL-STA-0048 behind the attacks; Palo Alto Networks, for example, links these groups to the Chinese Ministry of State Security. The analysis provides insights into the individual attacks and into the malware and backdoors the attackers installed after a successful intrusion.
ReliaQuest's analysts have also identified Chinese threat actors. In more recent attacks, however, they have additionally observed the Russian ransomware gang “BianLian” and the operators of the “RansomEXX” ransomware, which Microsoft tracks under the handle “Storm-2460”. RansomEXX distributes a modular backdoor called “PipeMagic”.
Attacks on a global scale
The attacks are being observed worldwide. Criminal groups are abusing the vulnerability in Visual Composer, which allows attackers to upload binary files without prior authentication and thereby execute malicious code on vulnerable systems (CVE-2025-31324 / EUVD-2025-11987, CVSS 10.0, risk “critical”).
IT managers who have not yet installed the updated software should do so as soon as possible. Both analyses also include Indicators of Compromise (IOCs), which admins can use to check whether their systems have been attacked.
At the end of April, SAP issued an emergency update for the security vulnerability in NetWeaver, as it was already under active attack. A few days later, there were still hundreds of vulnerable servers reachable on the internet.
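As an added defender-side illustration (not code from the article or from either vendor analysis): a small Python log-hunting script that flags the pattern described above, an upload accepted without any session cookie, followed by a request for a JSP file from the same source address. The upload path placeholder, the log format with a logged Cookie field, and the sample lines are all assumptions constructed for this example.

```python
import re

# Placeholder: substitute the Visual Composer upload path named in SAP's
# advisory and the vendors' IoC lists (assumption, not taken from the article).
UPLOAD_ENDPOINT = "/VC_UPLOAD_ENDPOINT"

# Combined log format plus one extra quoted field holding the request's Cookie
# header; assumes the reverse proxy or Web Dispatcher is configured to log it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines for the demo, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:12 +0000] "POST /VC_UPLOAD_ENDPOINT HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
198.51.100.9 - - [29/Apr/2025:10:02:40 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "JSESSIONID=abc"
203.0.113.7 - - [29/Apr/2025:10:03:05 +0000] "GET /irj/dropped.jsp HTTP/1.1" 200 64 "-" "python-requests/2.31" "-"
192.0.2.5 - - [29/Apr/2025:10:04:00 +0000] "POST /VC_UPLOAD_ENDPOINT HTTP/1.1" 200 300 "-" "Mozilla/5.0" "JSESSIONID=def"
"""

def has_session(cookie: str) -> bool:
    """True if the request carried a J2EE/SAP session cookie (i.e. was authenticated)."""
    return "SESSIONID=" in cookie.upper()

def find_suspicious(log_text: str, upload_endpoint: str = UPLOAD_ENDPOINT) -> list:
    """Flag successful uploads without a session, then JSP hits from the same source."""
    findings, upload_sources = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, method, path = m["ip"], m["method"], m["path"]
        status, cookie = int(m["status"]), m["cookie"]
        if method == "POST" and path.startswith(upload_endpoint) and status < 300 and not has_session(cookie):
            upload_sources.add(ip)
            findings.append({"ip": ip, "ts": m["ts"], "path": path, "reason": "unauthenticated upload accepted"})
        elif ip in upload_sources and path.split("?")[0].lower().endswith(".jsp"):
            findings.append({"ip": ip, "ts": m["ts"], "path": path, "reason": "JSP requested after unauthenticated upload"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Any hit from the first rule is worth treating as a probable compromise even without a follow-up JSP request, since a successful unauthenticated upload is the precondition the article describes.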
(dmk)