SAP NetWeaver, a core enterprise platform, is under active attack. Two dangerous vulnerabilities—CVE-2025-31324 (CVSS 10) and CVE-2025-42999 (CVSS 9.1)—have drawn the attention of ransomware groups and Chinese APTs. These flaws allow remote code execution without needing to log in, exposing thousands of systems worldwide.
Real-World Exploits and Zero-Day Webshells
Since January, attackers have used these bugs to plant webshells on vulnerable systems. These webshells gave them access to internal networks. Opportunistic attackers also joined in, hijacking webshells from earlier zero-day attacks to gain entry.
SAP issued a fix for CVE-2025-31324 on April 24. It followed up with a patch for CVE-2025-42999 during its May 2025 Patch Day. But by then, many systems had already been compromised.
Chinese APTs Move Fast
Security firms Forescout and EclecticIQ say multiple Chinese threat groups exploited the bugs in April. These include UNC5221, UNC5174, and CL-STA-0048. Researchers believe these actors are tied to China’s Ministry of State Security (MSS) or private affiliates.
Using reconnaissance tools, one group scanned the internet and found over 1,800 domains running SAP NetWeaver. More than 580 servers were already backdoored. Their targets? Government agencies, energy firms, and advanced manufacturing companies in the UK, US, and Saudi Arabia.
Group CL-STA-0048, known from the Ivanti zero-day campaign, sent thousands of malicious commands to map networks and SAP apps—likely to prep for deeper access.
UNC5221 used a planted webshell to launch KrustyLoader, a Rust-based tool that delivers the Sliver backdoor. The same tools were used earlier this year in attacks on Ivanti VPN systems.
Meanwhile, UNC5174 deployed a different malware set. This included Snowlight, the VShell remote access trojan, and a custom SSH backdoor known as Goreverse. Researchers believe this group sells access to other criminals.
EclecticIQ warns that Chinese APTs will keep targeting enterprise tools like SAP. Their goal is long-term, stealthy access to critical infrastructure.
Ransomware Gangs Join the Exploits
The SAP bugs also attracted financially motivated attackers. Cybersecurity firm ReliaQuest, which found CVE-2025-31324, reports that two ransomware groups—BianLian and RansomEXX—have already used the exploit.
ReliaQuest links an IP address tied to BianLian’s command server to a recent SAP attack. This group, active since 2022, steals data and extorts victims rather than just encrypting files. However, they’ve gone quiet since March, and their leak site vanished. Some analysts believe the group may be regrouping.
RansomEXX, also known as Storm-2460, deployed a tool called PipeMagic. This modular backdoor was spotted reaching out to a known RansomEXX server. The attackers also used Brute Ratel, a framework that mimics real-world attack techniques to evade detection.
Patch Now or Risk Massive Damage
Security teams stress that this wave of attacks shows a troubling shift. Nation-state hackers and ransomware groups are both racing to exploit the same vulnerabilities.
To reduce risk, organizations should:
- Apply the latest SAP patches immediately
- Monitor exposed NetWeaver servers
- Deprecate outdated components like Java-based Live Auction Cockpit
- Follow SAP’s hardening guidelines
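One way to act on the monitoring step above, as an added example that is not the article's or SAP's own tooling: a short Python scan of HTTP access logs (assumed Apache-style format; the log lines and `/example/...` paths are constructed placeholders, not SAP's real endpoints) for the plant-then-use webshell pattern the article describes, including a second address reusing a shell someone else planted.

```python
import re

# Constructed sample log lines (not from the article). The upload URL and the
# helper.jsp path are placeholders standing in for whatever your server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /example/uploader?file=helper.jsp HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:01:05 +0000] "GET /example/helper.jsp HTTP/1.1" 200 210
198.51.100.3 - - [24/Apr/2025:10:02:00 +0000] "GET /example/helper.jsp?x=1 HTTP/1.1" 200 210
192.0.2.9 - - [24/Apr/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 9001
"""

# Assumed Apache/NCSA-style line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Server-side script extensions a Java application server would execute.
SCRIPT_EXT = (".jsp", ".jspx", ".jsw", ".jsv")


def find_webshell_activity(log_text):
    """Return (kind, ip, target) findings in log order.

    'upload': a successful POST whose URL names a script file (a likely drop);
    'use':    any later request whose path ends in a file name seen in such a POST,
              whoever sends it (a hijacked shell looks the same as the planter's use).
    """
    findings = []
    planted = set()  # lowercase basenames of script files named in POST URLs
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ip, method, target = m["ip"], m["method"], m["target"]
        path = target.split("?", 1)[0]
        names = [n.lower() for n in re.findall(r"[\w.-]+", target)
                 if n.lower().endswith(SCRIPT_EXT)]
        if method == "POST" and names and int(m["status"]) < 400:
            planted.update(names)
            findings.append(("upload", ip, target))
        elif path.lower().rsplit("/", 1)[-1] in planted:
            findings.append(("use", ip, target))
    return findings


if __name__ == "__main__":
    for kind, ip, target in find_webshell_activity(SAMPLE_LOG):
        print(f"{kind:7} {ip:15} {target}")
```

Run it against real ICM or reverse-proxy logs by adjusting `LOG_RE` to the format you actually collect; a 'use' hit from an address that never uploaded anything is the opportunistic hijacking the article mentions.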
As Jonathan Stross of Pathlock notes, the latest Patch Day addressed major flaws in UI elements, access controls, and interface layers. With multiple CVEs scoring near maximum severity, delayed patching is no longer an option.