- BianLian, RansomEXX and others are jumping on the NetWeaver bandwagon
- At the end of April, SAP fixed a 10/10 flaw in NetWeaver Visual Composer Metadata Uploader
- The researchers claim that there are 1,200 vulnerable instances
Multiple ransomware operators are trying to take advantage of the recently discovered maximum-severity flaw affecting SAP NetWeaver Visual Composer. This is according to, among others, ReliaQuest, a cybersecurity company that also reported on the initial flaw.
At the end of April, security researchers reported that more than 1,200 SAP instances were at risk of being hijacked due to a maximum-severity vulnerability found in the NetWeaver Visual Composer Metadata Uploader component.
The flaw stems from the fact that the uploader was not protected with proper authorization, which allows unauthenticated actors to upload malicious executables.
Multiple critical defects
The flaw is tracked as CVE-2025-31324, and although SAP released a patch fairly quickly, multiple attacks were detected in the wild.
Now, ReliaQuest said it saw evidence suggesting the involvement of BianLian and RansomEXX, two known ransomware families. Other researchers also claim that Chinese state-sponsored actors were active as well. “We evaluate with moderate confidence that BianLian was involved in at least one incident,” ReliaQuest said. “In a separate incident, we observe the deployment of ‘PipeMagic’, a modular backdoor linked to RansomEXX.”
The researchers also said that the criminals moved quickly, with the malware deployed “only a few hours after global exploitation.”
Earlier this week, SAP patched a separate, also critical, zero-day vulnerability in NetWeaver servers. This, it said, was chained in attacks aimed at some of the world’s largest companies. It is tracked as CVE-2025-42999 and carries a severity score of 9.1/10 (critical). Also found in the NetWeaver Visual Composer Metadata Uploader, the flaw allows a privileged user to upload untrusted or malicious content that, “when deserialized, could lead to a compromise of confidentiality, integrity and availability of the host system.”
SAP said it found this flaw while analyzing the maximum-severity one. Both were allegedly abused in attacks since January 2025.
Via BleepingComputer