Criticism SAP NetWeaver Vulnerability Now Used in Ransomware Attacks

By Netvora Tech News

---

A critical vulnerability in SAP NetWeaver, initially intended for cyber espionage, is now being exploited by ransomware groups, according to cybersecurity firm ReliaQuest. The vulnerability, identified as CVE-2025-31324, has been used in attacks by the ransomware groups BianLian and RansomEXX.

SAP released an emergency patch on April 24, but misuse of the vulnerability is believed to have started as early as January. "The involvement of groups like BianLian and RansomEXX highlights the growing interest in using high-profile vulnerabilities for financial gain," said ReliaQuest. "These developments underscore the need for organizations to roll out patches promptly, monitor suspicious activity, and sharpen their defenses."

Ransomware Groups and APTs Exploit Vulnerability

Cybersecurity firm EclecticIQ has released an analysis stating that various advanced persistent threats (APTs) linked to China are also exploiting the vulnerability. These groups are actively seeking out vulnerable systems and launching attacks against critical infrastructure systems, including gas distribution networks, water treatment plants, oil companies, and government agencies in the United Kingdom, United States, and Saudi Arabia.

Update for Another Critical SAP NetWeaver Vulnerability

In an earlier update, SAP released a patch for another critical SAP NetWeaver vulnerability (CVE-2025-42999). According to security firm Onapsis, which discovered the issue and reported it to SAP, this update resolves the main cause of CVE-2025-31324.

SAP NetWeaver is a platform for running SAP applications widely used in many business environments.

• ReliaQuest
• EclecticIQ
• Onapsis