- BianLian, RansomEXX and others jump on the NetWeaver train
- At the end of April, SAP patched a 10/10 bug in the Metadata Uploader of NetWeaver Visual Composer
- Researchers say there are 1,200 vulnerable instances
Several ransomware operators are trying to take advantage of the recently discovered maximum-severity flaw affecting SAP NetWeaver Visual Composer. This is according to, among others, ReliaQuest, a cybersecurity company that also reported on the initial flaw.
At the end of April, security researchers said that more than 1,200 SAP instances were at risk of being hijacked, due to a maximum-severity vulnerability found in the Metadata Uploader component of NetWeaver Visual Composer.
The bug stems from the fact that the uploader was not protected by proper authorization, allowing unauthenticated actors to upload malicious executables.
Multiple critical flaws
The bug is tracked as CVE-2025-31324, and despite SAP releasing a patch fairly quickly, several attacks have been spotted in the wild.
Now ReliaQuest says it has seen evidence suggesting the involvement of BianLian and RansomEXX, two known ransomware families. Other researchers also claim that Chinese state-sponsored actors were active as well. “We assess with moderate confidence that BianLian was involved in at least one incident,” said ReliaQuest. “In a separate incident, we observed the deployment of ‘PipeMagic,’ a modular backdoor linked to RansomEXX.”
The researchers also said that the miscreants moved quickly, with the malware being deployed “only a few hours after global exploitation”.
Earlier this week, SAP patched a separate critical zero-day vulnerability in NetWeaver server. This one, it said, was chained in attacks targeting some of the largest companies in the world. It is tracked as CVE-2025-42999 and carries a severity score of 9.1/10 (critical). Also found in NetWeaver Visual Composer's Metadata Uploader, the bug allows a privileged user to upload untrusted or malicious content which, “when deserialized, could potentially lead to a compromise of confidentiality, integrity and availability of the host system”.
SAP said it found this bug while analyzing the maximum-severity flaw. The two have reportedly been abused in attacks since January 2025.
Via BleepingComputer