The SAP NetWeaver vulnerability case took an interesting turn Wednesday when the Russian ransomware group BianLian and the operators of RansomEXX were tied to exploitation of the NetWeaver bug.

The news of exploitation by Russian ransomware gangs contrasts with recent reports by Forescout Vedere Labs that China-based threat groups were involved in the attack chain.

The research community has been interested in the SAP NetWeaver bugs since the Shadowserver Foundation reported on April 27 in a Tweet that more than 400 NetWeaver servers were publicly exposed on the open internet.

ReliaQuest issued a May 14 update to its original late-April NetWeaver research on CVE-2025-31324, reporting that BianLian was involved in at least one incident involving the bug in which the threat group set up reverse proxy services. In a separate incident, ReliaQuest also found that RansomEXX delivered the modular backdoor malware PipeMagic, which was executed via MSBuild abuse.

“CVE-2025-31324 has emerged as a high-value target for threat actors, with multiple groups pursuing opportunistic attacks, likely aiming to deploy ransomware or gain access to sensitive enterprise systems for extortion,” wrote the ReliaQuest researchers. “The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain.”

Security teams were advised to immediately apply the patches issued by SAP.
The large enterprise resource planning software maker patched CVE-2025-31324 on April 24 and, on May 12, released a patch for a second zero-day it discovered, CVE-2025-42999.

Jason Soroko, senior fellow at Sectigo, explained that the second SAP zero-day in NetWeaver Visual Composer, CVE-2025-42999, was uncovered during forensics on the file-upload flaw CVE-2025-31324. Soroko said Onapsis reported that attackers have chained a missing authorization check with an insecure deserialization flaw since January, achieving remote code execution as the admin user and widening access to business data. He said the discovery signals that further review of the Visual Composer upload and serialization code is still underway and that additional notes may follow, so customers should expect an accelerated patch cycle through at least Q3 2025.

“The takeaway for defenders is that attribution no longer matters,” said Soroko. “The exploit is circulating across both espionage and extortion ecosystems, so every unpatched server is in danger. Treat CVE-2025-31324 as the initial access vector, hunt for Visual Composer web-shell names such as helper.jsp and the PipeMagic callback domain, and watch for outbound traffic to the BianLian proxy range.”

Jonathan Stross, an SAP security analyst at Pathlock, added that organizations using SAP NetWeaver Visual Composer should apply the new patch for CVE-2025-42999 in parallel with the one for CVE-2025-31324.

“The situation is drawing significant attention, and with APTs now involved, it’s becoming even more alarming,” said Stross. “Nevertheless, we need to stay focused on core cybersecurity fundamentals, such as monitoring unusual SAP-related traffic to public-facing endpoints. Firewalls and traffic inspection aren’t new concepts in IT, and the same rules apply to SAP.”
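The two hunting signals the analysts describe above, requests to known web-shell names such as helper.jsp and unexpected uploads to the public-facing Visual Composer endpoint, can be checked directly in web-server access logs. The script below is an added example written for this article; it is not code from SAP, ReliaQuest, Sectigo or Pathlock. The log lines are constructed, the trusted network range and the second web-shell name are placeholders, and the Visual Composer upload path is a placeholder to be replaced with the endpoint named in SAP's security note (the article itself does not give it).

```python
"""Hunt for Visual Composer web-shell indicators in web access logs.

Added example, not from the article or from any vendor. Flags two things:
  1. any request to a known web-shell file name (helper.jsp is named in the
     article; the other entry is an illustrative placeholder), and
  2. a POST to the Visual Composer upload endpoint from an address outside
     the ranges where administrative uploads are expected.
Sample log lines are constructed; source addresses use RFC 5737 ranges.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# helper.jsp comes from the article; the second name is a placeholder to be
# replaced with names from the current incident-response indicator list.
WEBSHELL_NAMES = {"helper.jsp", "PLACEHOLDER_shell.jsp"}

# Placeholder (assumption, not from the article): substitute the real
# Visual Composer upload path from SAP's security note for CVE-2025-31324.
UPLOAD_ENDPOINT = "/PLACEHOLDER/visual-composer-upload"

# Constructed: networks from which uploads are legitimately expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip):
    """True if the source address falls inside an expected upload network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(entry):
    """Return a reason string if the request is suspicious, else None."""
    path = entry["path"].split("?", 1)[0]          # drop the query string
    name = path.rsplit("/", 1)[-1].lower()         # file name component
    if name in {n.lower() for n in WEBSHELL_NAMES}:
        return "request to known web-shell name"
    if (entry["method"] == "POST" and path.startswith(UPLOAD_ENDPOINT)
            and not is_trusted(entry["ip"])):
        return "upload endpoint POST from untrusted address"
    return None


def hunt(lines):
    """Run the two checks over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                               # skip unparseable lines
        reason = classify(entry)
        if reason:
            findings.append(Finding(entry["ip"], entry["ts"], entry["method"],
                                    entry["path"], entry["status"], reason))
    return findings


def summarize(findings):
    """Count findings per source address so the noisiest hosts surface first."""
    return Counter(f.ip for f in findings).most_common()


# Constructed sample log: one trusted admin upload, one untrusted upload
# followed by a hit on helper.jsp, ordinary portal traffic, and a junk line.
SAMPLE_LOG = [
    '10.1.2.3 - - [14/May/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/May/2025:09:13:44 +0000] "POST /PLACEHOLDER/visual-composer-upload?CONTENTTYPE=MODEL HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2025:09:14:02 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.9 - - [14/May/2025:09:20:15 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '10.1.2.3 - - [14/May/2025:09:21:00 +0000] "POST /PLACEHOLDER/visual-composer-upload HTTP/1.1" 200 400',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.reason}")
    print("per-source counts:", summarize(found))
```

Feeding the constructed sample through `hunt` yields two findings, both from 203.0.113.7: the upload POST from outside the trusted range and the subsequent request to helper.jsp, while the same POST from the trusted 10.0.0.0/8 range is left alone. Against real logs the name list and trusted networks are the two knobs to tune, and the per-source summary is what you would pivot on when checking for follow-on activity such as the outbound proxy traffic the article mentions.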