At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver tracked as CVE-2025-31324, indicating that multiple threat actors are taking advantage of the bug.
Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.
BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group.
"We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable," the company said. "This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associated with BianLian, sharing identical certificates and ports."
ReliaQuest said it also observed the deployment of a plugin-based trojan dubbed PipeMagic, which was most recently used in connection with the zero-day exploitation of a privilege escalation bug (CVE-2025-29824) in the Windows Common Log File System (CLFS) in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.
The attacks involved the delivery of PipeMagic by means of web shells dropped following the exploitation of the SAP NetWeaver flaw.
"Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution," ReliaQuest said. "During this activity, a dllhost.exe process was spawned, signaling exploitation of the CLFS vulnerability (CVE-2025-29824), which the group had previously exploited, with this being a new attempt to exploit it via inline assembly."
The findings come a day after EclecticIQ disclosed that multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048 are actively exploiting CVE-2025-31324 to drop various malicious payloads.
SAP security company Onapsis revealed that threat actors have also been exploiting CVE-2025-31324 alongside a deserialization flaw in the same component (CVE-2025-42999) since March 2025, adding the new patch fixes the root cause of CVE-2025-31324.
"There is little practical difference between CVE-2025-31324 and CVE-2025-42999 as long as CVE-2025-31324 is available for exploitation," ReliaQuest said in a statement shared with The Hacker News.
"CVE-2025-42999 indicates higher privileges would be required, however, CVE-2025-31324 affords full system access regardless. A threat actor could exploit both vulnerabilities in an authenticated and unauthenticated user in the same way. Therefore, the remediation advice is the same for both CVEs."
Update
In a new analysis, OP Innovate has disclosed that it identified evidence of CVE-2025-31324 (and by extension CVE-2025-42999) being exploited by threat actors tied to the Qilin ransomware operation at least three weeks before details of the bug became public knowledge.
"Weeks before CVE-2025-31324 appeared in public advisories, an attacker exploited the vulnerable Metadata Uploader endpoint within SAP NetWeaver," the Israeli company said. "The attacker uploaded several JSP-based webshells to the SAP IRJ directory."
The attacker is said to have then initiated outbound communication with Cobalt Strike command-and-control (C2) infrastructure, downloaded a reverse SOCKS5 tunneling tool ("rs64c.exe") from the IP address 184[.]174[.]96[.]74. Interestingly, the same indicators of compromise have been attributed by ReliaQuest to the BianLian data extortion group.
"The attacker's use of IP address 184[.]174[.]96[.]74 and the tool rs64c.exe closely matches infrastructure and tools previously associated with Qilin, a Russian-speaking ransomware-as-a-service (RaaS) group," Matan Matalon, CISO and Head of IR at OP Innovate, said.
"In both incidents, the attacker successfully gained initial access and remote code execution by exploiting CVE-2025-31324. However, post-exploitation efforts failed completely in both cases."
The findings reflect the growing interest in weaponizing high-profile vulnerabilities for financial gain, not to mention a widening of cyber intrusions exploiting the SAP NetWeaver flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on Thursday, added CVE-2025-42999 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 5, 2025.
(The story was updated after publication to include additional details of the exploitation activity.)
