Current Cyber Threats

Update: BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan

Summary:
Recent activity shows that ransomware groups are now exploiting CVE-2025-31324, extending its use beyond the China-linked actors initially associated with the vulnerability. The Russian ransomware group BianLian has been observed using the flaw through reverse proxy infrastructure tied to its known command-and-control servers. In a separate case, operators behind the RansomEXX ransomware, tracked by Microsoft as Storm-2460, deployed their custom PipeMagic backdoor via MSBuild abuse. This campaign included use of the EnumCalendarA callback function and outbound connections to known RansomEXX infrastructure. These intrusions occurred alongside attempts to exploit CVE-2025-29824 through dllhost.exe, incorporating inline assembly techniques previously linked to the group.


Security Officer Comments:
CVE-2025-31324 is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer that enables remote code execution. Initial exploitation involved uploading malicious JSP webshells to the /developmentserver/metadatauploader endpoint. Recent attacks have grown more sophisticated, with threat actors using modular backdoors, Brute Ratel, and evasion techniques such as Heaven’s Gate to maintain persistence and avoid detection.


Suggested Corrections:
  • Check the path “j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/” for suspicious files. Any unauthorized file there could indicate webshell activity or an exploitation attempt and should be removed before mitigations are applied, since a webshell that is left in place stays active and keeps giving the attacker access.
  • Forward SAP NetWeaver logs to a centralized system: Ensure SAP NetWeaver is configured to forward logs to a central monitoring platform, such as a SIEM. Centralized logging enables comprehensive visibility across the environment, aiding in the effective detection of suspicious activities and facilitating faster investigation of potential security incidents.
  • Disable the application alias “developmentserver” and configure firewall rules to restrict access to the development server application URL. This URL is targeted in the initial POST request of the exploit, and restricting access can help mitigate a successful attack.
  • Disable Visual Composer using filters within SAP NetWeaver. Visual Composer is a tool used for creating user interfaces for applications without traditional coding. However, Visual Composer has been deprecated since 2015 and is no longer supported. Therefore, it is recommended to disable it to mitigate the risk of exploitation.
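The first correction (reviewing the servlet_jsp root directory) and the detection angle of the second (centralized logs) can both be turned into a small hunting script. The following Python is an added example written for this summary, not code from the linked article or from SAP; it takes the drop directory and the /developmentserver/metadatauploader endpoint from the text above, and assumes a Common-Log-Format access log and a hypothetical reviewed baseline of expected .jsp files (KNOWN_GOOD_JSP). The sample log lines are constructed with RFC 5737 test addresses.

```python
"""Added example: hunt for CVE-2025-31324 exploitation artefacts on an SAP NetWeaver host.

Two checks taken from the advisory's "Suggested Corrections":
  1. list .jsp/.jspx files in the webshell drop directory that are not on a reviewed baseline;
  2. flag access-log requests that POST to the vulnerable upload endpoint, or that request a
     non-baseline .jsp under the servlet_jsp root (a sign an uploaded file is being used).
The access-log format (Common Log Format) and the baseline file names are assumptions.
"""
import os
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Paths quoted in the advisory.
WEBSHELL_DROP_DIR = "j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/"
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

# Hypothetical reviewed baseline: build it from a known-good install, never from the live server.
KNOWN_GOOD_JSP = frozenset({"index.jsp"})

# Assumed Common Log Format: ip ident user [timestamp] "METHOD target HTTP/x" status bytes
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

Finding = namedtuple("Finding", "kind ip ts target status")


def find_unexpected_jsp(drop_dir, known_good=KNOWN_GOOD_JSP):
    """Return sorted relative paths of .jsp/.jspx files under drop_dir not in the baseline."""
    unexpected = []
    for dirpath, _dirs, files in os.walk(drop_dir):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")) and name not in known_good:
                rel = os.path.relpath(os.path.join(dirpath, name), drop_dir)
                unexpected.append(rel.replace(os.sep, "/"))
    return sorted(unexpected)


def scan_access_log(lines, known_good=KNOWN_GOOD_JSP):
    """Return Findings for POSTs to the upload endpoint and hits on non-baseline .jsp files."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; a production tool should count these
        path = urlsplit(m["target"]).path
        if m["method"] == "POST" and path.rstrip("/") == UPLOAD_ENDPOINT:
            findings.append(Finding("upload_endpoint_post", m["ip"], m["ts"], path, m["status"]))
        elif "/servlet_jsp/irj/root/" in path and path.lower().endswith((".jsp", ".jspx")):
            if os.path.basename(path) not in known_good:
                findings.append(Finding("unexpected_jsp_request", m["ip"], m["ts"], path, m["status"]))
    return findings


# Constructed sample lines (RFC 5737 test addresses); not real telemetry.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2025:10:14:09 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
    '198.51.100.7 - - [12/May/2025:10:14:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/May/2025:10:14:20 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 44',
    '203.0.113.5 - - [12/May/2025:10:15:01 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 2048',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.kind:24} {f.ip:15} {f.ts}  {f.target}  status={f.status}")
    if os.path.isdir(WEBSHELL_DROP_DIR):
        for rel in find_unexpected_jsp(WEBSHELL_DROP_DIR):
            print("unexpected file in drop dir:", rel)
```

Run it on the SAP host (or point `find_unexpected_jsp` at a copied directory) and feed `scan_access_log` the lines your SIEM forwards; a POST to the upload endpoint followed by a GET for a .jsp that is not on the baseline, from the same source, is the sequence the advisory describes and is worth an immediate incident ticket rather than a scheduled review.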

Link(s):
https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html