At least two different cybercrime groups, BianLian and RansomExx, are said to have exploited a recently disclosed security flaw in SAP NetWeaver, indicating that multiple threat actors are taking advantage of the bug.
Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is tracked by Microsoft under the moniker Storm-2460.
BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group.
“We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable,” the company said. “This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associated with BianLian, sharing identical certificates and ports.”
ReliaQuest said it also observed the deployment of a plugin-based trojan dubbed PipeMagic, which was most recently used in connection with the zero-day exploitation of a privilege escalation bug (CVE-2025-29824) in the Windows Common Log File System (CLFS) in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.
The attacks involved the delivery of PipeMagic by means of web shells dropped following the exploitation of the SAP NetWeaver flaw.
“Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution,” ReliaQuest said. “During this activity, a dllhost.exe process was spawned, signaling exploitation of the CLFS vulnerability (CVE-2025-29824), which the group had previously exploited, with this being a new attempt to exploit it via inline assembly.”
The findings come a day after EclecticIQ disclosed that multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048 are actively exploiting CVE-2025-31324 to drop various malicious payloads.
SAP security company Onapsis revealed that threat actors have also been exploiting CVE-2025-31324 alongside a deserialization flaw in the same component (CVE-2025-42999) since March 2025, adding that the new patch fixes the root cause of CVE-2025-31324.
“There is little practical difference between CVE-2025-31324 and CVE-2025-42999 as long as CVE-2025-31324 is available for exploitation,” ReliaQuest said in a statement shared with The Hacker News.
“CVE-2025-42999 indicates higher privileges would be required; however, CVE-2025-31324 offers full system access regardless. A threat actor could exploit both vulnerabilities as an authenticated and an unauthenticated user in the same manner. Therefore, the remediation advice is the same for both CVEs.”