At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver, indicating that multiple threat actors are taking advantage of the bug.
Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.
BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group.
“We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable,” the company said. “This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associated with BianLian, sharing identical certificates and ports.”
ReliaQuest said it also observed the deployment of a plugin-based trojan dubbed PipeMagic, which was most recently used in connection with the zero-day exploitation of a privilege escalation bug (CVE-2025-29824) in the Windows Common Log File System (CLFS) in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.
The attacks involved the delivery of PipeMagic by means of web shells dropped following the exploitation of the SAP NetWeaver flaw.
“Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution,” ReliaQuest said. “During this activity, a dllhost.exe process was spawned, signaling exploitation of the CLFS vulnerability (CVE-2025-29824), which the group had previously exploited, with this being a new attempt to exploit it via inline assembly.”
The findings come a day after EclecticIQ disclosed that multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048 are actively exploiting CVE-2025-31324 to drop various malicious payloads.
SAP security company Onapsis revealed that threat actors have also been exploiting CVE-2025-31324 alongside a deserialization flaw in the same component (CVE-2025-42999) since March 2025, adding the new patch fixes the root cause of CVE-2025-31324.
“There is little practical difference between CVE-2025-31324 and CVE-2025-42999 as long as CVE-2025-31324 is available for exploitation,” ReliaQuest said in a statement shared with The Hacker News.
“CVE-2025-42999 indicates higher privileges would be required, however, CVE-2025-31324 affords full system access regardless. A threat actor could exploit both vulnerabilities in an authenticated and unauthenticated user in the same way. Therefore, the remediation advice is the same for both CVEs.”
