Ransomware Hackers Target SAP Servers Through Critical Flaw

A newly discovered security hole in SAP's NetWeaver platform is being exploited in the wild by cybercriminals, including ransomware gangs. The flaw gives an attacker remote code execution on a vulnerable server without any authentication: no account, password or prior access is required.

SAP issued emergency patches on April 24, 2025, after learning that the flaw was being exploited. It lies in the Metadata Uploader component of NetWeaver's Visual Composer, which fails to check whether the caller is authorized. Tracked as CVE-2025-31324, the weakness lets an unauthenticated attacker upload arbitrary files to the server, in practice JSP web shells, and then execute them with the privileges of the NetWeaver application server. From there the attacker controls the system.

ReliaQuest, the cybersecurity firm that first tracked this exploitation, now says that two known ransomware groups, RansomEXX and BianLian, have joined in. Although neither has yet successfully deployed ransomware in these intrusions, their involvement shows that multiple criminal groups are working the same flaw.

Investigators linked BianLian to at least one incident through an IP address tied to the group's earlier operations. In another case, RansomEXX operators deployed the PipeMagic backdoor and also exploited a previously patched Windows privilege-escalation bug in the Common Log File System driver (CVE-2025-29824) to gain SYSTEM-level control of the host.

When that first attempt failed, the attackers tried again with Brute Ratel, a commercial command-and-control framework built for red teaming and frequently abused by criminals. They loaded it through MSBuild, Microsoft's build tool, which can compile and run code embedded in a project file; because MSBuild is a signed, legitimate binary already present on Windows hosts, running a payload through it sidesteps controls that key on unknown executables.

More recently, Forescout and EclecticIQ tied further exploitation of the same vulnerability to China-linked threat actors tracked under several names. Those groups had already planted backdoors on at least 581 SAP systems, including some belonging to critical national infrastructure in the US, UK and Saudi Arabia, and evidence from their infrastructure suggests nearly 2,000 further systems are queued as targets.

Experts believe these footholds could serve state-sponsored intelligence collection, operational disruption, or broader military and economic aims. Because SAP systems typically hold an organization's most sensitive business data and are connected to internal networks, a compromise can spread quickly within the affected organization.

SAP has also fixed a second, related Visual Composer weakness (CVE-2025-42999), a deserialization flaw that had been silently exploited since March. Administrators should apply both patches immediately. Where that is not possible, disabling Visual Composer removes the exposed component; access to the Metadata Uploader should in any case be restricted to trusted networks, and systems should be checked for unexpected files in the Java server's web directories and for unusual requests to that endpoint.
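As an added illustration of the monitoring advice above (this is example code written for this page, not from SAP, ReliaQuest or any other vendor named here), the script below scans web-server access logs in Common Log Format for the two things a practitioner would look for: requests to the Visual Composer Metadata Uploader endpoint named in public reporting on CVE-2025-31324, and, as a heuristic that is this example's own assumption rather than a published indicator, a .jsp file fetched directly under the portal root /irj/, which is what a dropped web shell being invoked looks like. Clients that POST to the uploader and then fetch a JSP are rated high. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Endpoint of the Visual Composer Metadata Uploader named in public reporting
# on CVE-2025-31324; requests to it from untrusted networks are not normal traffic.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Heuristic, an assumption of this example rather than a published indicator:
# a .jsp/.jspx fetched directly under the portal root /irj/ is unusual and is
# what a dropped web shell being called looks like.
JSP_UNDER_PORTAL = re.compile(r"^/irj/[^?]*\.jspx?(\?.*)?$", re.IGNORECASE)

# Common Log Format as written by many reverse proxies in front of NetWeaver.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample traffic for this example (not captured data). Four
# clients: one full upload-then-execute chain, one upload only, one probe,
# one ordinary portal user.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [25/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87
203.0.113.7 - - [25/Apr/2025:10:01:09 +0000] "GET /irj/x.jsp?cmd=id HTTP/1.1" 200 1432
198.51.100.21 - - [25/Apr/2025:10:02:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87
198.51.100.44 - - [25/Apr/2025:10:03:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
192.0.2.9 - - [25/Apr/2025:10:04:30 +0000] "GET /irj/portal HTTP/1.1" 200 20481
192.0.2.9 - - [25/Apr/2025:10:04:31 +0000] "GET /irj/go/km/docs/readme.txt HTTP/1.1" 200 311
"""


def analyze(log_text):
    """Return {client_ip: [indicator, ...]} for every client that touched the
    Metadata Uploader or fetched a JSP under /irj/."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        bare_path = path.split("?", 1)[0].lower()
        if bare_path == UPLOADER_PATH:
            hits[ip].append(f"uploader:{method}:{status}")
        elif status == 200 and JSP_UNDER_PORTAL.match(path):
            hits[ip].append(f"jsp:{bare_path}")
    return dict(hits)


def triage(hits):
    """Rank each client. A POST to the uploader followed by a JSP fetch is the
    upload-then-execute pattern and is rated high; an upload with no visible
    follow-up is medium; a bare probe (GET only) is low."""
    ranked = {}
    for ip, indicators in hits.items():
        posted = any(i.startswith("uploader:POST:") for i in indicators)
        fetched_jsp = any(i.startswith("jsp:") for i in indicators)
        if posted and fetched_jsp:
            ranked[ip] = "high"
        elif posted:
            ranked[ip] = "medium"
        else:
            ranked[ip] = "low"
    return ranked


if __name__ == "__main__":
    for ip, level in sorted(triage(analyze(SAMPLE_LOG)).items()):
        print(f"{level:6} {ip}")
```

Run it against the reverse proxy's or the server's own HTTP access log rather than trusting response codes: a patched and an unpatched server may both answer the probe, and the JSP heuristic will also fire on legitimate custom pages, so this is a triage aid, not a verdict. Confirm findings by checking the Java server's web directories for files that were not deployed through change management.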

CISA, the US government's cyber agency, has added the flaw to its Known Exploited Vulnerabilities catalog, which obliges federal civilian agencies to patch; their deadline was May 20.

Supply Chain Assaults Possible Due to Critical SAP Bug

SecurityBridge, a vendor of SAP security products, warns that a critical bug recently fixed in SAP NetWeaver AS ABAP and ABAP Platform could be used to mount supply chain attacks on an organization's own SAP landscape.

The bug, tracked as CVE-2021-38178 with a CVSS score of 9.1, was fixed on SAP's October 2021 Patch Day. SecurityBridge researchers describe it as an improper authorization issue that lets a threat actor tamper with transport requests after they have been released, evading the quality gates and delivering altered code artifacts to production systems.

A typical SAP production system sits at the end of a transport route, a chain of SAP instances used for development, testing and sometimes integration. All instances in the route usually share a single transport directory on the file system, holding the files needed to move changes from development to production.

Transport requests carry modifications along the route, and once a request has been exported it is supposed to be immutable: any further change should require a new request. SecurityBridge found, however, that standard SAP installations include a program that lets users with particular authorizations change the header attributes of a transport request after export.

An attacker, or a malicious insider, with sufficient permissions on a compromised system therefore has a window of opportunity between the export of a transport request and its import into production, during which the release status can be flipped from "Released" back to "Modifiable".

A request can thus be altered after it has passed every quality gate, and the attacker can add a payload that executes when the request is imported into the target system, which is what makes this a supply chain attack.

“Attackers may introduce malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage. They could alter the transport request content just before promotion into production, allowing for code execution,” SecurityBridge explained. 

Any SAP landscape that uses a single transport directory across several staging levels is exposed. Organizations are advised to apply the available patches and to verify that transport requests have not been altered between release and import into production.
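The check recommended above, verifying that a request was not altered between release and production import, can be implemented outside SAP's own tooling by pinning the hash of each transport's files when it clears the last quality gate and comparing before import. The script below is an added example written for this page, not SecurityBridge's or SAP's code. It assumes SAP's standard file naming (data file R<number>.<SID> and control file K<number>.<SID> under the data/ and cofiles/ subdirectories of the transport directory), a request id of the form <SID>K<number>, and a constructed temporary directory standing in for /usr/sap/trans.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def transport_file_names(request):
    """Map a transport request id such as DEVK900123 to the names of its data
    file and control file (cofile) in the transport directory. The
    R<number>.<SID> / K<number>.<SID> convention is SAP's; the id format
    <SID>K<number> is assumed here."""
    sid, number = request[:3], request[4:]
    return [f"R{number}.{sid}", f"K{number}.{sid}"]


def transport_files(trans_dir, request):
    data_name, cofile_name = transport_file_names(request)
    return [trans_dir / "data" / data_name, trans_dir / "cofiles" / cofile_name]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pin_release(trans_dir, request, manifest_path):
    """Record the hashes of a request's files at the moment it clears the last
    quality gate. The manifest must live outside the shared transport
    directory (it is passed in separately here); otherwise whoever can
    rewrite the transport can rewrite the pin too."""
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest[request] = {
        str(p.relative_to(trans_dir)): sha256_file(p) for p in transport_files(trans_dir, request)
    }
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_before_import(trans_dir, request, manifest_path):
    """Return a list of problems found; an empty list means every file still
    matches its pinned hash and the import may proceed."""
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    pinned = manifest.get(request)
    if pinned is None:
        return [f"{request}: no pinned hashes, refuse to import an unpinned transport"]
    problems = []
    for rel, digest in pinned.items():
        p = trans_dir / rel
        if not p.exists():
            problems.append(f"{rel}: missing from transport directory")
        elif sha256_file(p) != digest:
            problems.append(f"{rel}: hash mismatch, modified after release")
    return problems


def demo():
    """Constructed walk-through: pin a released request, then simulate the
    post-release tampering described above and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trans = root / "trans"  # stands in for the shared /usr/sap/trans
        (trans / "data").mkdir(parents=True)
        (trans / "cofiles").mkdir()
        manifest = root / "gate" / "release_manifest.json"  # outside the transport directory
        manifest.parent.mkdir()

        request = "DEVK900123"
        data_file, cofile = transport_files(trans, request)
        data_file.write_bytes(b"constructed data file: REPORT ZFIX_INVOICE\n")
        cofile.write_bytes(b"constructed cofile: status Released\n")

        pin_release(trans, request, manifest)
        clean = verify_before_import(trans, request, manifest)

        # An insider with write access to the shared directory flips the
        # status back and appends code after the request passed QA.
        cofile.write_bytes(b"constructed cofile: status Modifiable\n")
        data_file.write_bytes(data_file.read_bytes() + b"constructed injected code\n")
        tampered = verify_before_import(trans, request, manifest)

        # A request nobody pinned must not be importable either.
        unpinned = verify_before_import(trans, "DEVK900124", manifest)
    return clean, tampered, unpinned


if __name__ == "__main__":
    clean, tampered, unpinned = demo()
    print("clean:", clean)
    print("tampered:", tampered)
    print("unpinned:", unpinned)
```

The pin has to be taken by the gate that approves the request, written somewhere the transport directory's writers cannot reach, and the verify step has to run on the production side immediately before the import; a hash recorded or checked from within the shared directory protects nothing, since the same access that lets an insider flip a request to "Modifiable" lets them update the hash.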