Ransomware Operators and Chinese APTs Exploiting SAP NetWeaver Vulnerabilities


Ransomware groups and Chinese state-sponsored APTs are actively exploiting two critical vulnerabilities in the Visual Composer component of SAP NetWeaver: CVE-2025-31324 (CVSS 10.0) and CVE-2025-42999 (CVSS 9.1).
CVE-2025-31324 is a missing authorization check in Visual Composer's Metadata Uploader that lets an unauthenticated attacker upload arbitrary files, including JSP webshells, to the application server; CVE-2025-42999 is an insecure deserialization flaw in the same component that attackers have used alongside it. Together they give unauthenticated remote code execution and a webshell for persistent access, SecurityWeek reports. Exploitation has been ongoing since January 2025, and opportunistic actors have also been reusing webshells that earlier intruders left behind, so applying the patch does not by itself evict an attacker who already has a shell on the box.
SAP released an out-of-band fix for CVE-2025-31324 on April 24 (Security Note 3594142) and addressed CVE-2025-42999 in its May 2025 Security Patch Day (Security Note 3604119). Notably, China-nexus groups tracked as UNC5221, UNC5174, and CL-STA-0048 have been linked to these intrusions, targeting critical infrastructure sectors across the UK, US, and Saudi Arabia.
Additionally, the ransomware groups BianLian and RansomEXX have exploited these vulnerabilities, though no ransomware deployment has been confirmed. Organizations are urged to apply the latest SAP patches promptly; where patching must wait, restrict access to the /developmentserver/metadatauploader endpoint or disable Visual Composer if it is not in use, and in all cases hunt for webshells that may already be on disk.
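The two things defenders most want to see for this bug are the upload request and the webshell that follows it, and the "someone else's webshell" case from the report, where a second actor drives a shell they never dropped. The script below is an added example written for this post, not code from SecurityWeek, SAP, or the researchers cited; it walks an access log in order and flags requests to the Metadata Uploader endpoint plus any JSP served under the portal's /irj/ path. It assumes an Apache-style combined log format (NetWeaver's own HTTP log layout differs, so adjust the regex), the sample lines are constructed for the example, and KNOWN_JSP is a placeholder allowlist you fill in with JSPs your portal legitimately serves.

```python
"""Hunt for CVE-2025-31324-style activity in web access logs.

Signals drawn from public reporting on the Visual Composer flaw:
  1. requests to /developmentserver/metadatauploader (a POST is the
     upload itself; any other method is at least a probe), and
  2. later requests to a .jsp under /irj/, which is where a dropped
     webshell becomes reachable over HTTP.

Assumptions (not from the original post): Apache-style combined log
format, constructed sample lines, and an allowlist you populate.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UPLOADER = "/developmentserver/metadatauploader"
KNOWN_JSP: set = set()   # assumption: no legitimate /irj/*.jsp by default

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one source uploads and then drives a shell, a second
# unrelated source reuses that shell a day later, a third only probes.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [29/Apr/2025:10:20:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.42 - - [30/Apr/2025:03:02:11 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 71 "-" "curl/8.4.0"
203.0.113.9 - - [30/Apr/2025:09:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    kind: str
    path: str
    status: int
    ts: str


def parse(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines) -> list:
    """Scan log lines in order and return findings worth triage.

    A JSP hit from a source that POSTed to the uploader earlier in the log
    is tagged webshell_after_upload. A JSP hit from any other source is
    tagged unexpected_jsp: that is the reused-webshell case, which a patch
    closes the upload path for but does not clean up.
    """
    findings = []
    uploaders = defaultdict(int)  # source ip -> count of POSTs to the uploader
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status, ts = rec["ip"], rec["path"], rec["status"], rec["ts"]
        if path == UPLOADER:
            if rec["method"] == "POST":
                uploaders[ip] += 1
                kind = "metadatauploader_post"
            else:
                kind = "metadatauploader_probe"
            findings.append(Finding(ip, kind, path, status, ts))
        elif path.startswith("/irj/") and path.endswith(".jsp") and path not in KNOWN_JSP:
            kind = "webshell_after_upload" if uploaders[ip] else "unexpected_jsp"
            findings.append(Finding(ip, kind, path, status, ts))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.ts}  {f.ip:<14} {f.kind:<24} {f.path} -> {f.status}")
```

Run it over the real log instead of SAMPLE_LOG and triage the unexpected_jsp hits first: they are the shells a previous intruder left and someone else is now using. On a system that has the April 24 note applied, unauthenticated requests to the uploader should no longer succeed, so a metadatauploader_post with status 200 after your patch date means the patch did not land where you think it did.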
Takeaway: The Time-to-Exploit (TTE) window isn’t just shrinking—it’s collapsing. What used to be weeks is now days, sometimes hours. You blink after a CVE drops and someone’s already got a working exploit in the wild.
Threat actors are moving like a startup with fresh VC funding—they are fast, agile, and focused on taking advantage of vulnerabilities, while most targeted orgs are still trying to figure out who owns the app or device, whether it’s in their environment, and then whether or not they need to patch it.
And here’s the kicker: ransomware crews aren’t just playing the same old game anymore, they’re increasingly borrowing straight from the APT playbook—zero-days, custom tooling, layered C2, stealthy lateral movement. The line between a government op and a for-profit extortion crew? Blurred to hell. It's all just cyber ops now.
This isn’t a world where check-the-box security works. You can’t rely on annual audits and patch cycles anymore. You need real-time intel, automation, and tools that actually fight back, not just alert you while everything burns.
Because in today’s landscape, it’s about resilience and outpacing an enemy that doesn’t sleep, doesn’t care, and isn’t playing by the old rules. This isn’t simple IT security anymore, it’s more like live combat where the adversary always has a slight advantage.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.