The largest ransomware groups have begun actively exploiting a vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 with a CVSS score of 10.0. It allows attackers to upload malicious files to servers without authentication, which opens the way to remote code execution and complete compromise of the systems.
SAP released an emergency update on April 24, just a few days after ReliaQuest experts recorded active exploitation of the vulnerability in real attacks. Today, ReliaQuest reported that the RansomEXX and BianLian ransomware operations have joined in exploiting the vulnerability. Although no encryptors have been successfully deployed yet, this signals growing interest in NetWeaver from cybercriminals.
According to ReliaQuest, the BianLian group was linked to at least one incident. The link was established on the basis of IP addresses previously used in the group's infrastructure. The RansomEXX attack used the PipeMagic backdoor, as well as the Windows CLFS vulnerability (CVE-2025-29824), known from this group's past campaigns. The initial attempt to deploy the malware through the web shells Helper.jsp and Cache.jsp ended in failure, but later the attackers used the Brute Ratel framework, delivering it through an MSBuild inline task.
In parallel, attacks by cyber groups associated with China continue. Activity by the Chaya_004 group was recorded, and EclecticIQ