SAP NETWEAVER ATTACKS

From CPU-level ransomware to SAP NetWeaver attacks, the nature of ransomware attacks is completely changing the rules of the game and the rules of engagement too. No one knows where we are heading. What is SAP NetWeaver? It is a technology platform that includes a variety of components and tools supporting application integration, data management, development tools, user interface layers and process orchestration. It acts as a middleware layer to take enterprises ahead in a synchronised way. Pervasive attacks on a platform, tool or utility of this nature, part of the world’s best-known ERP, are bound to send shockwaves across the industry.

An unclassified Chinese group has used a mass reconnaissance tool to identify 581 NetWeaver servers backdoored with webshells and 1,800 domains running NetWeaver. It likely targeted government, gas and oil, waste management, and advanced medical device manufacturing entities in the UK, US, and Saudi Arabia. Where did it all begin? It was first flagged by cybersecurity company ReliaQuest as being targeted in the wild. Days after this announcement, SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324).

Ransomware gangs have joined the ongoing SAP NetWeaver attacks, exploiting the maximum-severity vulnerability. This vulnerability allowed threat actors to gain remote code execution on vulnerable servers. What happens in the process? Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise. The exploitation of critical vulnerabilities by both ransomware operators and state-sponsored actors marks a worrying evolution in enterprise-targeted cyber attacks.

Shortly after SAP released the patch in April 2025, ransomware gangs like BianLian and RansomEXX began weaponising the vulnerability, signalling a strategic shift from opportunistic attacks to high-value, enterprise-specific intrusions. What we see in these attacks is the convergence of cybercrime and cyberespionage. Even before the ransomware gangs, Chinese state-backed APTs had already begun targeting unpatched SAP systems. This dual-use exploitation suggests that SAP environments are no longer just business systems; they are now geopolitical and financial attack surfaces.

WHEN RANSOMWARE MEETS ESPIONAGE IN YOUR ERP STACK, PATCH MANAGEMENT ISN’T IT HYGIENE – IT’S NATIONAL SECURITY.
Sanjay Sahay

Have a nice evening.
