In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.
Source: https://www.techradar.com/pro/security/sap-netweaver-woes-worsen-as-ransomware-gangs-join-the-attack
TPRM report: https://scoringcyber.rankiteo.com/company/sap
"id": "sap723051525",
"linkid": "sap",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'software',
'name': 'SAP',
'type': 'company'}],
'attack_vector': ['unauthenticated upload', 'zero-day exploit'],
'date_detected': '2025-01-01',
'date_resolved': '2025-04-01',
'description': 'In late April, SAP fixed a severe bug in NetWeaver Visual '
'Composer Metadata Uploader, affecting over 1,200 instances. '
'Multiple ransomware operators, including BianLian and '
'RansomEXX, exploited this flaw. The bug allowed '
'unauthenticated actors to upload malicious executables. SAP '
'also patched a separate critical zero-day vulnerability in '
'NetWeaver server, tracked as CVE-2025-42999, with a severity '
'score of 9.1/10. Both vulnerabilities were abused in attacks '
'since January 2025.',
'impact': {'systems_affected': 'over 1,200 instances'},
'motivation': 'financial gain',
'ransomware': {'ransomware_strain': ['BianLian', 'RansomEXX']},
'threat_actor': ['BianLian', 'RansomEXX'],
'title': 'SAP NetWeaver Visual Composer Metadata Uploader Vulnerability',
'type': ['vulnerability', 'ransomware'],
'vulnerability_exploited': ['CVE-2025-42999']}