SAP NetWeaver Vulnerability Attracts Hackers


Recent Discovery: DOGE Employee’s Credentials Exposed in Infostealer Dumps

Breach Roundup: SAP NetWeaver Flaw Draws Hackers

Each week, Information Security Media Group rounds up significant cybersecurity incidents and data breaches worldwide. This week, a critical flaw in SAP NetWeaver drew ransomware gangs and a China-linked state group, two zero-day vulnerabilities were exploited in Ivanti Endpoint Manager Mobile, and credentials belonging to a DOGE employee turned up in infostealer logs. Also: Nucor halted production at some plants after a cyber incident, North Korean hackers targeted South Koreans with fake conference invitations, Russian state hackers hit Ukrainian webmail servers, and Microsoft's May Patch Tuesday fixed 72 vulnerabilities.

In-Depth: SAP NetWeaver Vulnerability Exploited

Attacks on SAP NetWeaver servers have escalated, with the ransomware groups RansomEXX and BianLian among those exploiting CVE-2025-31324, a critical flaw in the NetWeaver Visual Composer component. The bug is an unauthenticated file upload: an attacker who can reach the server over HTTP can drop a web shell and execute code with the privileges of the SAP application, without ever presenting credentials. SAP issued an emergency patch after ReliaQuest reported that the flaw was already being exploited in the wild.

ReliaQuest said that in one intrusion the attackers followed up their SAP access by deploying the PipeMagic backdoor together with an exploit for a Windows CLFS privilege-escalation vulnerability. The flaw is also being used by Chinese state-sponsored hackers: Forescout linked a separate campaign, which hit hundreds of SAP systems, to a group it tracks as Chaya_004.

The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-31324 to its Known Exploited Vulnerabilities catalog, which obliges federal civilian agencies to patch it by May 20. Organizations that cannot patch immediately should at minimum restrict network access to the Visual Composer component and hunt for web shells already planted on exposed servers.
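Patching closes the door, but it does not evict an attacker who already walked through it, so a practitioner's first question is whether the server was hit before the fix landed. The script below is an added example, not code from the article, SAP or ReliaQuest. It assumes two details taken from public reporting on this CVE rather than from the text above: that the vulnerable endpoint is the Visual Composer metadata uploader at /developmentserver/metadatauploader, and that successful exploitation writes a JSP web shell that is then fetched under /irj/. The log lines are constructed in Apache combined format for the example; adapt the regex to whatever reverse proxy or SAP HTTP log you actually have.

```python
"""Hunt for CVE-2025-31324-style activity in HTTP access logs.

Added example (not the article's or SAP's code). Assumptions from public
reporting on the CVE, not from the article:
  - the vulnerable component answers at /developmentserver/metadatauploader
  - a successful exploit drops a JSP web shell served under /irj/
Sample log lines below are constructed for this example.
"""
import re
from datetime import datetime

UPLOADER = "/developmentserver/metadatauploader"
# A JSP sitting directly under /irj/ (not under the portal's servlet tree).
JSP_RE = re.compile(r"^/irj/[^/?]+\.jsp(\?|$)")
# Apache combined log format, minimal fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one attacker (203.0.113.7) uploads then hits a shell;
# one scanner (198.51.100.2) probes a host where the component is gone.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:01:05 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 234
203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87
198.51.100.2 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.2 - - [24/Apr/2025:10:05:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return a dict of the fields we hunt on, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # strip query string
    return rec


def hunt(log_text):
    """Return (ip, severity, reason) findings in log order.

    high:     the uploader accepted a POST (the exploit's upload step)
    critical: the same client then requested a JSP under /irj/ (web shell use)
    medium:   the uploader answered 200 at all; a patched or disabled
              component should reject or not serve the request
    """
    findings = []
    uploaded = {}  # ip -> timestamp of its first accepted upload
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if path == UPLOADER and rec["method"] == "POST" and 200 <= rec["status"] < 300:
            findings.append((ip, "high", "metadata uploader accepted a POST"))
            uploaded.setdefault(ip, ts)
        elif path == UPLOADER and rec["status"] == 200:
            findings.append((ip, "medium", "metadata uploader reachable and answering 200"))
        elif JSP_RE.match(rec["target"]) and ip in uploaded and ts >= uploaded[ip]:
            findings.append((ip, "critical", f"JSP requested after upload: {path}"))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in hunt(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {reason}")
```

On the sample, the scanner's probe is not flagged because the endpoint returned 404, which is what you expect after the component has been removed; the attacker's session produces a high and then a critical finding. In real hunting, treat any POST to the uploader as evidence of compromise regardless of status, since the response code depends on the payload, and pair the log check with a file-system search for recently created .jsp files under the portal's servlet root.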

Ivanti Endpoint Manager Suffers Zero-Day Flaws

Ivanti, which makes endpoint and network management software, disclosed that attackers are exploiting two zero-day vulnerabilities in its Endpoint Manager Mobile platform, CVE-2025-4427 and CVE-2025-4428. Chained together, the two give an unauthenticated remote attacker code execution on the appliance. Ivanti said it had seen only a limited number of customers exploited at the time of disclosure and released patches for both flaws.

Security researchers warned that exploitation is likely to broaden, given how quickly attackers have piled onto previous Ivanti flaws in recent years. One of the two bugs is an authentication bypass that lets a remote attacker reach API endpoints that should require a login; the other, reachable once that gate is passed, allows remote code execution.

Credential Breach at DOGE

Micah Lee, a journalist and security technologist, found credentials belonging to DOGE employee Kyle Schutt in several infostealer logs. Schutt, who has worked on federal systems, had account credentials appear in multiple data dumps, raising the prospect that they could be used for unauthorized access. When the credentials were stolen is unclear, but their presence in infostealer logs indicates that a device Schutt used was infected with credential-stealing malware; Lee's takeaway is that personal devices should not be used for government work.

Nucor Halts Production After Cyberattack

Nucor Corporation, North America's largest steel producer, temporarily halted production at some of its facilities after a cybersecurity incident whose nature it has not disclosed. The company activated its incident response plan and took affected systems offline while it works to restore them. It has not said which sites were hit.

Targeted Cyber Espionage by APT37

The North Korean group APT37, also known as ScarCruft, is spear-phishing South Korean targets with malware disguised as official conference invitations. The lures are LNK shortcut files that, when opened, launch the RoKRAT malware, which collects files and system information and monitors the victim's activity. Researchers note that the group continues to use commercial cloud storage services for command and control, so the malware's traffic blends into the legitimate cloud traffic most organizations allow by default.

Kremlin Hackers Exploit Vulnerable Webmail Systems

Russian state-sponsored hackers have been targeting webmail servers used by Ukrainian government agencies, exploiting cross-site scripting vulnerabilities in the webmail software. The attack needs no user interaction beyond reading the email: the malicious JavaScript runs in the victim's webmail session when the message is opened and can steal credentials and mailbox contents. ESET, which documented the campaign, said most of the attacks used known, already-patched flaws, but that the attackers also had a zero-day XSS exploit for MDaemon webmail, a reminder that the mail systems underpinning government communication are a standing espionage target.

Microsoft’s Comprehensive May Patch Update

In its May Patch Tuesday, Microsoft fixed 72 vulnerabilities, including five that were already being exploited as zero-days. The fixes cover remote code execution and privilege escalation bugs across Windows and Office. Among the exploited zero-days, a privilege-escalation flaw in the Windows DWM Core Library drew particular attention, since it lets an attacker who already has a foothold on a machine elevate to SYSTEM.

With reporting from Information Security Media Group's team across regions.
