Recent Exploit Targets SAP NetWeaver: What You Need to Know
Overview of the Exploit
A new exploit targeting SAP NetWeaver has surfaced publicly. It chains two critical vulnerabilities, CVE-2025-31324 and CVE-2025-42999, that SAP has since patched but which had already been abused in the wild. Together they let an attacker with no credentials bypass authentication and achieve remote code execution on the affected system.
Details of the Vulnerabilities
- CVE-2025-31324: Rated CVSS 10.0, the maximum score. The Visual Composer development server in SAP NetWeaver performs no authorization check, so an unauthenticated attacker can reach its upload functionality.
- CVE-2025-42999: Rated CVSS 9.1. The same component deserializes untrusted data insecurely, which allows code execution once attacker-controlled content reaches it.
SAP patched these weaknesses in April 2025 (CVE-2025-31324) and May 2025 (CVE-2025-42999), but by then they had already been exploited as zero-days since at least March 2025.
The Threat Landscape
Several ransomware groups, including Qilin, BianLian and RansomExx, have been observed weaponizing these flaws. Espionage groups linked to China have also used them against critical infrastructure networks.
The public release of the exploit was first reported by vx-underground last week, which noted that it was being distributed by Scattered Lapsus$ Hunters, a coalition formed from Scattered Spider and ShinyHunters.
Implications of the Exploit
According to Onapsis, the security firm that analyzed the exploit, the chain lets attackers without any authentication credentials execute arbitrary commands on affected SAP systems. That amounts to a complete takeover of the system, exposing sensitive business data and the operational processes that depend on it.
Mechanism of the Attack
The exploit works in a two-step process:
- Bypassing Authentication: The attacker uses CVE-2025-31324 to reach the Visual Composer development server without authenticating and uploads a malicious payload to it.
- Executing the Payload: The exploit then triggers CVE-2025-42999 to deserialize and execute the uploaded payload with elevated privileges. Outcomes include the deployment of web shells or living-off-the-land (LotL) activity, in which the attacker runs commands through tools already present on the host rather than dropping additional files.
Potential for Future Exploits
Onapsis also warns that the public release of the deserialization gadget used by this exploit is itself a risk: the gadget can be repurposed against other SAP deserialization flaws, in particular the vulnerabilities SAP patched in July 2025.
Recommendations for SAP Users
The attackers behind this activity show detailed knowledge of SAP applications, so SAP customers should act proactively rather than wait for signs of compromise. Onapsis recommends the following actions:
- Apply Updates: Install SAP's security patches for both CVEs without delay; an unpatched Visual Composer remains exposed to the public exploit.
- Restrict Access: Review access controls for SAP applications, especially those reachable from the internet, and reduce exposure of components that do not need to be externally accessible.
- Monitor Systems: Watch SAP applications for unusual activity that may indicate compromise, such as unexpected uploads or newly appearing web shells; regular monitoring supports early detection and response.
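As an added example that is not part of the original article and is not Onapsis' own tooling, the following Python script applies the two-step mechanism described above, and the monitoring recommendation, to web server access logs: it flags an unauthenticated POST to the Visual Composer uploader, then any later request for a .jsp resource from the same source, which is the pattern a dropped web shell leaves behind. The uploader path, the Common Log Format layout and the sample log lines are all assumptions constructed for this example; SAP AS Java writes its HTTP access log in its own layout, so the regex has to be adapted before use.

```python
import re

# Assumption for this example, not stated in the article: the Visual Composer
# Metadata Uploader is served under this path. Confirm against SAP's advisory
# for CVE-2025-31324 and your own landscape before relying on it.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Common Log Format parser. SAP AS Java writes its HTTP access log in its own
# layout, so adapt this pattern to what your ICM / Java stack actually emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample traffic for this example; not real telemetry.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Sep/2025:09:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Sep/2025:09:14:05 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 118',
    '198.51.100.7 - jdoe [10/Sep/2025:09:15:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '198.51.100.7 - jdoe [10/Sep/2025:09:15:35 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 2048',
    '203.0.113.10 - - [10/Sep/2025:09:16:00 +0000] "POST /irj/helper.jsp HTTP/1.1" 200 64',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Strip the query string so "/x.jsp?cmd=..." is still recognised as a JSP.
    rec["path_no_query"] = rec["path"].split("?", 1)[0]
    return rec


def find_indicators(lines):
    """Scan access-log lines in order and return a list of findings.

    Two indicators are raised:
      * unauthenticated_upload: a POST to the Metadata Uploader with no
        authenticated user, the access that CVE-2025-31324 permits.
      * possible_webshell: a later request for a .jsp resource from a source
        that already produced an unauthenticated upload, consistent with a
        web shell written through the uploader and then invoked.
    Authenticated use of the uploader (a developer with a session) is not
    flagged, so this stays quiet on legitimate Visual Composer traffic.
    """
    uploaders = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        unauthenticated = rec["user"] == "-"
        if (rec["method"] == "POST"
                and rec["path_no_query"] == UPLOADER_PATH
                and unauthenticated):
            uploaders.add(rec["ip"])
            findings.append({"indicator": "unauthenticated_upload",
                             "ip": rec["ip"], "ts": rec["ts"], "line": line})
            continue
        if rec["ip"] in uploaders and rec["path_no_query"].lower().endswith(".jsp"):
            findings.append({"indicator": "possible_webshell",
                             "ip": rec["ip"], "ts": rec["ts"], "line": line})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['indicator']:24} {f['ip']:15} {f['ts']}  {f['line']}")
```

On the constructed sample the script reports one unauthenticated upload from 203.0.113.10 followed by two JSP requests from that same address, while the authenticated developer traffic from 198.51.100.7 is left alone. In production, the JSP check should be tightened to the directories Visual Composer can actually write to, and a finding should be correlated with the Java stack's own logs before it is treated as confirmed compromise.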
Taken together, these measures materially reduce exposure to this exploit chain and to the reuse of its deserialization gadget against other SAP vulnerabilities.