SAP has released critical patches to address a recently discovered vulnerability affecting SAP NetWeaver servers, which has been exploited as a zero-day threat.
On May 12, the company announced security updates for the flaw tracked as CVE-2025-42999. This vulnerability was uncovered while investigating previously reported zero-day attacks involving another unauthenticated file upload vulnerability—CVE-2025-31324—in SAP NetWeaver Visual Composer, which was patched in April.
An SAP spokesperson confirmed to BleepingComputer, “SAP is aware of and actively addressing vulnerabilities in SAP NetWeaver Visual Composer. We urge all customers using SAP NetWeaver to install these patches for their protection. The Security Notes can be accessed here: 3594142 & 3604119.”
Attack Vector and Exploitation Details
ReliaQuest initially identified the exploitation of CVE-2025-31324 as a zero-day in April. It was reported that threat actors were uploading JSP web shells to public directories using the Brute Ratel red team tool after gaining unauthorized access through file uploads on SAP NetWeaver. Notably, the compromised instances were fully patched, indicating the use of an advanced zero-day exploit.
Cybersecurity firms watchTowr and Onapsis confirmed this malicious activity, observing attackers deploying web shell backdoors on unpatched instances accessible online. Forescout’s Vedere Labs has linked some of these attacks to a Chinese threat actor identified as Chaya_004.
Patrice Auffret, CTO at Onyphe, highlighted in late April the extent of the exposure, stating that “approximately 20 Fortune 500/Global 500 companies are at risk, with many already compromised.” At the time, over 1,284 vulnerable instances were exposed online, with 474 already compromised.
The Shadowserver Foundation is currently tracking over 2,040 SAP NetWeaver servers that remain exposed on the internet and vulnerable to these ongoing attacks.
Exploitation of New Vulnerability
While SAP has not officially confirmed that CVE-2025-42999 has been exploited, Onapsis CTO Juan Pablo Perez-Etchegoyen reported that attackers have been chaining both vulnerabilities in their operations since January.
"The attacks observed in March 2025, which started developing back in January 2025, utilize both the lack of authentication (CVE-2025-31324) and the insecure deserialization vulnerability (CVE-2025-42999)," Perez-Etchegoyen explained. “This exploitation method allows attackers to execute arbitrary commands remotely without any system privileges.”
SAP administrators are strongly advised to patch their NetWeaver instances immediately and to consider disabling the Visual Composer service. Restricting access to the metadata uploader services and closely monitoring server activity are also recommended.
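As an added illustration of the "monitor server activity" advice (example code written for this page, not SAP's or any vendor's tooling), the script below scans web-server access logs for the pattern described in the article: a POST to the metadata uploader followed by requests for a JSP file in a public directory. The uploader path, the JSP file name and the log lines are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the article).
# The uploader path and "helper.jsp" are assumptions for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 310
203.0.113.7 - - [12/May/2025:10:02:40 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.9 - - [12/May/2025:10:05:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 90
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed endpoint of the Visual Composer metadata uploader; adjust to your deployment.
UPLOADER_PATH = "/developmentserver/metadatauploader"


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Flag uploader POSTs and any later hits on .jsp resources.

    Each finding is (kind, client_ip, path, status, same_client_as_uploader).
    A JSP hit from the same client that posted to the uploader is the strongest signal;
    hits from other clients are still reported because web shells get shared.
    """
    findings = []
    uploader_clients = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore query string
        if rec["method"] == "POST" and path.startswith(UPLOADER_PATH):
            uploader_clients.add(rec["ip"])
            findings.append(("uploader_post", rec["ip"], path, rec["status"], True))
        elif path.lower().endswith(".jsp") and uploader_clients:
            same = rec["ip"] in uploader_clients
            findings.append(("jsp_after_upload", rec["ip"], path, rec["status"], same))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On a patched or access-restricted system the uploader POST from an external client should not return 200, so a successful POST on its own is worth a look; correlate the client address with the SAP security audit log before acting.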
Federal Response and Risk Mitigation
Following the surge in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog and mandated that federal agencies secure their systems by May 20, as required under Binding Operational Directive (BOD) 22-01.
CISA warned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
Conclusion
As cyber threats continue to evolve, organizations must prioritize patch management and vulnerability assessments to effectively mitigate risks. By adhering to best practices in cybersecurity, firms can safeguard their systems against increasingly sophisticated attacks and maintain the integrity of their digital infrastructure.
For ongoing updates and further information, organizations should remain vigilant and refer to security advisories from SAP and cybersecurity agencies.