Exploit Weaponizes SAP NetWeaver Bugs for Full System Compromise

A new exploit that chains two SAP NetWeaver vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, has exposed organizations to the risk of system compromise and data theft. These critical flaws allow an unauthenticated attacker to execute arbitrary commands on the target SAP system, including uploading arbitrary files. The result is remote code execution (RCE) and a complete takeover of the affected system and its SAP business data and processes.

CVE-2025-31324: Missing Authorization Check in NetWeaver Visual Composer Development Server

CVE-2025-31324 has a CVSS score of 10.0, making it one of the most severe security flaws ever discovered. The flaw, in the NetWeaver Visual Composer Metadata Uploader, stems from a lack of proper authorization checks. As a result, unauthenticated attackers (those without valid credentials) can exploit it to upload malicious executable files to the system.

Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw in its April 2025 Security Patch Day release.

CVE-2025-42999: Insecure Deserialization in SAP NetWeaver’s Visual Composer Development Server

The vulnerability CVE-2025-42999 has a CVSS score of 9.1 and allows privileged users to upload malicious content, risking system confidentiality, integrity, and availability.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog in May 2025.

The Exploit: Weaponizing SAP Zero-Day Flaw

A new exploit for the SAP zero-day vulnerability CVE-2025-31324 has been published on X by VX Underground. The exploit, which was reportedly created by "Scattered LAPSUS$ Hunters – ShinyHunters" in a Telegram group, is fully weaponized and can be used to bypass authentication and execute malicious code with admin privileges.

Researchers pointed out that the exploit doesn’t leave artifacts on the system, making it difficult to track and detect. This potentially opens up new attack vectors in other areas of SAP applications.

Consequences and Recommendations

Organizations should ensure that these SAP vulnerabilities have been promptly patched in their environments. The publication of this deserialization gadget is particularly concerning because it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that SAP patched recently, in July.

Researchers from Onapsis and Mandiant have published open-source scanners for CVE-2025-31324 and CVE-2025-42999 on GitHub. It is essential to keep your SAP systems up to date with the latest security patches and to monitor them for any signs of suspicious activity.

Stay Safe from SAP Exploits

Follow the latest updates and alerts from reputable sources, such as CISA and Onapsis. Stay informed about the latest SAP exploits and patching requirements to protect your organization's data and systems from potential threats.

Remember, proactive security measures are crucial in preventing system compromise and data theft. Keep your SAP systems secure and stay vigilant against emerging threats.