A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.
The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.
- CVE-2025-31324 (CVSS score: 10.0) - Missing Authorization check in SAP NetWeaver's Visual Composer development server
- CVE-2025-42999 (CVSS score: 9.1) - Insecure Deserialization in SAP NetWeaver's Visual Composer development server
The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March.
Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws, not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infrastructure networks.
The existence of the exploit was first reported last week by vx-underground, which said it was released by Scattered Lapsus$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters.
"These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files," Onapsis said. "This can lead to remote code execution (RCE) and a complete takeover of the affected system and SAP business data and processes."
The exploit, the company added, cannot only be used to deploy web shells, but also be weaponized to conduct living-off-the-land (LotL) attacks by directly executing operating system commands without having to drop additional artifacts on the compromised system. These commands are run with SAP administrator privileges, granting bad actors unauthorized access to SAP data and system resources.
Specifically, the attack chain first uses CVE-2025-31324 to sidestep authentication and upload the malicious payload to the server. The deserialization vulnerability (CVE-2025-42999) is then exploited to unpack the payload and execute it with elevated permissions.
"The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July," Onapsis warned.
This includes -
- CVE-2025-30012 (CVSS score: 10.0)
- CVE-2025-42963 (CVSS score: 9.1)
- CVE-2025-42964 (CVSS score: 9.1)
- CVE-2025-42966 (CVSS score: 9.1)
- CVE-2025-42980 (CVSS score: 9.1)
Describing the threat actors as having extensive knowledge of SAP applications, the company is urging SAP users to apply the latest fixes as soon as possible, review and restrict access to SAP applications from the internet, and monitor SAP applications for any signs of compromise.
