SAP Addresses Second Zero-Day Vulnerability Targeted in Recent Attack Campaigns
SAP has released critical security patches to address a second vulnerability that has been exploited in recent attacks targeting SAP NetWeaver servers. The new vulnerability, identified as CVE-2025-42999, was discovered during the investigation of previously reported zero-day attacks involving another flaw, CVE-2025-31324, which permits unauthorized file uploads in SAP NetWeaver Visual Composer and was patched in April.
A spokesperson from SAP emphasized the importance of these updates, urging all customers utilizing SAP NetWeaver to implement the patches to enhance their security posture. Detailed security notes are available for customer reference.
The first indications of exploitation for CVE-2025-31324 were identified by cybersecurity firm ReliaQuest in April. During its analysis, ReliaQuest observed threat actors uploading JSP web shells into publicly accessible directories and using the Brute Ratel red team tool after gaining access to client systems through the unauthorized file upload. Notably, the compromised systems were fully patched at the time of the intrusions, which pointed to the attackers' use of a zero-day exploit.
This malicious activity has been corroborated by other cybersecurity firms, including watchTowr and Onapsis, which confirmed that attackers were deploying web shell backdoors on vulnerable instances. Forescout’s Vedere Labs connected several of these intrusions to a known Chinese threat actor tracked as Chaya_004.
According to Onyphe’s Chief Technology Officer, a substantial number of Fortune 500 and Global 500 companies remain vulnerable, with early estimates suggesting that approximately 1,284 instances were exposed online, of which about 474 were already compromised.
Presently, the Shadowserver Foundation is monitoring over 2,040 SAP NetWeaver servers exposed on the internet and at risk of similar attacks.
Exploitation of the New Vulnerability
While SAP has not publicly confirmed that CVE-2025-42999 has been actively exploited, Onapsis' CTO indicated that attackers have been leveraging both vulnerabilities in their operations since January. Chaining the missing authentication check (CVE-2025-31324) with the insecure deserialization (CVE-2025-42999) has enabled attackers to execute arbitrary commands remotely without requiring any user privileges.
SAP administrators are strongly advised to immediately apply the relevant patches to their NetWeaver instances, consider disabling the Visual Composer service where feasible, restrict access to the metadata uploader services, and closely monitor their servers for any signs of suspicious activity.
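The monitoring advice above can be made concrete. The following is an added example, not code from the article, from SAP, or from any of the firms it cites: a small Python detector that runs over web server access-log lines and flags the two-step pattern the article describes, an unauthenticated POST to the metadata uploader followed by requests from the same client to a JSP that is not part of the instance's known application surface (the likely uploaded web shell). The uploader endpoint path is a placeholder you must replace from your own SAP note, the Apache/NCSA-style log format and the JSP allowlist are assumptions, and the log lines are constructed for the example.

```python
# Added example: correlate uploader POSTs with later hits on unknown JSP files.
# Assumptions (not from the article): NCSA-style access logs; UPLOADER_PATH is a
# placeholder to be replaced with the real endpoint; KNOWN_JSP is an allowlist
# built from your own baseline of the NetWeaver instance.
import re
from datetime import datetime, timedelta

UPLOADER_PATH = "/metadata-uploader-placeholder"        # placeholder, not the real path
KNOWN_JSP = {"/irj/servlet_jsp/irj/root/index.jsp"}     # constructed baseline allowlist
WINDOW = timedelta(hours=24)  # how long after an upload a new JSP hit stays correlated

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Compare the resource only; a web shell is usually called with a query string.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_suspicious(lines):
    """Return findings as dicts with kind/ip/ts/path/status, in log order."""
    findings = []
    last_upload = {}  # ip -> timestamp of its most recent accepted uploader POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path == UPLOADER_PATH:
            # Every POST to the uploader deserves review: the flaw needs no credentials,
            # so a 2xx/3xx here on an unpatched host means the upload was accepted.
            findings.append({"kind": "uploader_post", "ip": ip, "ts": ts,
                             "path": path, "status": rec["status"]})
            if rec["status"] < 400:
                last_upload[ip] = ts
            continue
        if path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            kind = "unknown_jsp_request"
            prev = last_upload.get(ip)
            if prev is not None and timedelta(0) <= ts - prev <= WINDOW:
                kind = "upload_then_jsp_request"  # strongest signal: same client did both
            findings.append({"kind": kind, "ip": ip, "ts": ts,
                             "path": path, "status": rec["status"]})
    return findings


# Constructed sample log (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    '198.51.100.7 - - [28/Apr/2025:10:14:09 +0000] "POST /metadata-uploader-placeholder HTTP/1.1" 200 87',
    '198.51.100.7 - - [28/Apr/2025:10:14:31 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 210',
    '203.0.113.5 - - [28/Apr/2025:10:20:00 +0000] "POST /metadata-uploader-placeholder HTTP/1.1" 403 0',
    '203.0.113.5 - - [28/Apr/2025:10:20:05 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 900',
    '192.0.2.9 - - [28/Apr/2025:11:02:44 +0000] "GET /irj/servlet_jsp/irj/root/other.jsp HTTP/1.1" 200 150',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f'{f["ts"].isoformat()} {f["ip"]:>14} {f["kind"]:<24} {f["status"]} {f["path"]}')
```

The allowlist is the important design choice: rather than trying to recognise web shells by content, which attackers vary freely, the detector treats any JSP outside the instance's baseline as worth a look, and raises the severity when the same client had just hit the uploader. A POST to the uploader that is rejected (4xx) still produces a low-severity finding, because on a patched host that is the expected trace of a failed attempt.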
In response to the ongoing threats, CISA has officially added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, urging federal agencies to secure their systems by a specified deadline to mitigate risks posed by these vulnerabilities. CISA underscored the frequent exploitation of such vulnerabilities by malicious actors and the significant risks they pose to organizational cybersecurity frameworks.