SAP has launched patches to handle a second vulnerability exploited in current assaults focusing on SAP NetWeaver servers as a zero-day.
The corporate issued safety updates for this safety flaw (CVE-2025-42999) on Monday, Could 12, saying it was found whereas investigating zero-day assaults involving one other unauthenticated file add flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visible Composer that was mounted in April.
“SAP is conscious of and has been addressing vulnerabilities in SAP NETWEAVER Visible Composer,” a SAP spokesperson advised BleepingComputer. “We ask all prospects utilizing SAP NETWEAVER to put in these patches to guard themselves. The Safety Notes will be discovered right here: 3594142 & 3604119.”
Bindiast first detected the assaults exploiting CVE-2025-31324 as a zero-day in April, reporting that menace actors have been importing JSP net shells to public directories and the Brute Ratel purple staff device after breaching prospects’ programs via unauthorized file uploads on SAP NetWeaver. The hacked cases have been totally patched, indicating the attackers used a zero-day exploit.
This malicious exercise was additionally confirmed by cybersecurity corporations watchTowr and Onapsiswho additionally noticed the attackers importing net shell backdoors on unpatched cases uncovered on-line. Forescout’s Vedere Labs has linked a few of these assaults to a Chinese language menace actor it tracks as Chaya_004.
Onyphe CTO Patrice Auffret advised BleepingComputer in late April that “One thing like 20 Fortune 500/International 500 corporations are susceptible, and plenty of of them are compromised,” including that there have been 1,284 susceptible cases uncovered on-line on the time, 474 already compromised.
The Shadowserver Basis is now monitoring over 2040 SAP Netweaver servers uncovered on the Web and susceptible to assaults.
Weak SAP NetWeaver servers uncovered on-line (Shadowserver Basis)
New flaw additionally exploited in zero-day assaults
Whereas SAP didn’t affirm that CVE-2025-42999 was exploited within the wild, Onapsis CTO Juan Pablo Perez-Etchegoyen advised BleepingComputer that the menace actors have been chaining each vulnerabilities in assaults since January.
“The assaults we noticed throughout March 2025 (that began with fundamental proves again in January 2025) are literally abusing each, the dearth of authentication (CVE-2025-31324) in addition to the insecure de-serialization (CVE-2025-42999),” Perez-Etchegoyen advised BleepingComputer.
“This mix allowed attackers to execute arbitrary instructions remotely and with none kind of privileges on the system. This residual threat is mainly a de-serialization vulnerability solely exploitable by customers with VisualComposerUser position on the SAP goal system.”
SAP admins are suggested to instantly patch their NetWeaver cases and think about disabling the Visible Composer service if doable, in addition to prohibit entry to metadata uploader companies and monitor for suspicious exercise on their servers.
For the reason that assaults began, CISA has added the CVE-2025-31324 flaw to its Identified Exploited Vulnerabilities Catalogordering federal businesses to safe their programs by Could 20, as mandated by Binding Operational Directive (BOD) 22-01.
“All these vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” CISA warned.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and learn how to defend in opposition to them.
