SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day.
The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April.
“SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer,” a SAP spokesperson told BleepingComputer. “We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here: 3594142 & 3604119.”
ReliaQuest first detected the attacks exploiting CVE-2025-31324 as a zero-day in April, reporting that threat actors were uploading JSP web shells to public directories and the Brute Ratel red team tool after breaching customers’ systems through unauthorized file uploads on SAP NetWeaver. The hacked instances were fully patched, indicating the attackers used a zero-day exploit.
This malicious activity was also confirmed by cybersecurity firms watchTowr and Onapsis, who also observed the attackers uploading web shell backdoors on unpatched instances exposed online. Forescout’s Vedere Labs has linked some of these attacks to a Chinese threat actor it tracks as Chaya_004.
Onyphe CTO Patrice Auffret told BleepingComputer in late April that “Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” adding that there were 1,284 vulnerable instances exposed online at the time, 474 already compromised.
The Shadowserver Foundation is now tracking over 2040 SAP Netweaver servers exposed on the Internet and vulnerable to attacks.
New flaw also exploited in zero-day attacks
While SAP did not confirm that CVE-2025-42999 was exploited in the wild, Onapsis CTO Juan Pablo Perez-Etchegoyen told BleepingComputer that the threat actors were chaining both vulnerabilities in attacks since January.
“The attacks we observed during March 2025 (that started with basic proves back in January 2025) are actually abusing both, the lack of authentication (CVE-2025-31324) as well as the insecure de-serialization (CVE-2025-42999),” Perez-Etchegoyen told BleepingComputer.
“This combination allowed attackers to execute arbitrary commands remotely and without any type of privileges on the system. This residual risk is basically a de-serialization vulnerability only exploitable by users with VisualComposerUser role on the SAP target system.”
SAP admins are advised to immediately patch their NetWeaver instances and consider disabling the Visual Composer service if possible, as well as restrict access to metadata uploader services and monitor for suspicious activity on their servers.
Since the attacks started, CISA has added the CVE-2025-31324 flaw to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems by May 20, as mandated by Binding Operational Directive (BOD) 22-01.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
