Exploit weaponizes SAP NetWeaver bugs for full system compromise

Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft.

A new exploit chaining two vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, in SAP NetWeaver exposes organizations to the risk of system compromise and data theft.

CVE-2025-31324 (CVSS score: 10.0) is a missing authorization check in NetWeaver’s Visual Composer development server. Because the Visual Composer Metadata Uploader lacks proper authorization checks, unauthenticated attackers, those without valid credentials, can exploit it to upload malicious executable files to the system.

Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw with the release of the April 2025 Security Patch Day.

CVE-2025-42999 (CVSS score: 9.1) is an insecure deserialization flaw in SAP NetWeaver’s Visual Composer development server. The flaw allows privileged users to upload malicious content, risking system confidentiality, integrity, and availability. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog in May 2025.

VX Underground published on X the exploit for the SAP zero-day CVE-2025-31324, which was released by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group.

“Tracked as CVE-2025-31324 and exploited in combination with CVE-2025-42999, the initial vulnerabilities are a combination of two critical flaws in SAP NetWeaver Visual Composer with a CVSS score of 10.0, the highest possible severity rating. These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files. This can lead to remote code execution (RCE) and a complete takeover of the affected system and SAP business data and processes,” reads the analysis published by cybersecurity firm Onapsis. “The vulnerability has been actively exploited in the wild, making it a clear and present danger to organizations with unpatched SAP systems.”

The exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and execute malicious code with admin privileges, enabling attackers to run OS commands, deploy webshells, and gain full access to data and resources. The researchers pointed out that the exploit doesn’t leave artifacts on the system.

“The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July, which were discovered and reported by Onapsis (July 2025 SAP Patch Day: Record Patches & Critical Deserialization Vulnerabilities):

  • Security Note 3578900 for CVE-2025-30012 (CVSS 10)
  • Security Note 3620498 for CVE-2025-42980 (CVSS 9.1)
  • Security Note 3610892 for CVE-2025-42966 (CVSS 9.1)
  • Security Note 3621771 for CVE-2025-42963 (CVSS 9.1)
  • Security Note 3621236 for CVE-2025-42964 (CVSS 9.1)

This potentially opens up new attack vectors in other areas of SAP applications. It’s a powerful tool in an attacker’s arsenal, and its publication in the wild is a significant event,” continues Onapsis. “Organizations should ensure these SAP vulnerabilities have also been promptly patched in their environments.”

Onapsis, in collaboration with Mandiant, published open-source scanners for CVE-2025-31324 and CVE-2025-42999 on its GitHub page.

Pierluigi Paganini

(SecurityAffairs – hacking, exploit)