A newly discovered exploit combining two critical vulnerabilities in SAP NetWeaver has surfaced, posing significant risks to organizations that have not yet applied the necessary patches. This exploit enables unauthenticated attackers to bypass authentication mechanisms and execute arbitrary code remotely, potentially leading to full system compromise and data exfiltration.
Understanding the Vulnerabilities
The exploit leverages two specific vulnerabilities:
1. CVE-2025-31324: This vulnerability involves a missing authorization check in SAP NetWeaver’s Visual Composer development server, allowing unauthorized access to certain functionalities.
2. CVE-2025-42999: This flaw pertains to insecure deserialization within the same component, which can be exploited to execute arbitrary code.
Both vulnerabilities were addressed by SAP in April and May 2025. However, evidence indicates that threat actors had been exploiting these flaws as zero-day vulnerabilities since at least March 2025.
Exploitation in the Wild
Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing these vulnerabilities. Additionally, several China-linked espionage groups have utilized these flaws to target critical infrastructure networks.
The exploit was first reported by vx-underground, which noted its release by a new alliance known as Scattered Lapsus$ Hunters, formed by the collaboration of Scattered Spider and ShinyHunters.
Technical Details of the Exploit
The attack sequence begins with the exploitation of CVE-2025-31324 to bypass authentication and upload a malicious payload to the server. Subsequently, CVE-2025-42999 is exploited to deserialize and execute the payload with elevated privileges.
This method allows attackers to deploy web shells and conduct living-off-the-land (LotL) attacks by executing operating system commands directly, without the need to introduce additional artifacts. These commands run with SAP administrator privileges, granting unauthorized access to SAP data and system resources.
Broader Implications
The publication of this deserialization exploit is particularly concerning because it can be adapted to exploit other vulnerabilities recently patched by SAP in July 2025, including:
– CVE-2025-30012: A critical vulnerability with a CVSS score of 10.0.
– CVE-2025-42963: A high-severity vulnerability with a CVSS score of 9.1.
– CVE-2025-42964: Another high-severity vulnerability with a CVSS score of 9.1.
– CVE-2025-42966: A high-severity vulnerability with a CVSS score of 9.1.
– CVE-2025-42980: A high-severity vulnerability with a CVSS score of 9.1.
These vulnerabilities, if exploited, could lead to unauthorized access and control over SAP systems, emphasizing the need for immediate action.
Recommendations for SAP Users
Given the sophisticated knowledge threat actors have of SAP applications, it is imperative for organizations to:
1. Apply the Latest Patches: Ensure that all SAP systems are updated with the latest security patches to mitigate known vulnerabilities.
2. Restrict Internet Access: Review and limit access to SAP applications from the internet to reduce exposure to potential attacks.
3. Monitor for Compromise: Implement continuous monitoring of SAP applications to detect any signs of unauthorized access or compromise.
By taking these proactive measures, organizations can significantly reduce the risk posed by these vulnerabilities and protect their critical systems and data.
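As an added illustration of the "Monitor for Compromise" step (example code written for this note, not from the article, SAP, or any vendor), the script below scans HTTP access log lines for the chain described under Technical Details: an unauthenticated POST to the Visual Composer development server upload endpoint, followed by requests from the same source for a .jsp resource, which is how a dropped web shell would be reached. The endpoint path, the log format, and the sample lines are assumptions constructed for the example; align them with SAP's advisory and your ICM or Web Dispatcher log layout.

```python
import re

# Assumptions for this example (not taken from the article): the Visual Composer
# development server upload endpoint path, and a combined-log-style access log
# format. Adjust both to SAP's advisory and your actual log layout.
VC_UPLOAD_PATH = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log lines (not real traffic); the .jsp name is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:08:14:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2025:08:14:05 +0000] "GET /irj/servlet_jsp/irj/root/cache.jsp?cmd=whoami HTTP/1.1" 200 88
10.0.0.5 - devuser [10/Sep/2025:08:20:11 +0000] "GET /irj/portal HTTP/1.1" 200 9034
198.51.100.9 - - [10/Sep/2025:09:01:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 45
"""


def parse(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return (ip, reason, request_path) findings for two signals:
    an unauthenticated POST to the upload endpoint, and any later request
    from the same source IP for a .jsp resource (possible web shell use)."""
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        unauthenticated = rec["user"] == "-"
        if rec["method"] == "POST" and path.startswith(VC_UPLOAD_PATH) and unauthenticated:
            uploaders.add(rec["ip"])
            findings.append((rec["ip"], "unauthenticated upload to Visual Composer endpoint", rec["path"]))
        elif rec["ip"] in uploaders and path.lower().endswith(".jsp"):
            findings.append((rec["ip"], "post-upload .jsp request (possible web shell)", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, reason, path in find_suspicious(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{path}")
```

A plain GET to the endpoint without a prior unauthenticated POST is deliberately not flagged, so scanner noise does not swamp the findings; tighten or loosen the rules to suit your baseline.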