Understanding the Critical SAP NetWeaver Vulnerabilities and Their Impact

Alex Cipher, 5 min read

SAP NetWeaver, a vital component in many enterprise environments, is currently facing significant security challenges due to severe vulnerabilities. The most concerning of these is CVE-2025-31324, a missing authorization check that allows unauthenticated file uploads and can lead to remote code execution. This vulnerability has been actively exploited, as highlighted by Onapsis, and carries a maximum CVSS score of 10.0, underscoring its critical nature (Cybersecurity News). Another significant vulnerability, CVE-2025-42999, involves insecure deserialization; chained with CVE-2025-31324, it enables attackers to execute arbitrary commands (Bleeping Computer). Both vulnerabilities have been exploited in the wild, posing a substantial threat to organizations that rely on SAP systems.

Exploitation of SAP NetWeaver Vulnerabilities

Overview of Recent Vulnerabilities

In recent months, SAP NetWeaver has been the target of significant cyber threats due to vulnerabilities that have been actively exploited by threat actors. The most critical of these vulnerabilities is CVE-2025-31324, which has been identified as a “Missing Authorization check in SAP NetWeaver (Visual Composer development server).” This flaw allows unauthenticated users to upload malicious files, leading to potential remote code execution (Onapsis). The vulnerability carries a maximum CVSS score of 10.0, highlighting its severity (Cybersecurity News).

Another vulnerability, CVE-2025-42999, involves insecure deserialization; chained with CVE-2025-31324, it allows attackers to execute arbitrary commands without privileges (Bleeping Computer). These vulnerabilities have been exploited in the wild, with threat actors using them to gain unauthorized access to SAP systems.

Methods of Exploitation

The exploitation of these vulnerabilities has relied primarily on unauthorized file uploads. Threat actors have been observed uploading JSP web shells to publicly served directories, thereby gaining persistent access to compromised systems (Bleeping Computer). The Brute Ratel red team tool has also been used post-exploitation to further compromise systems.

The exploitation process often begins with the upload of a malicious file, which is then executed to establish a backdoor on the system. This allows attackers to perform various malicious activities, such as data exfiltration, lateral movement within the network, and further exploitation of other vulnerabilities.

Impact on Organizations

The impact of these vulnerabilities on organizations has been significant. According to Onapsis, multiple Fortune 500 and Global 500 companies have been affected, with at least 1,284 vulnerable instances exposed online, and 474 already compromised (Bleeping Computer). The widespread exploitation has affected critical industries, with SAP’s extensive presence in government and enterprise systems exacerbating the issue (CyberScoop).

The Shadowserver Foundation has reported over 2,040 SAP NetWeaver servers exposed on the Internet and vulnerable to attacks (Bleeping Computer). This widespread exposure increases the risk of further exploitation and highlights the urgent need for organizations to secure their systems.

Attribution to Threat Actors

The exploitation of these vulnerabilities has been linked to a Chinese threat actor tracked as Chaya_004 by Forescout’s Vedere Labs (Bleeping Computer). This group has been observed targeting Internet-facing SAP applications, leveraging the vulnerabilities to gain unauthorized access and establish persistence on compromised systems.

The involvement of advanced threat actors in the exploitation of these vulnerabilities underscores the sophistication of the attacks and the need for robust security measures to protect against such threats.

Mitigation and Response

To mitigate the risks associated with these vulnerabilities, SAP has released out-of-band patches and updated security notes to address the issues (Tenable). Organizations are strongly encouraged to apply these patches immediately to secure their systems against exploitation.

Additionally, SAP administrators are advised to disable the Visual Composer service if possible, restrict access to metadata uploader services, and monitor for suspicious activity on their servers (Bleeping Computer). These measures can help reduce the attack surface and prevent unauthorized access.
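The monitoring advice above, and the upload-then-web-shell pattern described under "Methods of Exploitation", can be turned into a simple log-hunting check. The script below is an added example written for this article; it is not code from the article's sources, from SAP, or from any vendor. It parses constructed access-log lines in a combined-style format and raises a finding for (a) any POST to the Visual Composer metadata uploader path, whether or not the request carried credentials, since the flaw is a missing authorization check, and (b) any request to a `.jsp` file that is not in an operator-supplied baseline of known JSP files. The uploader path, the log format and the sample lines are assumptions labelled in the code; adjust the path and the baseline to your own deployment.

```python
"""Hunt for CVE-2025-31324-style activity in web server access logs.

Added example for this article, not from the article's sources or SAP.
Assumptions:
  - UPLOADER_PATH is the metadata uploader path reported in public
    advisories for this flaw (assumed; verify against your own system).
  - Log lines are in a combined-style format (constructed sample below).
  - KNOWN_JSP is a baseline of legitimately deployed JSP files that the
    operator maintains; anything outside it is reported for review.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: Visual Composer metadata uploader path as reported publicly.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-style access log: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    rule: str      # "uploader_post" or "unknown_jsp"
    ip: str
    ts: str
    path: str
    status: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, known_jsp):
    """Scan log lines and return findings in log order.

    A request path is compared without its query string. Each unknown JSP
    path is reported once, the first time it is seen.
    """
    findings = []
    seen_jsp = set(known_jsp)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the hunt
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.lower() == UPLOADER_PATH:
            # Any POST here is worth a look: the vulnerable endpoint does not
            # check authorization, so the user field proves nothing.
            findings.append(Finding("uploader_post", rec["ip"], rec["ts"],
                                    path, rec["status"]))
        if path.lower().endswith(".jsp") and path not in seen_jsp:
            seen_jsp.add(path)
            findings.append(Finding("unknown_jsp", rec["ip"], rec["ts"],
                                    path, rec["status"]))
    return findings


# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2025:10:14:02 +0000] '
    '"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Apr/2025:10:14:05 +0000] '
    '"GET /irj/helper.jsp HTTP/1.1" 200 1024',
    '198.51.100.4 - - [25/Apr/2025:10:15:00 +0000] '
    '"GET /irj/portal HTTP/1.1" 200 20480',
    '198.51.100.4 - - [25/Apr/2025:10:15:03 +0000] '
    '"GET /irj/index.jsp HTTP/1.1" 200 4096',
    'this line is not an access log entry',
]

# Constructed baseline: JSP files the operator knows are legitimately deployed.
KNOWN_JSP = {"/irj/index.jsp"}


def scan_sample():
    """Run the hunt over the constructed sample; returns two findings."""
    return scan(SAMPLE_LOG, KNOWN_JSP)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.rule:14} {f.ip:15} {f.ts}  {f.path}  status={f.status}")
```

On the sample data the script reports the POST to the uploader path and the request to `/irj/helper.jsp`, which is absent from the baseline; `/irj/index.jsp` is in the baseline and is not reported. In practice the baseline should be generated from a known-good deployment, and the uploader rule is best paired with the vendor guidance above (disable Visual Composer where possible and restrict access to the uploader), since a blocked request still appears in the log and confirms that someone is probing the endpoint.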

The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems by May 20, 2025, as mandated by Binding Operational Directive (BOD) 22-01 (Bleeping Computer). This directive highlights the critical nature of these vulnerabilities and the need for immediate action to protect against exploitation.

Future Outlook

The exploitation of SAP NetWeaver vulnerabilities is likely to continue as threat actors seek to take advantage of unpatched systems. The widespread impact and severity of these vulnerabilities underscore the importance of timely patching and proactive security measures to protect against future attacks.

Organizations must remain vigilant and continuously monitor their systems for signs of compromise. Implementing robust security practices, such as regular vulnerability assessments, network segmentation, and incident response planning, can help mitigate the risks associated with these and other vulnerabilities.

As the threat landscape evolves, collaboration between organizations, security researchers, and government agencies will be crucial in identifying and addressing emerging threats. By sharing information and best practices, the cybersecurity community can work together to enhance the security of critical systems and protect against exploitation.

Final Thoughts

The ongoing exploitation of SAP NetWeaver vulnerabilities underscores the critical need for organizations to prioritize cybersecurity measures. With over 2,040 SAP NetWeaver servers exposed online, the risk of further attacks remains high (Bleeping Computer). The involvement of sophisticated threat actors, such as the Chinese group Chaya_004, highlights the complexity and persistence of these threats (Bleeping Computer). Organizations must act swiftly to apply patches and implement robust security practices to mitigate these risks. Collaboration between companies, security researchers, and government agencies will be essential in combating these threats and securing critical systems for the future.
