Dozens of SAP NetWeaver situations are prone to compromise after a risk actor launched a brand new working exploit that chains two critical-severity vulnerabilities for code execution.
The issues, tracked as CVE-2025-31324 (CVSS rating of 10) and CVE-2025-42999 (CVSS rating of 9.1), are described as a lacking authorization examine problem and an insecure deserialization bug, and had been resolved with safety notes launched in April and Might, respectively.
Each safety defects had been exploited within the wild earlier than fixes had been rolled out for them, for the deployment of internet shells and distant command execution. Ransomware teams corresponding to BianLian and RansomEXX, and Chinese language APTs had been seen focusing on them.
On Friday, risk intelligence and analysis venture Vx-Underground warned that somebody apparently linked to the Scattered Spider cybercrime group launched on Telegram a brand new – allegedly zero-day – exploit focusing on SAP NetWeaver situations.
After analyzing the exploit, enterprise software safety agency Onapsis concluded that it was truly constructed to chain the recognized flaws CVE-2025-31324 and CVE-2025-42999 for the execution of arbitrary system instructions with administrator privileges.
“In essence, the attackers first use the lacking authentication vulnerability (CVE-2025-31324) to entry the vital performance with out authentication and get their malicious payload to the server. Then, they exploit the de-serialization flaw (CVE-2025-42999) to deserialize the malicious payload and execute that code with the privileges of the SAP system,” Onapsis explains.
The safety agency warns that the deserialization gadget on this exploit may very well be reused in different contexts, such because the exploitation of deserialization flaws that SAP patched in July.
“This doubtlessly opens up new assault vectors in different areas of SAP purposes. It’s a strong software in an attacker’s arsenal, and its publication within the wild is a big occasion. Organizations ought to guarantee these SAP vulnerabilities have been additionally promptly patched of their environments,” Onapsis notes.Commercial. Scroll to proceed studying.
Whereas the exploit doesn’t goal new SAP vulnerabilities, NetWeaver situations that haven’t been patched towards CVE-2025-31324 and CVE-2025-42999 are uncovered to a recent wave of assaults.
In line with information from The Shadowserver Basis, over 50 NetWeaver servers had been nonetheless weak to CVE-2025-31324 as of August 18. The quantity is considerably decrease in comparison with the 400 weak situations noticed on the finish of April.
Associated: SAP Patches Essential S/4HANA Vulnerability
Associated: A whole bunch of N-able N-central Situations Affected by Exploited Vulnerabilities
Associated: OT Networks Focused in Widespread Exploitation of Erlang/OTP Vulnerability
Associated: Vulnerabilities in Xerox Print Orchestration Product Enable Distant Code Execution
