
New SAP NetWeaver Exploit Chains Two Critical CVEs for Remote Code Execution

A new exploit has emerged in the wild, combining two critical, now-patched security flaws in SAP NetWeaver, which puts organizations at risk of system compromise and data theft.

This exploit chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, according to SAP security company Onapsis.

  • CVE-2025-31324 (CVSS score: 10.0): Missing Authorization check in SAP NetWeaver’s Visual Composer development server
  • CVE-2025-42999 (CVSS score: 9.1): Insecure Deserialization in SAP NetWeaver’s Visual Composer development server

SAP addressed these vulnerabilities in April and May 2025; however, threat actors had already been abusing them as zero-days since at least March, before patches were available.

Ransomware Gangs Involved

Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have weaponized these flaws. Additionally, several China-nexus espionage crews have also exploited them in attacks targeting critical infrastructure networks.

The existence of the exploit first came to light last week when vx-underground reported it, stating that Scattered Lapsus$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters, released it.

Onapsis stated, “These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files.” This situation can lead to remote code execution (RCE) and a complete takeover of the affected system, along with SAP business data and processes.

The company added that the exploit can not only deploy web shells but also support living-off-the-land (LotL) tradecraft by executing operating system commands directly, without dropping additional artifacts on the compromised system. These commands run with the privileges of the SAP administrator account, giving attackers unauthorized access to SAP data and system resources while leaving fewer file-based indicators for defenders to find.

Specifically, the attack chain first uses CVE-2025-31324 to bypass authentication and upload a malicious payload to the server. The deserialization vulnerability (CVE-2025-42999) is then exploited to unpack that payload and execute it with elevated permissions. Because the chain needs no valid credentials, any instance with the Visual Composer development server reachable from the internet is exposed.

Onapsis warned, “The publication of this deserialization gadget is particularly concerning because it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that SAP recently patched in July.”

This includes:

Describing the threat actors as having extensive knowledge of SAP applications, the company urges SAP users to apply the latest fixes as soon as possible, review and restrict access to SAP applications from the internet, and monitor SAP applications for any signs of compromise.
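The monitoring advice above is easier to act on with a concrete check. The following script is an added example, not code from the article, Onapsis or SAP: it scans HTTP access-log lines for the two behaviours the article describes, reaching the unauthenticated upload endpoint and then calling a JSP web shell, and correlates them per source IP. The endpoint path (`/developmentserver/metadatauploader`) and the web-shell directory (`.../irj/servlet_jsp/irj/root/`) are assumptions taken from public advisories on CVE-2025-31324, not from this page, and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# ASSUMPTIONS (from public advisories, not from the article): the Visual
# Composer upload endpoint abused by CVE-2025-31324 and the directory in
# which uploaded JSP web shells have been reported to land.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_DIR_HINT = "/irj/servlet_jsp/irj/root/"

# Constructed sample log in a common-log-style format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:08:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2025:08:01:15 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 872
203.0.113.7 - - [10/Sep/2025:08:01:17 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412
203.0.113.7 - - [10/Sep/2025:08:01:25 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 96
198.51.100.4 - - [10/Sep/2025:08:02:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Return a list of findings for requests matching the exploit-chain pattern.

    Any request to the uploader endpoint is suspicious because the endpoint
    should be unreachable from untrusted networks; a POST that succeeds is
    rated critical. A request to a .jsp under the web-shell directory is rated
    high, or critical when the same IP previously POSTed to the uploader,
    which mirrors the upload-then-execute chain described in the article.
    """
    findings = []
    uploader_posts = defaultdict(int)  # ip -> number of POSTs to the uploader
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == UPLOADER_PATH:
            is_post_ok = rec["method"] == "POST" and rec["status"] == 200
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "severity": "critical" if is_post_ok else "high",
                "reason": "request to Visual Composer metadata uploader endpoint",
                "chained": False,
            })
            if rec["method"] == "POST":
                uploader_posts[rec["ip"]] += 1
        elif rec["path"].startswith(WEBSHELL_DIR_HINT) and rec["path"].endswith(".jsp"):
            chained = uploader_posts.get(rec["ip"], 0) > 0
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "severity": "critical" if chained else "high",
                "reason": "JSP requested from web-shell drop directory",
                "chained": chained,
            })
    return findings


def suspicious_ips(findings):
    """Set of source IPs that have at least one critical finding."""
    return {f["ip"] for f in findings if f["severity"] == "critical"}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity'].upper():8} {f['ip']:15} {f['ts']} {f['path']} ({f['reason']})")
```

Run it against the sample and it reports the GET to the uploader as high, the successful POST as critical, and the later JSP request from the same IP as a chained critical finding; the unrelated portal traffic from 198.51.100.4 produces nothing. Adjust the two path constants to match what you actually observe in your environment, and treat a hit on the uploader endpoint from the internet as a sign that the endpoint was never restricted, regardless of whether a web shell followed.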

Source: TheHackerNews
