Critical SAP NetWeaver Vulnerabilities Exploited: Authentication Bypass and Remote Code Execution Risks

TL;DR

Two critical vulnerabilities in SAP NetWeaver, tracked as CVE-2025-31324 (CVSS score: 10.0) and CVE-2025-42999 (CVSS score: 9.1), are being actively exploited by threat actors. These flaws enable authentication bypass and remote code execution (RCE), allowing attackers to fully compromise SAP systems, steal sensitive data, and disrupt operations. Organizations are urged to apply patches immediately to mitigate risks.

---

Introduction

In August 2025, cybersecurity researchers uncovered a highly dangerous exploit targeting SAP NetWeaver, a critical enterprise resource planning (ERP) system used by organizations worldwide. The exploit chains two severe vulnerabilities, CVE-2025-31324 and CVE-2025-42999, to bypass authentication and execute arbitrary code on vulnerable systems. With a maximum CVSS score of 10.0, these vulnerabilities pose a significant threat to organizations relying on SAP NetWeaver for their business operations.

This article explores the technical details of the vulnerabilities, their potential impact, and the steps organizations can take to protect their systems.

---

Understanding the Vulnerabilities

1. CVE-2025-31324: Missing Authorization Check

• CVSS Score: 10.0 (Critical)
• Affected Component: SAP NetWeaver’s Visual Composer Metadata Uploader
• Issue: A missing authorization check allows unauthenticated attackers to upload malicious executable files to the system.
• Impact: Attackers can execute arbitrary code on the host system, leading to a full compromise of the SAP environment.
• Patch Status: Addressed in SAP’s April 2025 Security Patch Day ¹.

2. CVE-2025-42999: Insecure Deserialization

• CVSS Score: 9.1 (Critical)
• Affected Component: SAP NetWeaver’s Visual Composer development server
• Issue: An insecure deserialization flaw enables privileged users to upload malicious content, compromising system confidentiality, integrity, and availability.
• Impact: Successful exploitation can lead to remote code execution (RCE) and system takeover.
• Patch Status: Added to CISA’s Known Exploited Vulnerabilities Catalog in May 2025 ².

---

Exploit Details: How Attackers Gain Full System Control

Exploit Chain

Threat actors are chaining CVE-2025-31324 and CVE-2025-42999 to achieve the following:

1. Bypass Authentication: Exploit the missing authorization check in CVE-2025-31324 to upload malicious files.
2. Execute Arbitrary Code: Use the insecure deserialization flaw in CVE-2025-42999 to execute malicious payloads with admin privileges.
3. Deploy Webshells: Gain persistent access to the system, allowing attackers to steal data, disrupt operations, or pivot to other systems.

Key Observations

• The exploit does not leave artifacts on the system, making detection challenging.
• The deserialization gadget used in this exploit can be reused to target other SAP applications, increasing the attack surface ³.
• The exploit has been actively observed in the wild, posing an immediate threat to unpatched systems.

---

Impact on Organizations

Potential Risks

• Data Theft: Attackers can exfiltrate sensitive business data, including financial records, customer information, and intellectual property.
• System Takeover: Full control over SAP systems enables attackers to disrupt operations, leading to financial losses and reputational damage.
• Regulatory Penalties: Failure to patch known vulnerabilities may result in non-compliance with data protection regulations (e.g., GDPR, CCPA).

Industries at Risk

• Manufacturing
• Finance
• Healthcare
• Retail
• Logistics

Organizations in these sectors must prioritize patching to avoid catastrophic breaches.

---

Mitigation Strategies

1. Apply SAP Security Patches

• Immediately install the patches released in April 2025 for CVE-2025-31324 and May 2025 for CVE-2025-42999.
• Follow SAP’s Security Notes for guidance.

2. Monitor for Suspicious Activity

• Use SAP-specific security tools to detect unauthorized file uploads and malicious code execution.
• Implement network segmentation to limit lateral movement.

3. Conduct Regular Security Audits

• Perform vulnerability assessments to identify unpatched systems.
• Use open-source scanners provided by Onapsis to check for exposure.

4. Educate Employees

• Train staff on recognizing phishing attempts and reporting suspicious activity.
• Ensure IT teams are aware of the latest SAP vulnerabilities and exploits.

---

Expert Insights

“The publication of this deserialization gadget is particularly concerning because it can be reused in other contexts, such as exploiting the deserialization vulnerabilities patched by SAP in July 2025. This opens up new attack vectors in other areas of SAP applications, making it a powerful tool in an attacker’s arsenal.” — Onapsis ³

“Organizations should ensure these SAP vulnerabilities are promptly patched in their environments. The active exploitation of these flaws makes them a clear and present danger.” — U.S. Cybersecurity and Infrastructure Security Agency (CISA) ²

---

Conclusion

The exploitation of CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver highlights the critical importance of proactive cybersecurity measures. Organizations must act swiftly to apply patches, monitor for suspicious activity, and strengthen their defenses against evolving threats. Failure to do so could result in devastating data breaches, financial losses, and operational disruptions.

As cybercriminals continue to refine their tactics, staying ahead of vulnerabilities is not just a best practice—it’s a business imperative.

---

Additional Resources

For further insights, check:

• SAP Security Patch Day – April 2025
• CISA’s Known Exploited Vulnerabilities Catalog
• Onapsis Blog: New Exploit for CVE-2025-31324
• Onapsis GitHub: Open-Source Scanners

---

References

1. SAP. (2025, April). “April 2025 Security Patch Day”. SAP Support. Retrieved 2025-08-20. ↩︎

2. U.S. Cybersecurity and Infrastructure Security Agency (CISA). (2025, May). “Known Exploited Vulnerabilities Catalog”. CISA. Retrieved 2025-08-20. ↩︎ ↩︎²

3. Onapsis. (2025, August). “New Exploit for CVE-2025-31324”. Onapsis Blog. Retrieved 2025-08-20. ↩︎ ↩︎²