
A new exploit that combines two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.
The exploit in question chains CVE-2025-31324 and CVE-2025-42999 together to bypass authentication and achieve remote code execution, SAP security company Onapsis said.
CVE-2025-31324 (CVSS score: 10.0) – Missing authorization check in the Visual Composer Development Server of SAP NetWeaver
CVE-2025-42999 (CVSS score: 9.1) – Deserialization vulnerability in SAP NetWeaver
The vulnerabilities were addressed by SAP in April and May 2025, but not before being abused as zero-days by threat actors since at least March.

Several ransomware and data extortion groups, including Qilin, BianLian and RansomExx, have been observed weaponizing the flaws, not to mention China-nexus espionage crews that have also used them in attacks targeting critical infrastructure networks.
The existence of the exploit was first reported last week by vx-underground, which said it was released by Scattered LAPSUS$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters.
“These vulnerabilities allow uncertified attackers to execute arbitrary commands on the target SAP system, including uploading any file,” Onapsis said. “This could lead to remote code execution (RCE) and complete acquisition of business data and processes for affected systems and SAP.”
According to the company, the exploit can be used not only to deploy web shells but also to carry out living-off-the-land (LotL) attacks by directly executing operating system commands without dropping additional artifacts on compromised systems. These commands run with SAP administrator privileges, granting bad actors unauthorized access to SAP data and system resources.
Specifically, the attack chain first uses CVE-2025-31324 to bypass authentication and upload the malicious payload to the server. It then exploits the deserialization vulnerability (CVE-2025-42999) to unpack the payload and execute it with elevated permissions.
“The publication of this escape gadget is particularly concerning due to the fact that it can be reused in other contexts, such as taking advantage of the escape vulnerability recently patched by SAP in July,” Onapsis warned.

Describing the threat actors as having extensive knowledge of SAP applications, the company is urging SAP users to apply the latest fixes as quickly as possible, review and restrict access to SAP applications from the internet, and monitor SAP applications for signs of compromise.