
SAP Netweaver exploits CVE-2025-31324 and CVE-2025-42999 publicly released

A working exploit that chains two critical SAP Netweaver vulnerabilities, CVE-2025-31324 and CVE-2025-42999, has been made public by VX Underground, according to a warning from Onapsis security researchers. The exploit was reportedly released on a Telegram channel associated with a collective of three established cybercrime groups: Scattered Spider, ShinyHunters, and LAPSUS$. Earlier this year, CVE-2025-31324, a missing-authentication flaw, was exploited by an initial access broker group to upload webshells, paving the way for subsequent ransomware attacks; opportunistic threat actors then leveraged the webshells already planted on vulnerable systems. In mid-May, SAP released a fix for CVE-2025-42999 that changed the file-processing mechanism in SAP Visual Composer, addressing residual risk left by the earlier patch for CVE-2025-31324.

The newly released exploit chains CVE-2025-31324 with CVE-2025-42999, a deserialization flaw that lets attackers execute malicious payloads on vulnerable SAP systems. Its publication means that even less skilled attackers can now exploit these vulnerabilities. Onapsis researchers noted that the exploit allows direct execution of operating system commands with SAP administrator privileges, giving full access to SAP data and system resources. Although many companies have patched these flaws, the Shadowserver Foundation reports that fewer than 50 internet-facing SAP Netweaver systems remain unpatched for CVE-2025-31324. Onapsis cautions that the deserialization gadget could be repurposed to exploit other recently patched vulnerabilities, potentially opening new attack vectors within SAP applications. Organisations are advised to apply the latest SAP security patches promptly, restrict access to SAP applications, and monitor for suspicious activity such as unexpected file uploads or unusual processes.
