
Interconnected SAP exploits allow remote code execution

A new exploit has emerged that combines two critical, now-patched security flaws in SAP NetWeaver, exposing affected organisations to system compromise and data theft. The exploit chains CVE-2025-31324, a missing authorisation check with a CVSS score of 10.0, with CVE-2025-42999, an insecure deserialization flaw rated 9.1. SAP addressed the two vulnerabilities in April and May 2025, but threat actors had been exploiting them as zero-days since at least March. Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have weaponised the flaws, alongside several China-nexus espionage crews targeting critical infrastructure networks.

The exploit allows unauthenticated attackers to execute arbitrary commands on the target SAP system, including uploading malicious files, leading to remote code execution and complete system takeover. The attack chain first uses CVE-2025-31324 to bypass authentication and upload a malicious payload, then exploits CVE-2025-42999 to unpack and execute that payload with elevated permissions. Onapsis warns that the deserialization gadget can be reused in other contexts and may therefore also affect recently patched vulnerabilities. The company urges SAP users to apply the latest fixes promptly, restrict access to SAP applications from the internet, and monitor for any signs of compromise.
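The two mitigations above (keep SAP application endpoints off the internet, and watch for signs of compromise) can be checked against ordinary web-server access logs. The script below is an added illustration, not code from the article, SAP or Onapsis: it scans combined-format log lines for POST requests to an upload endpoint that arrive from outside the networks allowed to reach the application layer, or that carry no authenticated user, and reports whether the server accepted the upload. The endpoint path `UPLOAD_ENDPOINT_PLACEHOLDER`, the trusted network ranges, and the sample log lines are all assumptions constructed for the example; the path should be replaced with the endpoint(s) named in SAP's advisory.

```python
"""Triage an access log for internet-exposed, unauthenticated uploads.

Added example (not from the article or from SAP/Onapsis). Assumptions:
combined/common log format, UPLOAD_PATHS is a placeholder for the endpoint
paths from the vendor advisory, TRUSTED_NETS lists the networks that may
reach the SAP application server directly.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder: substitute the upload endpoint path(s) from the vendor advisory.
UPLOAD_PATHS = ("/UPLOAD_ENDPOINT_PLACEHOLDER",)

# Networks that are allowed to reach the application server at all (assumed).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ts: str
    ip: str
    path: str
    status: int
    accepted: bool          # True when the server answered HTTP 200
    reasons: tuple          # why the request was flagged


def is_trusted(ip: str) -> bool:
    """Return True when the source address lies inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Flag POSTs to the upload endpoint that violate the exposure policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not any(path.startswith(p) for p in UPLOAD_PATHS):
            continue
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("upload endpoint reached from outside trusted networks")
        if m["user"] == "-":
            reasons.append("no authenticated user recorded on upload request")
        if reasons:
            status = int(m["status"])
            findings.append(Finding(m["ts"], m["ip"], path, status, status == 200, tuple(reasons)))
    return findings


# Constructed sample log: one normal portal hit, one external unauthenticated
# upload that succeeded, one internal authenticated upload (legitimate), and
# one external attempt the server rejected (still shows the endpoint is exposed).
SAMPLE_LOG = [
    '10.20.30.40 - alice [12/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.77 - - [12/May/2025:10:05:41 +0000] "POST /UPLOAD_ENDPOINT_PLACEHOLDER HTTP/1.1" 200 318',
    '10.20.30.41 - deploy_svc [12/May/2025:10:06:00 +0000] "POST /UPLOAD_ENDPOINT_PLACEHOLDER HTTP/1.1" 200 318',
    '198.51.100.9 - - [12/May/2025:10:07:13 +0000] "POST /UPLOAD_ENDPOINT_PLACEHOLDER HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "ACCEPTED upload" if f.accepted else "rejected attempt"
        print(f"{f.ts} {f.ip} {f.path} -> {verdict}; " + "; ".join(f.reasons))
```

Any finding with `accepted == True` warrants an immediate search of the application server's file system for files written around that timestamp; any finding at all, accepted or not, means the endpoint is reachable from a network it should not be, which is the exposure the advisory tells administrators to remove.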
