Researchers at Vx-Underground have flagged a newly released exploit targeting SAP NetWeaver that was shared via Telegram on August 16, 2025. A threat actor, allegedly affiliated with Scattered Spider, claimed they had access to a zero-day vulnerability.
Researchers at software company Onapsis analyzed the exploit, and reported that it chains two previously known vulnerabilities, both of which were patched earlier this year. We reported on these two flaws, tracked as CVE-2025-31324 and CVE-2025-42999, as they were being actively exploited in May 2025.
According to the report from Onapsis, the exploit has a modular design. This means it allows threat actors to reuse and adapt its components across different vulnerabilities and systems.
The CVE-2025-42999 component abuses deserialization gadgets and can be repurposed against other SAP vulnerabilities, including the recently patched CVE-2025-42963 and CVE-2025-42964, without the need to develop a new exploit. The chained attack allows adversaries to upload and execute malicious payloads with high privileges, potentially leading to full system compromise.
Analyst insight
This exploit allows threat actors to execute native operating system commands directly on the target system without leaving behind any artifacts. These commands run under the SAP administrator account (adm), granting full access to system resources and sensitive business data.
This “living off the land” approach makes detection more difficult and allows attackers to operate stealthily within compromised environments.
Further, the exploit’s modularity enables threat actors to reuse it for new CVEs, which significantly broadens the attack surface for SAP users. The reuse of deserialization gadgets across SAP components means that even systems with the May 2025 patches applied could be exposed to targeting.
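Because the chain ends with native OS commands running under the SAP administrator account rather than with a dropped binary, the behavioral signal a defender can look for is a shell or system utility whose parent is the NetWeaver Java server process. The following is an added example of that detection logic, not code from the original post or from Field Effect; the event fields, the SAP process names (jlaunch, java), the account name sapadm and the sample telemetry are constructed assumptions.

```python
"""Flag native OS commands spawned by the SAP NetWeaver Java server process.

Added illustration: field names, process names, the sapadm account and the
sample events are constructed assumptions, not data from the original post.
"""
from dataclasses import dataclass

# Utilities an SAP application server process has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe",
                       "curl", "wget", "whoami", "id", "nc"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    user: str
    image: str      # basename of the executable
    cmdline: str


def find_lotl_from_sap(events, sap_images=("jlaunch", "java"), admin_suffix="adm"):
    """Return events where a suspicious utility is a direct child of an SAP
    Java server process and runs under an account ending in the admin suffix
    (SAP administrator accounts conventionally end in 'adm')."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (e.image in SUSPICIOUS_CHILDREN
                and parent.image in sap_images
                and e.user.endswith(admin_suffix)):
            hits.append(e)
    return hits


# Constructed sample telemetry: a normal NetWeaver process tree plus one
# anomalous shell launched by the Java server process.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, "sapadm", "sapstartsrv", "sapstartsrv pf=<profile>"),
    ProcessEvent(1100, 1000, "sapadm", "jlaunch", "jlaunch pf=<profile>"),
    ProcessEvent(1200, 1100, "sapadm", "sh", "sh -c 'id; uname -a'"),
    ProcessEvent(1300, 1100, "sapadm", "java", "java -cp <classpath> ..."),
    ProcessEvent(2000, 1, "root", "bash", "bash"),   # interactive admin shell
]

if __name__ == "__main__":
    for hit in find_lotl_from_sap(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} user={hit.user} cmd={hit.cmdline}")
```

Only the shell under pid 1200 is reported; the JVM child of jlaunch and the unrelated root shell are not, which is the distinction a signature on a dropped file cannot make.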
The latest SAP updates included critical fixes that should be reviewed and applied without delay. SAP systems should never be directly exposed to the internet. Enforce strict firewall rules, VPN-only access for administrative interfaces, and multi-factor authentication for all SAP-related services.
By combining endpoint visibility, network telemetry, and contextual threat intelligence, Field Effect MDR offers a layered defense against modular exploits like this one. MSPs benefit from simplified alerting, expert-driven analysis, and automated remediation workflows.
Field Effect MDR focuses on behavioral anomalies and system-level activity rather than relying solely on signature-based detection. This is particularly important for exploits that use “living off the land” techniques, where attackers execute native OS commands without deploying malware.
In addition to real-time detection, Field Effect MDR continuously scans environments for vulnerable software. If SAP NetWeaver components affected by these CVEs are detected, it automatically flags them and provides patching guidance. This proactive approach helps organizations address risks before exploitation occurs.
Following the reports of exploitation, Field Effect issued AROs to ensure clients were aware of the chaining technique and its implications.