
May 14, 2025

Second zero-day in SAP NetWeaver actively exploited


SAP has recently addressed a second zero-day vulnerability, identified as CVE-2025-42999, which was actively exploited in attacks targeting SAP NetWeaver servers.

This discovery followed the earlier identification of CVE-2025-31324, another zero-day flaw in the Visual Composer component, patched in April. The new vulnerability involves insecure deserialization in the Metadata Uploader, allowing attackers to execute arbitrary code on affected systems.

Security researchers observed that threat actors have combined both vulnerabilities in a chain of exploits. Initially, they exploited CVE-2025-31324 to upload malicious files without authentication. Subsequently, they leveraged CVE-2025-42999 to execute these files, achieving remote code execution even on fully patched systems. This tactic enabled the deployment of tools like the sophisticated post-exploitation and red teaming toolkit Brute Ratel, facilitating deeper system compromise.


Investigations revealed that these attacks have been ongoing since at least January, with some linked to a Chinese threat actor known as Chaya_004. The Shadowserver Foundation reported over 2,000 SAP NetWeaver servers exposed online and vulnerable to these exploits, underscoring the widespread risk.

SAP has released patches to address these vulnerabilities and urges all customers using SAP NetWeaver to apply them promptly. Organizations are also advised to review their systems for signs of compromise and implement robust security measures to prevent future attacks.

Source: Bleeping Computer

Analysis

While both vulnerabilities are severe, CVE-2025-31324 poses a higher risk to organizations due to the lack of authentication required for exploitation, making it more accessible to attackers. However, CVE-2025-42999, although requiring privileged access, becomes particularly dangerous when combined with CVE-2025-31324, as attackers can first gain access through the unauthenticated file upload and then escalate their privileges using the deserialization flaw.

These SAP vulnerabilities continue to pose a significant threat due to both their severity and the critical systems they affect. These systems often support essential business operations—such as finance, supply chain, and HR—making them prime targets for threat actors who go on to exfiltrate sensitive data, commit financial fraud, plant ransomware, or establish long-term surveillance within compromised environments.

SAP vulnerabilities have previously been exploited for a range of malicious purposes. One notable case was the RECON vulnerability (CVE-2020-6287), which enabled threat actors to take over SAP systems without authentication and was actively targeted soon after its disclosure.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats related to vulnerable software. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect highly recommends that organizations update SAP NetWeaver instances impacted by CVE-2025-42999 as soon as possible in accordance with SAP’s advisory.
