    SAP patches second zero-day flaw exploited in recent attacks

    By Micha, May 14, 2025

    SAP has issued urgent patches for critical vulnerabilities affecting SAP NetWeaver servers, following zero-day attacks that exploited these flaws. This article details the vulnerabilities, related security recommendations, and the implications for enterprises relying on SAP systems. Stay informed to protect your network and data.

    Critical SAP Cyber Security Vulnerabilities Exposed

    SAP has promptly addressed two critical vulnerabilities in its SAP NetWeaver servers, both recently exploited in zero-day attacks. On May 12, SAP released security updates for CVE-2025-42999, a flaw discovered while investigating another critical vulnerability, CVE-2025-31324, which had already been patched in April.

    “We urge all customers using SAP NETWEAVER to apply these patches immediately to safeguard their systems,” stated a SAP representative. Further information can be found in the security notes: 3594142 & 3604119.

    The Threat Landscape: Zero-Day Attacks

    In a significant security breach, ReliaQuest highlighted the exploitation of CVE-2025-31324, the initial zero-day vulnerability, in which threat actors uploaded JSP web shells to public directories after performing unauthorized file uploads on SAP NetWeaver. Reports indicate that the compromised instances had been fully patched at the time, underscoring that the attackers were using zero-day exploits.

    This malicious activity was corroborated by cybersecurity researchers at watchTowr and Onapsis, who identified backdoor web shell uploads on vulnerable installations. Notably, Forescout’s Vedere Labs linked some of the attacks to a Chinese threat actor tracked as Chaya_004.

    Vulnerable Instances: A Widespread Concern

    According to Onyphe CTO Patrice Auffret, approximately 20 Fortune 500 companies are currently vulnerable, with many already compromised. Shadowserver Foundation has tracked over 2,040 exposed SAP NetWeaver servers vulnerable to these ongoing attacks.

    [Figure: Vulnerable SAP NetWeaver servers exposed online (Shadowserver Foundation)]

    Understanding the New Vulnerability

    While SAP has not confirmed active exploitation of CVE-2025-42999, Onapsis CTO Juan Pablo Perez-Etchegoyen indicated that attackers have been chaining both vulnerabilities since January. Exploiting the missing authentication check (CVE-2025-31324) together with an insecure deserialization vulnerability (CVE-2025-42999) allowed attackers to execute arbitrary commands remotely.

    SAP administrators are strongly advised to patch their systems immediately and to consider disabling Visual Composer services where feasible. Additionally, restrict access to the metadata uploader service and continuously monitor servers for unusual activity.
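    The monitoring advice above can be turned into a concrete check for the attack chain the article describes: an unauthenticated POST to the uploader followed shortly by a request for a new .jsp file in a web-reachable directory. The script below is an added example, not code from the article or from SAP; the uploader path, public directory and the access-log lines are constructed placeholders, not real SAP paths or real logs.

```python
"""Flag upload-then-invoke sequences in web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_PATH = "/placeholder/metadatauploader"  # assumption: uploader endpoint path
PUBLIC_DIR = "/placeholder/public/"            # assumption: web-reachable upload directory

# Common log format: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign GET, one upload followed by a JSP request
# from the same client, and one upload attempt that was rejected (401).
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200
198.51.100.7 - - [14/May/2025:10:02:10 +0000] "POST /placeholder/metadatauploader HTTP/1.1" 200
198.51.100.7 - - [14/May/2025:10:02:15 +0000] "GET /placeholder/public/helper.jsp HTTP/1.1" 200
10.0.0.9 - - [14/May/2025:11:30:00 +0000] "POST /placeholder/metadatauploader HTTP/1.1" 401
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Return (ip, upload_time, jsp_path) for each JSP request under PUBLIC_DIR
    that follows a successful POST to UPLOAD_PATH from the same client within `window`."""
    uploads = defaultdict(list)  # client ip -> timestamps of accepted uploads
    hits = []
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_PATH and e["status"] < 400:
            uploads[e["ip"]].append(e["ts"])
        elif e["path"].startswith(PUBLIC_DIR) and e["path"].split("?")[0].lower().endswith(".jsp"):
            for up in uploads[e["ip"]]:
                if timedelta(0) <= e["ts"] - up <= window:
                    hits.append((e["ip"], up.isoformat(), e["path"].split("?")[0]))
                    break
    return hits


if __name__ == "__main__":
    for ip, when, path in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip}: upload at {when} followed by request for {path}")
```

    Run it over real access logs after replacing the placeholder paths; a hit is a lead for incident response, not proof of compromise on its own.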

    CISA’s Involvement and Recommendations

    As a response to the severe risks these vulnerabilities pose, CISA has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog. Federal agencies must secure their systems by May 20, as mandated by Binding Operational Directive (BOD) 22-01.

    “Such vulnerabilities often serve as attack vectors for cybercriminals, posing significant risks to the integrity of federal systems,” CISA emphasized in its advisory.

    Conclusion: Strengthening Cyber Security Posture

    In light of these recent SAP vulnerabilities, every organization utilizing SAP systems must act swiftly to protect sensitive data and infrastructure. Regularly updating security protocols and staying informed about new threats will significantly enhance your cyber security posture.

    Frequently Asked Questions (FAQ)

    1. What should organizations do to protect against these vulnerabilities?

    Organizations should immediately apply the latest security patches, disable unnecessary services, and monitor their infrastructure for unusual activities to mitigate risks effectively.

    2. How can businesses stay informed about cyber security threats?

    Regularly follow updates from trusted sources like cybersecurity blogs, government advisories, and reputable tech news websites to stay on top of emerging threats and vulnerabilities.

    3. What are Zero-Day vulnerabilities, and why are they dangerous?

    Zero-Day vulnerabilities are flaws in software that are exploited by attackers before the vendor is aware or has provided a fix. They are particularly dangerous because they are not yet patched, making systems highly susceptible to attacks.
