Summary Points
- Dozens of SAP NetWeaver instances are vulnerable to a new exploit chaining two critical flaws—CVEs CVE-2025-31324 and CVE-2025-42999—that enable remote code execution without authorization.
- The vulnerabilities, previously exploited in the wild by ransomware groups and APTs, had official patches released in April and May, but many systems remain unpatched.
- The newly analyzed exploit leverages the missing authentication vulnerability to deliver malicious payloads, then uses insecure deserialization to execute code with administrator privileges.
- The deserialization technique used could be repurposed elsewhere, posing a broader threat, and organizations are urged to verify their SAP environments are fully patched against these vulnerabilities.
Key Challenge
Recently, a dangerous exploit targeting SAP NetWeaver instances has emerged, jeopardizing dozens of these systems globally. The exploit, linked to the cybercrime group Scattered Spider and shared on Telegram, combines two serious vulnerabilities—CVE-2025-31324, which bypasses authentication, and CVE-2025-42999, an insecure deserialization bug—to enable attackers to execute arbitrary commands with administrator privileges. This chain allows malicious actors to infiltrate systems that had yet to be patched, leading to potential deployment of web shells and remote command execution by groups such as BianLian, RansomEXX, and state-sponsored Chinese APTs. The vulnerabilities had previously been exploited before official patches were issued; now, the unpatched SAP NetWeaver instances remain at heightened risk, especially as recent data indicates over 50 servers still vulnerable as of August, despite a significant decline from earlier in the year.
The security firm Onapsis analyzed the new exploit and confirmed that it effectively combines the two flaws into a potent tool capable of executing malicious code with administrative privileges. They warn that this deserialization bug could be exploited in other SAP environments, potentially expanding attack vectors across SAP’s ecosystem. Reporting on this development, cybersecurity researchers highlight the urgent need for organizations relying on SAP NetWeaver to apply the latest security patches promptly, as the publication of such a sophisticated exploit into the wild marks a critical escalation in targeted cyber threats against enterprise infrastructure.
Critical Concerns
Dozens of SAP NetWeaver instances remain at significant risk after cybercriminals, linked to groups like Scattered Spider, released a sophisticated exploit that chains two critical vulnerabilities—CVE-2025-31324 (a missing authorization check) and CVE-2025-42999 (insecure deserialization)—to execute arbitrary system commands with administrator privileges. These flaws, previously exploited in the wild by ransomware groups and advanced persistent threat actors to deploy web shells and gain remote control, were patched earlier this year, but many systems still remain unprotected—over 50 as of August—making them vulnerable to a new wave of targeted attacks. The exploit’s ability to reuse the deserialization flaw in different contexts heightens its threat, potentially enabling versatile and widespread exploitation of SAP applications. Organizations neglecting timely patching risk severe operational disruptions, data breaches, and escalating cyber risks driven by increasingly sophisticated, targeted cybercrime activities.
Possible Action Plan
Addressing the emerging threat posed by new exploits targeting SAP NetWeaver instances is crucial for maintaining system security and preventing potential breaches. Timely remediation minimizes the risk of data breaches, service disruptions, and financial losses.
Mitigation Strategies:
-
Patch Deployment: Apply the latest security patches and updates provided by SAP promptly to fix known vulnerabilities.
-
Vulnerability Assessment: Conduct regular scans and assessments to identify and understand existing weaknesses within SAP NetWeaver components.
-
Access Control: Restrict access to SAP environments using strong authentication mechanisms and limit user permissions based on necessity.
-
Network Segmentation: Isolate SAP systems from other enterprise networks to limit the attack surface and contain potential threats.
- Monitoring & Alerts: Implement continuous monitoring and real-time alerting to detect suspicious activities related to exploitation attempts.
Remediation Steps:
-
Incident Response: Develop and execute an incident response plan tailored for SAP-specific security incidents.
-
System Hardening: Disable unnecessary services and features within SAP NetWeaver to reduce potential entry points for attackers.
-
User Training: Educate administrators and users about the latest threats and best practices for security hygiene.
-
Backup & Recovery: Maintain up-to-date backups of critical SAP data and configurations to enable swift recovery in case of compromise.
- Vendor Collaboration: Engage with SAP support for guidance on patches and specific mitigation techniques when new vulnerabilities emerge.
Continue Your Cyber Journey
Explore career growth and education via Careers & Learning, or dive into Compliance essentials.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
