Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

Aug 19, 2025Ravie LakshmananVulnerability / Cyber Espionage

A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.

The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.

• CVE-2025-31324 (CVSS score: 10.0) – Missing Authorization check in SAP NetWeaver’s Visual Composer development server
• CVE-2025-42999 (CVSS score: 9.1) – Insecure Deserialization in SAP NetWeaver’s Visual Composer development server

The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March.

Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws, not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infrastructure networks.

The existence of the exploit was first reported last week by vx-underground, which said it was released by Scattered Lapsus$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters.

“These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files,” Onapsis said. “This can lead to remote code execution (RCE) and a complete takeover of the affected system and SAP business data and processes.”

The exploit, the company added, cannot only be used to deploy web shells, but also be weaponized to conduct living-off-the-land (LotL) attacks by directly executing operating system commands without having to drop additional artifacts on the compromised system. These commands are run with SAP administrator privileges, granting bad actors unauthorized access to SAP data and system resources.

Specifically, the attack chain first uses CVE-2025-31324 to sidestep authentication and upload the malicious payload to the server. The deserialization vulnerability (CVE-2025-42999) is then exploited to unpack the payload and execute it with elevated permissions.

“The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July,” Onapsis warned.

This includes –

Describing the threat actors as having extensive knowledge of SAP applications, the company is urging SAP users to apply the latest fixes as soon as possible, review and restrict access to SAP applications from the internet, and monitor SAP applications for any signs of compromise.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!