SAP has issued security updates to patch a second zero-day vulnerability (CVE-2025-42999) exploited in recent attacks targeting SAP NetWeaver servers.
The flaw was uncovered during the company’s investigation into a previous zero-day vulnerability (CVE-2025-31324), an unauthenticated file upload issue in SAP NetWeaver Visual Composer that was addressed last month.
A spokesperson for SAP confirmed that the company is aware of the vulnerabilities and has been addressing them. Customers have been urged to apply the newly released patches, referenced in Security Notes 3594142 and 3604119, to protect their systems from exploitation.
The SAP NetWeaver flaw was uncovered last month.
In April, a cybersecurity threat monitoring team discovered the earlier SAP NetWeaver zero-day flaw, CVE-2025-31324.
Investigations revealed threat actors had been using it to upload JSP web shells and the Brute Ratel red team tool into public directories after breaching systems through unauthorised file uploads.
Notably, the targeted instances were fully patched at the time, which suggested that the attackers were using a previously unknown vulnerability.
Multiple independent cybersecurity researchers corroborated this, observing similar attack patterns, including the deployment of web shell backdoors on unpatched systems exposed to the Internet.
Additional threat intelligence lab analysis linked some malicious activity to a Chinese threat actor identified as Chaya_004.
Separately, a nonprofit security organisation is tracking over 2,040 SAP NetWeaver servers that are exposed online and vulnerable to such attacks.
Although SAP has not officially confirmed the in-the-wild exploitation of CVE-2025-42999, one security expert revealed that threat actors have been chaining both vulnerabilities since January 2025.
Researchers also explained that the attacks they observed during March 2025, which began with preliminary probes in January, exploited both the unauthenticated file upload flaw (CVE-2025-31324) and an insecure deserialisation issue (CVE-2025-42999).
This exploitation chain allowed attackers to execute arbitrary commands remotely without requiring system privileges.
In addition, the deserialisation flaw remains a residual risk, as it can still be exploited by users holding the VisualComposerUser role on SAP systems.
Experts are urging SAP administrators to apply all relevant patches promptly, consider disabling the Visual Composer service, restrict access to the metadata uploader services, and implement monitoring for unusual activity to prevent further compromise.
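As an added illustration of the monitoring the experts recommend (example code written for this article, not SAP's or any researcher's tooling), the script below scans web-server access logs for the two steps of the chain described above: a POST to the metadata uploader from outside a trusted network, followed by a request for a JSP file in a public directory that is not part of the known baseline. The uploader path, the public directory prefix, the trusted admin range and the log lines are all constructed placeholders to be adjusted for a real deployment.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): the uploader URL path, the public
# web-root prefix, the trusted admin network and the JSP baseline are
# placeholders that an administrator would set from SAP's own documentation.
UPLOADER_PATH = "/EXAMPLE/metadatauploader"
PUBLIC_PREFIXES = ("/irj/",)
ADMIN_NET = ip_network("10.0.0.0/8")
KNOWN_JSP = {"/irj/portal/index.jsp"}

# Common/combined access-log format: source, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not real telemetry): one trusted upload,
# one untrusted upload, and a JSP fetch from the untrusted source afterwards.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 5123
203.0.113.7 - - [12/Mar/2025:10:02:10 +0000] "POST /EXAMPLE/metadatauploader HTTP/1.1" 200 84
203.0.113.7 - - [12/Mar/2025:10:02:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 412
10.0.0.5 - - [12/Mar/2025:10:03:00 +0000] "POST /EXAMPLE/metadatauploader HTTP/1.1" 200 84
"""

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, url, status = m.groups()
    return {"src": src, "ts": ts, "method": method,
            "path": url.split("?", 1)[0], "status": int(status)}

def analyse(log_text):
    """Return (finding, source, detail) tuples for suspicious requests."""
    findings, uploaders = [], set()
    for raw in log_text.splitlines():
        e = parse(raw)
        if not e:
            continue
        # Rule 1: a write to the uploader endpoint from outside the admin network.
        if (e["method"] == "POST" and e["path"] == UPLOADER_PATH
                and ip_address(e["src"]) not in ADMIN_NET):
            uploaders.add(e["src"])
            findings.append(("untrusted-upload", e["src"], e["ts"]))
        # Rule 2: a successfully served JSP under a public directory that is not
        # in the baseline; escalate if the same source just used the uploader.
        if (e["path"].endswith(".jsp") and e["path"].startswith(PUBLIC_PREFIXES)
                and e["path"] not in KNOWN_JSP and e["status"] == 200):
            kind = "upload-then-jsp-chain" if e["src"] in uploaders else "unknown-jsp"
            findings.append((kind, e["src"], e["path"]))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```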
