Exploit for critical SAP NetWeaver flaws released (CVE-2025-31324, CVE-2025-42999)

A working exploit chaining two critical SAP NetWeaver vulnerabilities (CVE-2025-31324, CVE-2025-42999) that have previously been exploited in the wild has been made public by VX Underground, Onapsis security researchers have warned.

The exploit has allegedly been released on a Telegram channel that claimed to represent a collective of three established cybercrime groups: Scattered Spider, ShinyHunters, and LAPSUS$.

Historical exploitation of CVE-2025-31324

Earlier this year, a suspected initial access broker group abused CVE-2025-31324 – a missing authentication bug that lets attackers upload files without authentication – in zero-day attacks to upload webshells and prepare the way for ransomware attacks.

Those were followed by another wave of attacks mounted by opportunistic threat actors who leveraged the established webshells (from the first zero-day attack) on vulnerable systems.

In mid-May, SAP released fixes for CVE-2025-42999, which changed the mechanism to process certain files in SAP Visual Composer (the vulnerable SAP NetWeaver element) and removed “a residual risk that remained after patching CVE-2025-31324.”

The released exploit

The exploit chains CVE-2025-31324 with CVE-2025-42999, a deserialization flaw that lets attackers deserialize the malicious payload and execute that code on the vulnerable SAP system.

The publication of this exploit means more groups, including less skilled attackers, can now leverage these vulnerabilities.

“This exploit further confirms these vulnerabilities can be used to not only deploy webshells, but also ‘live off the land’ by directly executing operating system commands without the need to deploy any artifacts on the target system. These commands are executed with SAP administrator privileges (adm), resulting in full access to SAP data and system resources,” Onapsis researchers explained.

Many companies have already patched these flaws – the Shadowserver Foundation currently detects fewer than 50 internet-facing SAP NetWeaver systems that haven’t yet received patches for CVE-2025-31324 – but the release of the exploit code introduces new risks.

Onapsis warns that the deserialization gadget could be reused “in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July [CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, CVE-2025-42964].”

“This potentially opens up new attack vectors in other areas of SAP applications. It’s a powerful tool in an attacker’s arsenal, and its publication in the wild is a significant event. Organizations should ensure these SAP vulnerabilities have been also promptly patched in their environments,” they noted.

The researchers have recommended that companies apply the latest security patches from SAP (if they haven’t already), limit access to SAP applications, and monitor SAP applications for suspicious behavior, such as unexpected file uploads or strange processes.

Mandiant and Onapsis have provided open-source scanners that detect indicators of compromise tied to both CVEs.
