CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Vulnerabilities

New Exploit Poses Threat to SAP NetWeaver Instances

A new public exploit chains two critical flaws in SAP NetWeaver, exposing unpatched instances to code execution attacks. The post New Exploit Poses Threat to SAP NetWeaver Instances appeared first on SecurityWeek.

SAP vulnerabilities

Dozens of SAP NetWeaver instances are susceptible to compromise after a threat actor released a new working exploit that chains two critical-severity vulnerabilities for code execution.

The flaws, tracked as CVE-2025-31324 (CVSS score of 10) and CVE-2025-42999 (CVSS score of 9.1), are described as a missing authorization check issue and an insecure deserialization bug, and were resolved with security notes released in April and May, respectively.

Both security defects had been exploited in the wild before fixes were rolled out for them, for the deployment of web shells and remote command execution. Ransomware groups such as BianLian and RansomEXX, and Chinese APTs were seen targeting them.

On Friday, threat intelligence and research project Vx-Underground warned that someone apparently linked to the Scattered Spider cybercrime group released on Telegram a new – allegedly zero-day – exploit targeting SAP NetWeaver instances.

After analyzing the exploit, enterprise application security firm Onapsis concluded that it was actually built to chain the known flaws CVE-2025-31324 and CVE-2025-42999 for the execution of arbitrary system commands with administrator privileges.

“In essence, the attackers first use the missing authentication vulnerability (CVE-2025-31324) to access the critical functionality without authentication and get their malicious payload to the server. Then, they exploit the de-serialization flaw (CVE-2025-42999) to deserialize the malicious payload and execute that code with the privileges of the SAP system,” Onapsis explains.

The security firm warns that the deserialization gadget in this exploit could be reused in other contexts, such as the exploitation of deserialization flaws that SAP patched in July.

“This potentially opens up new attack vectors in other areas of SAP applications. It’s a powerful tool in an attacker’s arsenal, and its publication in the wild is a significant event. Organizations should ensure these SAP vulnerabilities have been also promptly patched in their environments,” Onapsis notes.

While the exploit does not target new SAP vulnerabilities, NetWeaver instances that have not been patched against CVE-2025-31324 and CVE-2025-42999 are exposed to a fresh wave of attacks.

According to data from The Shadowserver Foundation, over 50 NetWeaver servers were still vulnerable to CVE-2025-31324 as of August 18. The number is significantly lower compared to the 400 vulnerable instances observed at the end of April.

Related: SAP Patches Critical S/4HANA Vulnerability

Related: Hundreds of N-able N-central Instances Affected by Exploited Vulnerabilities

Related: OT Networks Targeted in Widespread Exploitation of Erlang/OTP Vulnerability

Related: Vulnerabilities in Xerox Print Orchestration Product Allow Remote Code Execution

Latest News

CYBERNEWSMEDIAPublisher