SAP fixes second actively exploited NetWeaver vulnerability
Take action: Update all your SAP NetWeaver systems immediately with the second emergency patch, for CVE-2025-42999. Alternatively, disable the Visual Composer service until you can patch. Make sure you have already patched CVE-2025-31324 or restricted access to the /developmentserver/metadatauploader endpoint. Finally, scan your environment for unauthorized files that could indicate you have already been compromised.
Learn More
After releasing a patch for the critical and actively exploited CVE-2025-31324 in NetWeaver, SAP has released patches for a second, actively exploited NetWeaver flaw.
This vulnerability was discovered during investigations into previous attacks that exploited CVE-2025-31324.
The newly patched flaw is tracked as CVE-2025-42999 (CVSS score 9.1), an insecure deserialization vulnerability in SAP NetWeaver Visual Composer, patched on May 12, 2025.
The combination of these flaws allowed attackers to execute arbitrary commands remotely without requiring any system privileges: the missing authentication check (CVE-2025-31324) gives access to the upload endpoint, and the insecure deserialization (CVE-2025-42999) turns that access into code execution.
The attacks have potentially impacted numerous major corporations. According to Juan Pablo Perez-Etchegoyen, CTO of Onapsis, threat actors have been chaining both vulnerabilities in attacks since January 2025.
The scale of potentially affected systems is substantial. Approximately 20 Fortune 500/Global 500 companies were vulnerable, with many already compromised. At that time, there were 1,284 vulnerable instances exposed online, with 474 already compromised.
Currently, the Shadowserver Foundation is tracking over 200 SAP NetWeaver servers that remain exposed on the internet and vulnerable to these attacks.
SAP administrators are strongly advised to apply the latest security patches to all SAP NetWeaver instances, disable the Visual Composer service if possible, and restrict access to the metadata uploader service.
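A practical first check, while patching and access restrictions are rolled out, is to look back through web access logs for accepted requests to the /developmentserver/metadatauploader endpoint named above. The script below is an added example and is not code from the article, from SAP or from Onapsis; it assumes an Apache/NGINX-style combined log format in front of NetWeaver (the regex must be adapted to your reverse proxy's or ICM's real format), and the log lines it parses are constructed samples with documentation IP addresses.

```python
import re
from collections import Counter

# Endpoint named in the advisory for CVE-2025-31324 (the unauthenticated upload path).
WATCHED_PATH = "/developmentserver/metadatauploader"

# Constructed sample access-log lines (assumed combined log format; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:08:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:08:12:05 +0000] "GET /irj/portal HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:08:12:09 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 128 "-" "curl/8.1"
192.0.2.3 - - [10/May/2025:08:13:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Assumed log line shape: client ip, identd, user, [timestamp], "METHOD path proto", status, bytes, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop the query string so that "/path?x=y" compares equal to "/path".
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def find_upload_hits(log_text):
    """Return parsed entries for requests to the watched endpoint that the server accepted (2xx).

    Rejected requests (e.g. 401 after access was restricted) are not reported; an accepted
    request from an unrecognised source is the one worth triaging.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"] == WATCHED_PATH and 200 <= entry["status"] < 300:
            hits.append(entry)
    return hits


def summarize(hits):
    """Count accepted requests to the endpoint per source IP, for quick triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_upload_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("accepted requests per source:", dict(summarize(hits)))
```

Run it against a real log export instead of SAMPLE_LOG by reading the file into `find_upload_hits`; any accepted request to the endpoint from a source you do not recognise, especially one dated before your patch or access restriction went in, is a reason to inspect that host for unauthorized files as the advisory recommends.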
Update - as of 18 August 2025, exploit code for CVE-2025-31324 is publicly available and attackers are actively using it against SAP NetWeaver. CISA has added the flaw to its Known Exploited Vulnerabilities catalog. CVE-2025-42999 is being chained with it in attacks against unpatched systems.