
Critical SAP NetWeaver Vulnerabilities Disclosed: CVE-2025-31324 and CVE-2025-42999 Exploitation Risks

A working exploit that chains two critical SAP NetWeaver vulnerabilities, CVE-2025-31324 and CVE-2025-42999, has been made public by VX Underground, according to a warning from Onapsis security researchers. The exploit was allegedly released on a Telegram channel associated with a collective of three established cybercrime groups: Scattered Spider, ShinyHunters, and LAPSUS$. Earlier this year, CVE-2025-31324, a missing-authentication bug, was exploited by an initial access broker group to upload webshells, paving the way for subsequent ransomware attacks. Opportunistic threat actors then leveraged those webshells in further attacks. In mid-May, SAP released fixes for CVE-2025-42999, which addressed a residual risk that persisted after CVE-2025-31324 had been patched.

The newly released exploit chains CVE-2025-31324 with CVE-2025-42999, a deserialization flaw that lets attackers execute malicious payloads on vulnerable SAP systems. Its publication significantly lowers the barrier to exploitation, putting these vulnerabilities within reach of less skilled attackers. Onapsis researchers noted that the exploit not only facilitates the deployment of webshells but also lets attackers execute operating system commands directly with SAP administrator privileges. While many companies have already patched both vulnerabilities, the release of the exploit code introduces new risk, because the deserialization gadget could be repurposed against other vulnerabilities recently patched by SAP. Onapsis recommends that organisations apply the latest security patches, restrict access to SAP applications, and monitor for suspicious activity such as unexpected file uploads or unusual processes.

Categories: Cybersecurity Threats, Vulnerability Exploitation, SAP Security Risks

Tags: SAP, NetWeaver, Vulnerabilities, Exploit, CVE-2025-31324, CVE-2025-42999, Ransomware, Webshells, Deserialization, Security Patches
