
SAP releases patch for second zero-day vulnerability in NetWeaver

SAP has released security updates to address a second zero-day vulnerability that was recently exploited in attacks on SAP NetWeaver servers.

The patch for this new vulnerability, registered as CVE-2025-42999, was released on Monday, May 12. The flaw was discovered while investigating previous zero-day attacks related to another vulnerability in SAP NetWeaver Visual Composer. That earlier bug, which allowed unauthorized users to upload files (CVE-2025-31324), was already fixed in April.

A spokesperson for SAP told BleepingComputer that the company is aware of multiple vulnerabilities in SAP NetWeaver Visual Composer and strongly advises customers to install the updates to protect themselves. The relevant SAP security advisories are numbered 3594142 and 3604119.

Security company ReliaQuest detected the first attacks using CVE-2025-31324 in April. According to its research, attackers placed malicious JSP web shells in publicly accessible directories. After gaining access to the systems through unauthorized file uploads, they deployed the Brute Ratel post-exploitation tool. Notably, some of these systems had already been fully patched, suggesting that an unknown vulnerability was involved.

Chinese hacker group

Other security companies, such as watchTowr and Onapsis, also confirmed these malicious activities. They saw hackers placing web shells on systems that had not yet been patched and were accessible via the Internet. According to Vedere Labs, part of Forescout, some of these attacks can be traced back to a Chinese hacker group with the code name Chaya_004.

According to Patrice Auffret, technical director at Onyphe, at the end of April, around 1,284 vulnerable NetWeaver instances were visible via the Internet, of which at least 474 had already been compromised. He noted that the affected organizations included around 20 companies from the Fortune 500 or Global 500 lists.

The Shadowserver Foundation currently tracks more than 2,040 SAP NetWeaver servers that are accessible via the internet and vulnerable.

SAP has not confirmed that the new flaw (CVE-2025-42999) was actively exploited. However, Juan Pablo Perez-Etchegoyen, technical director at Onapsis, claims that attackers have combined both vulnerabilities in their attacks since January.

According to him, these attacks have been exploiting both the lack of authentication and the insecure processing of data since March, which makes it possible to execute commands remotely without any access rights. On its own, the vulnerability relating to data processing can only be exploited by users with specific rights in the SAP system.

SAP system administrators are advised to install the available patches immediately. In addition, it is recommended to disable the Visual Composer service if possible, restrict access to upload functions, and be alert to suspicious activity on the servers.
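The web shells described above were JSP files dropped into publicly accessible directories, and the advice is to watch for suspicious activity on the servers. The following added example (not code from the article or from SAP) shows one simple hunt for that: walk a web-accessible directory tree supplied by the operator and flag `.jsp` files that match several command-execution indicators. The indicator patterns, the directory layout and the sample files are all constructed for the demonstration and are not an exhaustive signature set.

```python
"""Hunt for suspicious JSP files in a web-accessible directory tree.
Added example; indicator patterns are illustrative, not a complete signature set."""
import re
import tempfile
from pathlib import Path

# Constructed indicators typical of command-executing JSP web shells.
WEBSHELL_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I),
    re.compile(r"ProcessBuilder\s*\(", re.I),
    re.compile(r"request\.getParameter\s*\([^)]*\)", re.I),
]


def score_jsp(text: str) -> list[str]:
    """Return the indicator patterns that match one JSP source text."""
    return [p.pattern for p in WEBSHELL_PATTERNS if p.search(text)]


def hunt_jsp_webshells(root: Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Walk root and flag every .jsp file matching at least min_hits indicators.

    Requiring more than one indicator keeps ordinary pages that merely read
    a request parameter from being reported."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*.jsp"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole hunt
        hits = score_jsp(text)
        if len(hits) >= min_hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree (one benign page, one suspicious file) and hunt it."""
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "public" / "index.jsp").write_text("<html><%= new java.util.Date() %></html>")
    # Constructed sample: carries the indicator tokens inside a JSP comment only.
    (root / "public" / "helper.jsp").write_text(
        '<%-- sample: request.getParameter("p") ProcessBuilder( Runtime.getRuntime().exec --%>'
    )
    return hunt_jsp_webshells(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"SUSPICIOUS {name}: {hits}")
```

In practice, run `hunt_jsp_webshells` against the server's actual document root and compare the results with a known-good file inventory, since a legitimate deployment may also contain files that read request parameters.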

Since the attacks began, the US government agency CISA has included the CVE-2025-31324 vulnerability in its list of known exploited vulnerabilities. According to a binding directive, US government agencies are required to secure their systems by May 20 at the latest.