SAP patches recently exploited zero-day in wake of NetWeaver server attacks

Image: SAP building (credit: SAP)

  • SAP fixed CVE-2025-42999, a 9.1/10 vulnerability in NetWeaver
  • This one was chained with CVE-2025-31324, which was fixed in April
  • Fortune 500 companies are apparently at risk

SAP has patched a critical-severity zero-day vulnerability in NetWeaver server that was being chained in attacks targeting some of the world’s biggest enterprises.

The vulnerability is tracked as CVE-2025-42999 and carries a severity score of 9.1/10 (critical). NVD describes it as follows: SAP NetWeaver Visual Composer Metadata Uploader is “vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.”

In a statement given to BleepingComputer, SAP said it discovered this flaw when it was investigating a different one, also a zero-day. This one was reported earlier in April this year, and is now tracked as CVE-2025-31324 (10/10 - critical). The two flaws were allegedly being abused in attacks since January 2025.

SAP issues patch

When security researchers first discovered CVE-2025-31324 being abused, it was said that more than 1,200 SAP instances were at risk of being hijacked. Some researchers claimed the number of vulnerable endpoints was somewhat smaller - around 500 instances.

Visual Composer is a development tool that allows users to build web-based business applications without writing code. It’s mostly used to create dashboards, forms, and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases, or SAP systems).

ReliaQuest, watchTowr, and Onapsis are just some of the firms that observed the bug being exploited in attacks in which threat actors were dropping web shells on vulnerable servers. SAP, however, told the media that it was not aware of any attacks that impacted customer data or systems.
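The attack pattern described above, an upload through the Metadata Uploader followed by requests for a freshly planted JSP web shell, leaves a recognisable trace in web-server access logs. The following triage script is an added example written for this article; it is not code from SAP, BleepingComputer or any of the firms named here. The log lines are constructed, the uploader path is an assumption (it is the path publicly associated with CVE-2025-31324 advisories, so adjust it to your deployment), and the baseline of known JSP paths is something you would build from a clean system.

```python
"""Flag Metadata Uploader POSTs and newly appearing JSP resources in access logs.

Added example, not SAP or article code. The log format is the common
combined format; the sample lines and the baseline are constructed.
"""
import re
from collections import Counter

# Assumption: the uploader servlet path; adjust for your NetWeaver deployment.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed baseline: JSP paths that legitimately exist on the server.
KNOWN_JSP_PATHS = frozenset({"/irj/portal/login.jsp"})

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client POSTs to the uploader and then fetches a JSP
# that is not in the baseline; a second client only browses normal pages.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:09:10:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2025:09:10:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [12/May/2025:09:10:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [12/May/2025:09:11:30 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.4 - - [12/May/2025:09:11:42 +0000] "GET /irj/portal/login.jsp HTTP/1.1" 200 7410
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, known_jsp_paths=KNOWN_JSP_PATHS, uploader_path=UPLOADER_PATH):
    """Return a list of alert dicts for suspicious uploader and JSP activity.

    Alerts:
      uploader_post         - any POST to the uploader path (review regardless of status)
      new_jsp_after_upload  - a JSP outside the baseline served with 200 to a client
                              that earlier had a successful uploader POST
      new_jsp               - a JSP outside the baseline served with 200 to any client
    """
    alerts = []
    uploaders = set()  # client IPs with a successful uploader POST so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == uploader_path:
            alerts.append({"kind": "uploader_post", "ip": rec["ip"],
                           "status": rec["status"], "ts": rec["ts"]})
            if rec["status"] == 200:
                uploaders.add(rec["ip"])
        elif (rec["path"].endswith(".jsp") and rec["status"] == 200
              and rec["path"] not in known_jsp_paths):
            kind = "new_jsp_after_upload" if rec["ip"] in uploaders else "new_jsp"
            alerts.append({"kind": kind, "ip": rec["ip"],
                           "path": rec["path"], "ts": rec["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts per kind so an analyst can see the shape of the activity."""
    return dict(Counter(a["kind"] for a in alerts))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(a)
    print(summarize(found))
```

The ordering matters: a JSP that appears only after the same client succeeded in posting to the uploader is the strongest signal, which is why the script tracks uploader clients before classifying JSP hits. Runs against a real log will need the baseline built from a known-good host, since NetWeaver ships many legitimate JSPs.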

"Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised," Onyphe CTO Patrice Auffret told BleepingComputer.


Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
