SAP has released security patches for two critical vulnerabilities in SAP NetWeaver servers that have been exploited in recent zero-day attacks. Organizations running SAP NetWeaver are strongly advised to apply these patches immediately to prevent further compromise.
Affected: SAP NetWeaver servers, SAP NetWeaver Visual Composer
Key points
- SAP has issued patches for two vulnerabilities (CVE-2025-31324 and CVE-2025-42999) exploited in recent zero-day attacks.
- Threat actors used these flaws to upload web shells and backdoors, gaining unauthorized access to vulnerable SAP NetWeaver systems.
- The attacks were discovered by security firms including ReliaQuest, Onapsis, and watchTowr, with some activity attributed to the Chinese threat actor Chaya_004.
- Over 2,040 SAP NetWeaver servers are publicly exposed and vulnerable to these exploits, with many already compromised.
- Attackers chained the two vulnerabilities to execute remote commands without privileges, particularly on systems where Visual Composer roles are enabled.
- SAP recommends patching affected systems immediately, disabling Visual Composer if possible, and monitoring for suspicious activity.
- CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to secure their systems by May 20.