Critical Alert: SAP Patches Second Zero-Day Flaw Exploited in Recent Attacks
👉 Listen to the Episode: https://technijian.com/podcast/critical-sap-alert-breaking-down-the-second-zero-day-exploit-in-recent-cyberattacks/
SAP Under Siege: A Second Zero-Day Threat Emerges
SAP has released patches for a second zero-day vulnerability, CVE-2025-42999, that attackers were exploiting in combination with a flaw SAP had already fixed. Both vulnerabilities sit in the Visual Composer component of SAP NetWeaver servers, a product deployed widely enough that a large number of organizations are exposed.
In a statement to BleepingComputer, SAP urged all users of SAP NetWeaver Visual Composer to apply these new patches immediately. The security updates were rolled out on May 12, just weeks after another zero-day flaw, CVE-2025-31324, was patched in April following active exploitation.
The Origins: CVE-2025-31324 and Its Impact
The first vulnerability came to light when ReliaQuest observed threat actors uploading JSP web shells and the Brute Ratel red-teaming framework to compromised SAP environments. The affected systems were fully patched at the time, which pointed to a previously unknown flaw rather than a missed update: classic zero-day behavior.
watchTowr and Onapsis confirmed the same exploitation pattern: attackers were uploading web shell backdoors into web-accessible directories on unpatched servers, giving them persistent, unauthorized access.
New Risk: CVE-2025-42999 and Chained Exploits
The second flaw, CVE-2025-42999, was uncovered during the investigation of those earlier incidents. SAP has not formally confirmed in-the-wild exploitation of it, but Onapsis CTO Juan Pablo Perez-Etchegoyen reported that attackers had been chaining the two vulnerabilities since January 2025.
These chains exploited:
- Unauthenticated file upload (CVE-2025-31324)
- Insecure de-serialization (CVE-2025-42999)
Chained, the upload flaw gives an unauthenticated attacker a way to reach the deserialization bug, so the pair yields remote command execution with no credentials at all, running with the privileges of the application server process. For an enterprise system that typically holds business-critical data, that is a full compromise.
Scope of the Breach: Fortune 500 and Global 500 at Risk
The exposure is broad. Onyphe CTO Patrice Auffret reported in April that 1,284 vulnerable instances were exposed online, of which 474 were already compromised, and that 20 Fortune 500/Global 500 companies were among the vulnerable.
More recent data from the Shadowserver Foundation counts about 2,040 SAP NetWeaver servers still exposed to the internet, so a large share of the affected population has yet to act.
Mitigation Measures: SAP and CISA Recommendations
SAP recommends immediate actions:
- Apply Security Notes 3594142 (CVE-2025-31324) and 3604119 (CVE-2025-42999)
- Disable Visual Composer service if not essential
- Restrict access to metadata uploader services
- Continuously monitor servers for anomalies, in particular unexpected JSP files in web-accessible directories and unauthenticated requests to the uploader
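The chain described above (unauthenticated requests to the Metadata Uploader followed by a dropped JSP web shell) and the "monitor servers for anomalies" recommendation both come down to the same two checks: who is reaching the uploader without a session, and which JSP files appeared on disk recently. The following Python is an added example, not SAP, CISA or Technijian tooling. It assumes the uploader is reached at the path `/developmentserver/metadatauploader` (the endpoint named in public advisories for CVE-2025-31324), that access logs are in a combined-log-like format (the sample lines below are constructed; real ICM/Java HTTP access logs differ in layout), and that web shells land as `.jsp` files under the portal's servlet_jsp root. The file names and IP addresses are constructed.

```python
"""Triage helpers for the SAP NetWeaver Visual Composer exploitation chain
(CVE-2025-31324 unauthenticated upload, CVE-2025-42999 deserialization).

Added example, not SAP, CISA or Technijian tooling.  Assumptions (labelled):
- the Metadata Uploader is served at UPLOADER_PATH (assumption from public advisories);
- access logs look like the constructed SAMPLE_LOG below (real ICM logs differ);
- dropped web shells are .jsp files under the servlet_jsp root.
"""
import os
import re
import tempfile
import time
from datetime import datetime
from pathlib import Path

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumption: endpoint from public advisories

# Constructed sample log: an authenticated POST by a real user, an unauthenticated POST
# from an outside address, that address then requesting a fresh JSP, and one noise line.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/May/2025:09:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:09:15:31 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 214 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:15:33 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 98 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2025:09:16:00 +0000] "GET /irj/portal HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]          # drop the query string
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(lines):
    """Flag unauthenticated Metadata Uploader hits, then any .jsp request from the same client.

    Rule 1: a request to the uploader with no authenticated user ("-") is exactly what
            CVE-2025-31324 allowed; legitimate use of the uploader needs a logged-in user.
    Rule 2: a later request for a .jsp from a client that tripped rule 1 is the web shell
            being used, and is reported separately so responders can see the full chain.
    """
    findings = []
    suspects = set()  # client IPs that reached the uploader without a session user
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(UPLOADER_PATH) and rec["user"] == "-":
            suspects.add(rec["ip"])
            findings.append({"ip": rec["ip"], "rule": "unauth_metadata_uploader",
                             "path": rec["path"], "status": rec["status"], "ts": rec["ts"]})
        elif rec["path"].endswith(".jsp") and rec["ip"] in suspects:
            findings.append({"ip": rec["ip"], "rule": "jsp_after_uploader",
                             "path": rec["path"], "status": rec["status"], "ts": rec["ts"]})
    return findings


def find_recent_jsp(root, since_epoch):
    """Return .jsp files under root whose mtime is newer than since_epoch (a crude web-shell sweep)."""
    return sorted(p for p in Path(root).rglob("*.jsp") if p.stat().st_mtime > since_epoch)


def demo_file_sweep():
    """Build a constructed servlet_jsp-like tree in a temp dir and sweep it.

    index.jsp is back-dated a week to stand in for a shipped file; helper.jsp is written
    now to stand in for a freshly dropped shell.  Only the fresh file should be reported.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "servlet_jsp" / "irj" / "root"
        root.mkdir(parents=True)
        shipped = root / "index.jsp"
        shipped.write_text("<%-- constructed: stands in for a file shipped with the product --%>")
        week_ago = time.time() - 7 * 86400
        os.utime(shipped, (week_ago, week_ago))
        dropped = root / "helper.jsp"
        dropped.write_text("<%-- constructed: stands in for a dropped web shell --%>")
        return [p.name for p in find_recent_jsp(root, time.time() - 86400)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["ts"].isoformat(), f["ip"], f["rule"], f["path"], f["status"])
    print("recent .jsp files:", demo_file_sweep())
```

On real systems, point `find_recent_jsp` at the portal's servlet_jsp directories and pick `since_epoch` from the date the server was last known clean rather than a fixed window; a web shell dropped in January will not show up in a 24-hour sweep. Treat any hit from `scan_access_log` as an incident indicator, not proof: confirm by checking whether the `.jsp` the client requested actually exists on disk and who created it.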
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, which under Binding Operational Directive (BOD) 22-01 requires federal agencies to remediate affected systems by May 20, 2025.
Threat Attribution: Who’s Behind These Attacks?
Forescout's Vedere Labs linked the coordinated activity to a Chinese threat actor it tracks as Chaya_004. The group has shown advanced persistence techniques and appears to be well resourced.
The use of a deserialization flaw together with the upload mechanism shows that the attackers understand SAP's internal architecture and its security controls.
FAQs About SAP’s Zero-Day Flaws
Q1: What is a zero-day vulnerability?
A zero-day is a security flaw that is exploited before the vendor has released a patch. It is especially dangerous because no vendor fix exists yet, so defenders depend on workarounds and detection until one ships.
Q2: How were the SAP NetWeaver vulnerabilities discovered?
The flaws were identified during forensic investigations of unauthorized file uploads and remote command executions in real-world attacks.
Q3: What is CVE-2025-42999?
It is an insecure deserialization flaw in SAP NetWeaver Visual Composer. On its own it requires an account holding the VisualComposerUser role, but with that access it allows remote execution of arbitrary code; chained with CVE-2025-31324 the authentication requirement falls away.
Q4: How serious are these vulnerabilities?
Very serious. They allow attackers to bypass authentication, deploy web shells, and gain persistent control of enterprise systems.
Q5: Is disabling Visual Composer a permanent fix?
No. Disabling the service is an interim workaround that reduces exposure; only the official patches remove the flaws, so apply them as the long-term fix.
Q6: What is the deadline set by CISA for CVE-2025-31324 mitigation?
Federal agencies are required to secure affected systems by May 20, 2025.
How Technijian Can Help Protect Your SAP Systems
At Technijian, we specialize in enterprise-grade cybersecurity and SAP environment hardening. Here’s how we ensure your systems stay safe:
- Rapid SAP Patch Management: We deploy critical updates such as the patches for CVE-2025-31324 and CVE-2025-42999 (SAP Security Notes 3594142 and 3604119) without disrupting operations.
- Security Posture Assessments: Identify and remediate vulnerabilities before attackers strike.
- 24/7 Threat Monitoring & Response: Detect malicious behavior across SAP servers in real-time.
- Custom SAP Security Solutions: From Visual Composer lockdowns to secure file uploads, we tailor defenses for your unique infrastructure.
- Compliance & Governance Support: Stay aligned with CISA mandates and industry standards.
Reach out today to let Technijian safeguard your SAP assets with unmatched precision and care.
About Technijian
Technijian is a premier managed IT services provider, committed to delivering innovative technology solutions that empower businesses across Southern California. Headquartered in Irvine, we offer robust IT support and comprehensive managed IT services tailored to meet the unique needs of organizations of all sizes. Our expertise spans key cities like Aliso Viejo, Anaheim, Brea, Buena Park, Costa Mesa, Cypress, Dana Point, Fountain Valley, Fullerton, Garden Grove, and many more. Our focus is on creating secure, scalable, and streamlined IT environments that drive operational success.
As a trusted IT partner, we prioritize aligning technology with business objectives through personalized IT consulting services. Our extensive expertise covers IT infrastructure management, IT outsourcing, and proactive cybersecurity solutions. From managed IT services in Anaheim to dynamic IT support in Laguna Beach, Mission Viejo, and San Clemente, we work tirelessly to ensure our clients can focus on business growth while we manage their technology needs efficiently.
At Technijian, we provide a suite of flexible IT solutions designed to enhance performance, protect sensitive data, and strengthen cybersecurity. Our services include cloud computing, network management, IT systems management, and disaster recovery planning. We extend our dedicated support across Orange, Rancho Santa Margarita, Santa Ana, and Westminster, ensuring businesses stay adaptable and future-ready in a rapidly evolving digital landscape.
Our proactive approach to IT management also includes help desk support, cybersecurity services, and customized IT consulting for a wide range of industries. We proudly serve businesses in Laguna Hills, Newport Beach, Tustin, Huntington Beach, and Yorba Linda. Our expertise in IT infrastructure services, cloud solutions, and system management makes us the go-to technology partner for businesses seeking reliability and growth.
Partnering with Technijian means gaining a strategic ally dedicated to optimizing your IT infrastructure. Experience the Technijian Advantage with our innovative IT support services, expert IT consulting, and reliable managed IT services in Irvine. We proudly serve clients across Irvine, Orange County, and the wider Southern California region, helping businesses stay secure, efficient, and competitive in today’s digital-first world.