Critical SAP Alert: Breaking Down the Second Zero-Day Exploit in Recent Cyberattacks

In this episode, we explore SAP’s urgent response to a second zero-day vulnerability, CVE-2025-42999, discovered alongside CVE-2025-31324, both actively exploited in recent cyberattacks targeting SAP NetWeaver. These flaws allowed attackers to upload malicious files and execute remote commands, even on patched systems, indicating sophisticated, chained exploitation techniques. Security firms like Onapsis and ReliaQuest have confirmed widespread abuse, linking some activity to the threat group Chaya_004. Over 2,000 SAP servers remain exposed online, with several Fortune 500 firms reportedly compromised. SAP urges immediate patching, disabling Visual Composer where possible, and closely monitoring server activity. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog and requires federal systems to be secured by May 20, 2025. This episode unpacks the vulnerabilities, the threat actors behind them, and the mitigation strategies needed now. Whether you’re in cybersecurity or SAP administration, this discussion offers essential insights to protect your systems from ongoing risks.

SAP patches second zero-day flaw
Technijian