    SAP patches second zero-day flaw exploited in recent attacks

    By PineapplesUpdate, May 14, 2025

    SAP has released patches for a second vulnerability exploited as a zero-day in recent attacks targeting SAP NetWeaver servers.

    The company issued security updates for this flaw (CVE-2025-42999) on Monday, May 12. Another flaw, an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer tracked as CVE-2025-31324, was fixed in April.

    A SAP spokesperson told BleepingComputer, “SAP is aware of and has been addressing vulnerabilities in SAP NetWeaver Visual Composer.” “We ask all customers using SAP NetWeaver to install these patches. Security notes can be found here: 3594142 and 3604119.”

    ReliaQuest first detected the attacks exploiting CVE-2025-31324 as a zero-day in April, reporting that threat actors were uploading JSP web shells to public directories after breaching customers’ systems through unauthorized file uploads on SAP NetWeaver. The compromised instances were fully patched, indicating that the attackers used a zero-day exploit.

    This malicious activity was also confirmed by cybersecurity firms watchTowr and Onapsis, who also saw the attackers uploading web shell backdoors on unpatched instances exposed online. Forescout’s Vedere Labs linked some of these attacks to a Chinese threat actor it tracks as Chaya_004.

    Onyphe CTO Patrice Auffret told BleepingComputer at the end of April that “Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” adding that 1,284 vulnerable instances were exposed at that time, 474 of which had already been compromised.

    The Shadowserver Foundation is now tracking more than 2,040 SAP NetWeaver servers exposed on the Internet and vulnerable to attacks.

    Figure: Vulnerable SAP NetWeaver servers exposed online (Shadowserver Foundation)

    New flaw also exploited in zero-day attacks

    While SAP did not confirm that CVE-2025-42999 was exploited in the wild, Onapsis CTO Juan Pablo Perez-Etchegoyen told BleepingComputer that threat actors had been chaining both vulnerabilities in attacks since January.

    “The attacks we saw during March 2025 (which started in January 2025 with basic probes) are actually abusing both the lack of authentication (CVE-2025-31324) and the insecure deserialization (CVE-2025-42999),” Perez-Etchegoyen said.

    “This combination allowed the attackers to execute commands remotely on the system without any kind of privileges. This residual risk is basically a deserialization vulnerability exploitable by users with the Visual Composer user role on the SAP target system.”

    SAP admins are advised to immediately patch their NetWeaver instances and to consider disabling the Visual Composer service if possible, as well as to restrict access to metadata uploader services and monitor their servers for suspicious activity.

    Since the attacks started, CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems by May 20, as mandated by Binding Operational Directive (BOD) 22-01.

    “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.

