Cybersecurity Threat Advisory: Critical SAP NetWeaver vulnerabilities


Researchers have uncovered a chained vulnerability in SAP NetWeaver Visual Composer involving authentication bypass and insecure deserialization. These critical flaws—tracked as CVE-2025-31324 and CVE-2025-42999—are currently being exploited in an active threat campaign targeting exposed Visual Composer servers. Review the details in this Cybersecurity Threat Advisory to reduce your risk from these threats.

What is the threat?

This exploit chain combines an authentication bypass (CVE-2025-31324) with insecure deserialization (CVE-2025-42999) to achieve unauthenticated remote code execution (RCE) at administrator privilege level on SAP NetWeaver systems. Attackers drop malicious web shells that grant persistent access, allowing them to run arbitrary commands, exfiltrate sensitive data, move laterally within the network, and conceal their presence indefinitely.
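Because the end result of the chain described above is a web shell dropped into the application's web root, the most direct defensive check is a file-integrity hunt: compare the server-side files currently on disk against a known-good manifest and inspect anything new or changed for command-execution patterns. The following is an added example, not code from the advisory or from SAP; the web root layout, file names and file contents are constructed in a temporary directory so the script runs offline, and the content heuristics are illustrative rather than a complete web shell signature set.

```python
"""Hunt for dropped web shells under a Java web root.

Approach: build a sha256 manifest of server-side files, diff it against a
known-good baseline, and scan every new or changed file for patterns that
are typical of command-execution web shells. The sample tree below is
constructed for demonstration only.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Server-side file types an attacker would drop to obtain code execution.
SERVER_SIDE_SUFFIXES = {".jsp", ".jspx", ".class", ".jar", ".war"}

# Heuristic content indicators (label, regex). Illustrative, not exhaustive.
SHELL_INDICATORS = [
    ("runtime_exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec")),
    ("process_builder", re.compile(rb"ProcessBuilder")),
    ("param_to_exec", re.compile(rb"request\.getParameter\([^)]*\).*exec", re.S)),
]


def sha256_file(path: Path) -> str:
    """Stream a file through sha256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map relative POSIX path -> sha256 for every server-side file under webroot."""
    manifest = {}
    for path in webroot.rglob("*"):
        if path.is_file() and path.suffix.lower() in SERVER_SIDE_SUFFIXES:
            manifest[path.relative_to(webroot).as_posix()] = sha256_file(path)
    return manifest


def find_web_shells(webroot: Path, baseline: dict) -> list:
    """Return findings for files that are new or changed relative to the baseline.

    Each finding carries the file's status, its current hash and the list of
    shell-indicator labels matched in its content (empty list = no match).
    """
    findings = []
    for rel, digest in sorted(build_manifest(webroot).items()):
        if rel in baseline and baseline[rel] == digest:
            continue  # unchanged since the known-good snapshot
        status = "new" if rel not in baseline else "changed"
        data = (webroot / rel).read_bytes()
        hits = [label for label, pattern in SHELL_INDICATORS if pattern.search(data)]
        findings.append({"path": rel, "status": status, "sha256": digest,
                         "shell_indicators": hits})
    return findings


def run_demo() -> list:
    """Construct a sample web root, snapshot it, simulate a compromise, and hunt."""
    webroot = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    (webroot / "app").mkdir()
    (webroot / "lib").mkdir()
    (webroot / "app" / "index.jsp").write_text("<html><body>Welcome</body></html>\n")
    (webroot / "lib" / "app.jar").write_bytes(b"PK\x03\x04 constructed jar placeholder")
    (webroot / "app" / "README.txt").write_text("not server-side, ignored\n")

    baseline = build_manifest(webroot)  # the known-good snapshot

    # Simulated post-exploitation changes (constructed, not real attacker code):
    # an unexpected JSP appears, and a legitimate page is modified.
    (webroot / "uploads").mkdir()
    (webroot / "uploads" / "helper.jsp").write_text(
        '<%@ page import="java.io.*" %>'
        '<% String c = request.getParameter("cmd"); '
        'Process p = Runtime.getRuntime().exec(c); %>\n')
    with (webroot / "app" / "index.jsp").open("a") as fh:
        fh.write("<!-- harmless edit -->\n")

    return find_web_shells(webroot, baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

A changed file with no indicators (like the edited index page in the demo) still deserves a look, since the baseline diff, not the regex, is the reliable part of the check; the content heuristics only help prioritise. In production the baseline would be taken from a clean build or a trusted backup rather than from the live host.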

Why is it noteworthy?

This threat campaign targets SAP NetWeaver Visual Composer, a core platform underpinning business-critical applications across enterprises. Organizations use Visual Composer to orchestrate processes, generate custom analytics, and build front-end applications.

Attackers have weaponized both vulnerabilities as zero-day flaws and are actively exploiting them in the wild. Security teams have observed multiple exploit variants aiming to achieve unauthenticated RCE, underscoring the urgency for remediation.

CVE-2025-42999 is especially insidious because its underlying technique is highly adaptable: attackers can repurpose the same deserialization logic to chain with other recently disclosed SAP flaws, dramatically widening the attack surface for any environment that remains unpatched.

What is the exposure or risk?

Organizations that haven’t applied SAP’s April and May 2025 security updates remain vulnerable to full, unauthenticated administrative takeover of their SAP infrastructure. This exposure can lead to service outages and disruptions in mission-critical workflows, and to persistent web shell implants that enable long-term espionage, data theft, or sabotage. It also opens the door to lateral movement across enterprise systems, significantly amplifying the scope and severity of any breach.

What are the recommendations?

Barracuda recommends the following actions to mitigate risks associated with recent SAP NetWeaver vulnerabilities and strengthen overall system resilience:

  • Apply SAP’s security patches for CVE-2025-31324 (released April 2025) and CVE-2025-42999 (released May 2025).
  • Apply all related July 2025 deserialization fixes to fully remediate vulnerable components.
  • Restrict external access to SAP development and management interfaces, limit exposure to trusted networks, and enforce multifactor authentication (MFA) for administrative accounts.
  • Establish an incident response plan for SAP NetWeaver related threats, including procedures for isolating compromised servers, collecting forensic evidence, validating system integrity, and restoring clean backups.
  • Train operational and security staff on detection methods, patching procedures, and emergency response actions specific to this vulnerability.
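The recommendation to restrict development and management interfaces to trusted networks is easy to state and easy to get wrong, so it pays to verify it from the web server's own access logs. The script below is an added example, not Barracuda's or SAP's code: it parses Common Log Format lines, flags any request to a management interface prefix that did not originate from a trusted network, and summarises offenders by source address. The interface prefixes, trusted ranges and log lines are constructed placeholders and would be replaced with the real values of a given landscape.

```python
"""Verify network restrictions on management interfaces using access logs.

Every request whose path begins with one of the management prefixes is
checked against the trusted network allowlist; anything from elsewhere is
reported. Prefixes, ranges and log lines are constructed examples.
"""
import ipaddress
import re
from collections import Counter

# Assumed placeholders: path prefixes of interfaces that must be reachable
# only from trusted networks. Substitute the real paths of your landscape.
MANAGEMENT_PREFIXES = ("/example-devserver/", "/example-admin-console/")

# Assumed placeholders: the networks allowed to reach those interfaces.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.100.0/24")]

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log; the 203.0.113.0/24 range is a documentation range.
SAMPLE_LOG = """\
10.20.5.7 - - [05/May/2025:10:15:30 +0000] "GET /example-admin-console/login HTTP/1.1" 200 1843
203.0.113.45 - - [05/May/2025:10:16:02 +0000] "POST /example-devserver/upload HTTP/1.1" 200 512
203.0.113.45 - - [05/May/2025:10:16:09 +0000] "GET /example-devserver/tmp/helper.jsp HTTP/1.1" 200 77
198.51.100.9 - - [05/May/2025:10:17:41 +0000] "GET /public/index.html HTTP/1.1" 200 4096
this line is not in common log format and is skipped
192.168.100.14 - - [05/May/2025:10:18:13 +0000] "GET /example-devserver/status HTTP/1.1" 200 301
"""


def parse_line(line: str):
    """Return a dict of the log fields, or None for lines that do not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip: str) -> bool:
    """True when the source address lies inside any trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_management_path(path: str) -> bool:
    """True when the request path targets a restricted interface prefix."""
    return path.startswith(MANAGEMENT_PREFIXES)


def find_untrusted_management_access(lines) -> list:
    """Return parsed records for management-interface requests from untrusted sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_management_path(rec["path"]):
            continue
        if not is_trusted(rec["ip"]):
            # A write to a management interface from outside is the most
            # urgent case; mark it so triage can sort on it.
            rec["write_method"] = rec["method"] in ("POST", "PUT")
            findings.append(rec)
    return findings


def summarize_by_source(findings) -> Counter:
    """Count untrusted management requests per source address."""
    return Counter(rec["ip"] for rec in findings)


if __name__ == "__main__":
    hits = find_untrusted_management_access(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(rec["ip"], rec["method"], rec["path"], rec["status"], "write" if rec["write_method"] else "")
    print(summarize_by_source(hits))
```

A non-empty result means the network restriction is not actually in force for that interface, regardless of what the firewall policy says; a successful (2xx) write from an untrusted source additionally warrants the web shell hunt and the incident response steps listed above.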

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
