Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft. A new exploit chaining two vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, in SAP NetWeaver exposes organizations to the risk of system compromise and data theft. CVE-2025-31324 (CVSS score: 10.0) is a missing authorization check in NetWeaver’s Visual Composer […] Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft. A new exploit chaining two vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, in SAP NetWeaver exposes organizations to the risk of system compromise and data theft. CVE-2025-31324 (CVSS score: 10.0) is a missing authorization check in NetWeaver’s Visual Composer development server. The flaw in NetWeaver Visual Composer Metadata Uploader stems from a lack of proper authorization checks. This means that unauthenticated attackers, those without valid credentials, can exploit it to upload malicious executable files to the system. Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw with the release of the April 2025 Security Patch Day. CVE-2025-42999 (CVSS score: 9.1) is an insecure deserialization in SAP NetWeaver’s Visual Composer development server. The flaw allows privileged users to upload malicious content, risking system confidentiality, integrity, and availability. U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog in May 2025. VX Underground published on X the exploit for the SAP zero-day exploit CVE-2025-31324, which was by “Scattered LAPSUS$ Hunters ShinyHunters” on a Telegram group. "Scattered Lapsus$ Hunters (UNC3944)", have released an alleged SAP7 0day exploit onto Telegram.I can't confirm or deny if it's an actual 0day, I have no way to test or confirm anything. However, it is fully weaponized.I've uploaded it to VXUGhttps://t.co/rCLwMHpY0w— vx-underground (@vxunderground) August 15, 2025
Published: 2025-08-20T00:01:53