Daily Security Review

SAP NetWeaver Under Siege: New Exploit Chains Threaten Global Enterprises

45 min • 19 August 2025

SAP NetWeaver, one of the world’s most critical enterprise platforms, is under active attack from both ransomware groups and state-backed hackers. A newly released exploit combines two devastating vulnerabilities—CVE-2025-31324 and CVE-2025-42999—to bypass authentication and execute malicious code with full administrative privileges. With CVSS scores of 10.0 and 9.1, these flaws rank among the most severe ever discovered in SAP systems.

Although SAP issued patches earlier this year, dozens of unpatched NetWeaver servers remain exposed, leaving organizations vulnerable to complete compromise. The attack chain is straightforward but highly effective:

  1. Exploit CVE-2025-31324 (missing authorization check) to upload malicious payloads without authentication.
  2. Trigger CVE-2025-42999 (insecure deserialization) to execute the uploaded code at SAP system privilege level.

The result: Remote Code Execution (RCE), enabling attackers to hijack business-critical applications, steal sensitive data, alter financial records, or deploy ransomware across entire corporate landscapes.

Threat actors exploiting these flaws include:

  • China-linked APTs such as UNC5221, UNC5174, CL-STA-0048, and Earth Lamia, known for espionage and long-term persistence operations.
  • Russian ransomware groups like BianLian, RansomEXX, and Qilin, who are actively monetizing these exploits through extortion and disruption.

Security experts warn that the insecure deserialization technique underpinning CVE-2025-42999 could resurface in future SAP vulnerabilities, making this exploit chain part of a broader, evolving threat landscape.

The stakes are enormous. Victims already include critical infrastructure sectors:

  • Natural gas and water utilities in the UK
  • Oil and gas producers in the U.S.
  • Medical device manufacturers
  • Government ministries in Saudi Arabia

The business consequences range from PII exposure and data corruption to ransomware-driven outages reminiscent of high-profile ERP disruptions in recent years.

Indicators of Compromise (IoCs) include: suspicious .jsp, .java, or .class files in SAP directories, often named helper.jsp, coresap.jsp, or randomized variants. Attackers are also experimenting with webshell-less persistence, making detection even harder.

Recommendations for Defenders:

  • Patch immediately using SAP Security Notes 3594142 and 3604119. Note 3604119 fixes the root deserialization flaw and supersedes previous mitigations.
  • For unpatchable systems, follow Option 0 from SAP Note 3593336 to completely remove the vulnerable Visual Composer application.
  • Restrict network access to the /developmentserver/metadatauploader endpoint using firewall rules or SAP Web Dispatcher.
  • Conduct compromise assessments with Onapsis/Mandiant’s open-source scanning tools and review system directories for suspicious files.
  • Enhance monitoring for deserialization exploits, webshell access, and “living-off-the-land” persistence techniques.
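The last three recommendations (restrict the uploader endpoint, sweep SAP directories for the named IoC files, and monitor webshell access) can be turned into a small triage script. The following Python is an added example written for this page; it is not code from the podcast, from SAP, or from the Onapsis/Mandiant tooling mentioned above. It assumes access logs in Common/Combined Log Format and a known-good file inventory ("baseline") you maintain yourself; both the sample file list and the log lines at the bottom are constructed test data.

```python
import re
from pathlib import Path

# IoC file names quoted in the episode notes (extend with your own intel).
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "coresap.jsp"}
# Extensions the notes call out as suspicious when they appear unexpectedly.
SUSPICIOUS_SUFFIXES = {".jsp", ".java", ".class"}
# Endpoint the notes recommend restricting at the firewall / Web Dispatcher.
UPLOADER_ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: access logs are in Common/Combined Log Format; adapt the regex
# if your SAP Web Dispatcher or reverse proxy writes a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_files(relative_paths, baseline=frozenset()):
    """Triage paths (relative to the SAP application root) against the IoCs.

    Returns a list of (path, severity, reason). A Java stack legitimately
    contains many .jsp/.class files, so files listed in `baseline` (your
    known-good inventory) are skipped unless they carry a known webshell name.
    """
    findings = []
    for rel in relative_paths:
        name = Path(rel).name.lower()
        suffix = Path(rel).suffix.lower()
        if name in KNOWN_WEBSHELL_NAMES:
            findings.append((rel, "high", "known webshell file name"))
        elif suffix in SUSPICIOUS_SUFFIXES and rel not in baseline:
            findings.append((rel, "medium", f"{suffix} file not in baseline inventory"))
    return findings


def scan_directory(root, baseline=frozenset()):
    """Walk a real directory tree and triage every regular file under it."""
    root = Path(root)
    rels = [str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()]
    return classify_files(rels, baseline)


def flag_uploader_requests(log_lines):
    """Return every parsed request that touched the metadata uploader endpoint.

    Once the endpoint is restricted as recommended, any request reaching it
    from outside the allowed range is worth an alert; 2xx responses are the
    ones to escalate first because they indicate the upload was accepted.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave it for the log-quality queue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.startswith(UPLOADER_ENDPOINT):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    # Constructed sample data, not real findings from any system.
    sample_files = [
        "irj/root/index.jsp",     # in baseline: expected, not reported
        "irj/root/helper.jsp",    # named IoC from the episode notes
        "irj/root/x7f3k2.jsp",    # randomized name, not in baseline
        "irj/root/images/logo.png",
    ]
    baseline = frozenset({"irj/root/index.jsp"})
    for finding in classify_files(sample_files, baseline):
        print("FILE", *finding)

    sample_log = [
        '203.0.113.7 - - [19/Aug/2025:10:14:02 +0000] '
        '"POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
        '198.51.100.3 - - [19/Aug/2025:10:15:10 +0000] "GET /irj/portal HTTP/1.1" 200 8812',
        'not a log line',
    ]
    for hit in flag_uploader_requests(sample_log):
        print("LOG", hit)
```

Run `scan_directory` against the NetWeaver application root on a host you are assessing and feed `flag_uploader_requests` your Web Dispatcher or proxy logs; the baseline set is what keeps the sweep from reporting every legitimate JSP on the system, so build it from a freshly patched or known-clean install rather than from the host under review.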

This wave of SAP exploitation demonstrates a sobering truth: critical business applications are now prime ransomware and APT targets. Organizations running SAP must treat ERP security with the same urgency as endpoint and cloud defenses—or risk catastrophic business disruption.

#SAPNetWeaver #CVE202531324 #CVE202542999 #RansomEXX #BianLian #Qilin #UNC5221 #EarthLamia #DeserializationExploit #ERPsecurity #CriticalInfrastructure #Ransomware #APT
