Full Report
Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. [...]
Analysis Summary
# Vulnerability: Chain Exploitation of SAP NetWeaver Vulnerabilities by Ransomware Actors
## CVE Details
- CVE ID: CVE-2025-31324, CVE-2025-42999
- CVSS Score: Not stated numerically in the source, but the excerpt describes the flaw as maximum-severity, and the active exploitation and remote command execution potential imply **High/Critical Severity**.
- CWE: Not explicitly stated, but likely related to improper access control or code injection given the attack vector.
## Affected Systems
- Products: SAP NetWeaver
- Versions: Not specified in the source; implied to be unpatched versions prior to the security updates.
- Configurations: Systems running the Visual Composer service appear to be specifically targeted.
## Vulnerability Description
The report details the active exploitation of at least two chained vulnerabilities in SAP NetWeaver by various threat actors, including ransomware gangs and China-aligned APTs (UNC5221, UNC5174, CL-STA-0048).
1. **CVE-2025-31324:** This vulnerability was previously identified and added to the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation.
2. **CVE-2025-42999:** This is a second vulnerability, patched as a zero-day as early as March, that was chained with CVE-2025-31324 to achieve **Remote Command Execution (RCE)**.
Successful exploitation lets attackers deploy a persistent backdoor, giving them a foothold that facilitates lateral movement into connected Industrial Control Systems (ICS) networks. Attackers have already backdoored hundreds of instances globally.
## Exploitation
- Status: **Actively Exploited in the wild** (Targeted by ransomware gangs and several APT groups).
- Complexity: Implied **Medium to High**, since successful exploitation requires chaining two separate vulnerabilities.
- Attack Vector: **Network** (Remote execution on internet-facing SAP systems).
## Impact
- Confidentiality: **High** (Potential for long-term espionage, as indicated by APT activity).
- Integrity: **High** (Ability to gain persistence and execute commands remotely).
- Availability: **High** (Risk of service disruption due to lateral movement into ICS).
## Remediation
### Patches
- Apply the security patches released by SAP addressing **CVE-2025-31324** and **CVE-2025-42999**. (Specific patch versions are not listed in the source material.)
### Workarounds
1. **Disable the Visual Composer service** if upgrading is currently not possible.
2. **Restrict access to metadata uploader services.**
## Detection
- **Known Exploited Status:** CVE-2025-31324 is on the CISA KEV Catalog, triggering mandatory remediation deadlines for US federal agencies (May 20).
- **Monitoring:** Monitor for suspicious activity on SAP NetWeaver servers related to payload execution or unauthorized access to the Visual Composer service functions.
- **Indicators of Compromise:** Search for deployment of unknown backdoors on compromised instances.
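The monitoring and IoC items above ask defenders to watch access to the Visual Composer uploader and to look for unknown backdoors. The following is an added example, not code from the original report or from SAP, of how such a check can be run over web-server access logs: it flags any request that reaches the metadata uploader from a source outside a defender-maintained allowlist (highlighting successful POSTs, which are what the workaround "restrict access to metadata uploader services" is meant to prevent), and it flags requests for JSP resources that are not in a known baseline, which is one way an unknown backdoor shows up in traffic. The uploader path, the allowlist and the baseline are assumptions; the path in particular should be confirmed against SAP's advisory before use. The log lines are constructed.

```python
"""Access-log triage for the SAP NetWeaver Visual Composer activity described above.

Added example (not from the original report). Parses combined-format access-log
lines and reports:
  1. requests to the Visual Composer metadata uploader from non-allowlisted sources,
     with successful POSTs called out separately;
  2. requests for JSP resources outside a defender-supplied baseline, a simple
     signal for an unknown backdoor dropped on the server.
"""
import re
from collections import Counter
from dataclasses import dataclass

# ASSUMPTION: path of the Visual Composer metadata uploader. Confirm against SAP's advisory.
METADATA_UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed allowlist: sources that legitimately use the uploader (e.g. a build host).
ALLOWED_SOURCES = {"10.0.5.20"}

# Constructed baseline of JSP paths that are expected on this instance.
KNOWN_JSP = {"/irj/index.jsp"}

# Combined log format: ip ident user [time] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; no real hosts or timestamps.
SAMPLE_LOG = [
    '10.0.5.20 - - [12/May/2025:09:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/May/2025:09:15:11 +0000] "POST /developmentserver/metadatauploader?ts=1 HTTP/1.1" 200 1024',
    '203.0.113.45 - - [12/May/2025:09:15:40 +0000] "GET /irj/index.jsp HTTP/1.1" 200 2048',
    '203.0.113.45 - - [12/May/2025:09:16:05 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 77',
    '198.51.100.7 - - [12/May/2025:09:20:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
    'not a log line',
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, known_jsp=KNOWN_JSP, uploader_path=METADATA_UPLOADER_PATH,
            allowed=ALLOWED_SOURCES):
    """Walk the log once and collect findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as findings
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if path.lower().rstrip("/") == uploader_path:
            if rec["ip"] in allowed:
                continue
            reason = "metadata uploader reached from non-allowlisted source"
            if rec["method"] == "POST" and rec["status"] == 200:
                reason = "successful POST to metadata uploader from non-allowlisted source"
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"], path, rec["status"], reason))
        elif path.lower().endswith(".jsp") and path not in known_jsp:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"], path, rec["status"],
                                    "request for JSP not in baseline (possible unknown backdoor)"))
    return findings


def summarize(findings):
    """Count findings per (source, reason) so repeat offenders stand out."""
    return Counter((f.ip, f.reason) for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} {f.status} :: {f.reason}")
    for (ip, reason), n in summarize(analyze(SAMPLE_LOG)).items():
        print(f"{n}x {ip}: {reason}")
```

On the constructed sample the script reports three findings: the successful POST from 203.0.113.45, that host's subsequent request for a JSP outside the baseline, and the rejected probe from 198.51.100.7; the allowlisted build host and the baseline JSP produce nothing. In practice the allowlist should be as small as the workaround allows, and any non-empty output for the uploader is worth a ticket, since the service is supposed to be unreachable from untrusted sources.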
## References
- Vendor Advisory: SAP (Implied, as patches were released/mentioned)
- CISA KEV Catalog for CVE-2025-31324: https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA KEV Catalog Search: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA BOD 22-01: https://www.cisa.gov/binding-operational-directive-22-01