Full Report
SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. [...]
Analysis Summary
# Vulnerability: SAP NetWeaver Insecure Deserialization (Chained Exploit)
## CVE Details
- CVE ID: CVE-2025-42999 (insecure deserialization). *Note: the observed attacks chain it with a second exploited flaw, CVE-2025-31324, a missing authorization check that lets an unauthenticated client reach the Visual Composer Metadata Uploader.*
- CVSS Score: *Not given in the source text.* Treat the chain as critical: it yields unauthenticated remote command execution.
- CWE: CWE-502 (Deserialization of Untrusted Data) for CVE-2025-42999; the chained flaw is a missing authorization check.
## Affected Systems
- Products: SAP NetWeaver systems with the Visual Composer Metadata Uploader deployed.
- Versions: *Not listed in the source text.* Treat every NetWeaver instance that has Visual Composer deployed as affected until both patches are applied.
- Configurations: On its own, CVE-2025-42999 is reachable only by a user holding the `VisualComposerUser` role, so a system patched against CVE-2025-31324 but not CVE-2025-42999 still exposes the deserialization flaw to any such account. The active attacks exploit both vulnerabilities together, which removes the need for any credentials.
## Vulnerability Description
The primary vulnerability discussed here, **CVE-2025-42999**, is an **insecure deserialization** flaw in SAP NetWeaver: the Visual Composer Metadata Uploader deserializes attacker-controlled data, which lets a user with the `VisualComposerUser` role run arbitrary commands on the server. In the observed attacks it is chained with **CVE-2025-31324**, a missing authorization check on the same uploader, so the attacker first reaches the uploader without authenticating and then triggers the deserialization flaw. The combination gives unauthenticated remote command execution (RCE).
## Exploitation
- Status: Exploited in the wild as a zero-day, before patches were available. Attacks observed since January 2025 and escalating in March 2025.
- Complexity: Low when chained with CVE-2025-31324, which removes the authentication requirement and gives RCE without any account.
- Attack Vector: Network. The Metadata Uploader is an HTTP endpoint, and the attacked systems were exposed to the internet.
## Impact
- Confidentiality: High. Arbitrary command execution exposes all data the NetWeaver server process can read.
- Integrity: High. Arbitrary command execution allows modification of application data, code and configuration.
- Availability: High. Arbitrary command execution allows the attacker to disrupt or destroy the system.
## Remediation
### Patches
- SAP has released patches addressing both CVE-2025-31324 and CVE-2025-42999. Apply both immediately: fixing CVE-2025-31324 alone leaves the deserialization flaw reachable by any account holding the `VisualComposerUser` role.
### Workarounds
- Disable the Visual Composer service where it is not needed; this removes the vulnerable uploader entirely.
- Where Visual Composer must stay, restrict access to the metadata uploader endpoint to trusted sources and never expose it to the internet. This limits exposure but does not replace the patches.
## Detection
- Indicators of Compromise (IoCs): *The source text lists no hashes, addresses or file names.* Treat any request to the metadata uploader from an unexpected source, and in particular an accepted (2xx) POST from an unauthenticated client, as a likely exploitation attempt.
- Detection methods and tools: Review the HTTP access logs of SAP NetWeaver servers, especially internet-facing ones, for requests to the metadata uploader; inspect the application directories for files created around the time of such requests; and alert on unexpected command execution spawned by the NetWeaver Java server process.
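The log review described above, as an added example that is not part of the original report and not SAP's own tooling. It assumes Apache-style combined access logs (adjust the regex for ICM or Web Dispatcher output), assumes the uploader is served at `/developmentserver/metadatauploader` (the path named in public advisories; confirm it on your own system), and treats a `.jsp` request from the same source shortly after an accepted upload as a possible web shell access. The sample log lines are constructed for the demo.

```python
"""Added example (not from the original report or from SAP): flag suspicious
requests to the SAP NetWeaver Visual Composer metadata uploader in HTTP logs.

Assumptions, none of which come from the report:
  - Logs are Apache "combined" style; adjust LOG_RE for ICM / Web Dispatcher.
  - The uploader lives at /developmentserver/metadatauploader (path named in
    public advisories; verify on your own system).
  - A .jsp request from the same source soon after an accepted upload is
    reported as a possible web shell access; tune the window to your traffic.
"""
import re
from datetime import datetime

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumed path

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2025:09:13:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [10/May/2025:09:13:45 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0
203.0.113.7 - - [10/May/2025:09:13:52 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 88
10.0.0.9 - - [10/May/2025:09:20:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["url"].split("?", 1)[0].lower()  # drop the query string
    return rec


def find_suspicious(log_text, follow_on_window_s=600):
    """Scan log text; return (severity, ip, timestamp, reason) tuples in log order."""
    findings = []
    accepted_upload = {}  # source ip -> time of its last accepted POST to the uploader
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ok = 200 <= rec["status"] < 300
        if rec["path"] == UPLOADER_PATH:
            if rec["method"] == "POST" and ok:
                # The server accepted a body from this client: treat as an exploitation attempt.
                findings.append(("CRITICAL", rec["ip"], rec["ts"], "accepted POST to metadata uploader"))
                accepted_upload[rec["ip"]] = rec["ts"]
            elif ok:
                # Endpoint answered a non-POST request: the client is probing for exposure.
                findings.append(("WARN", rec["ip"], rec["ts"],
                                 f"{rec['method']} probe of uploader returned {rec['status']}"))
            else:
                # Rejected by the server (e.g. after the patch or an access restriction).
                findings.append(("INFO", rec["ip"], rec["ts"],
                                 f"request to uploader blocked with {rec['status']}"))
        elif rec["ip"] in accepted_upload and rec["path"].endswith(".jsp"):
            delta = (rec["ts"] - accepted_upload[rec["ip"]]).total_seconds()
            if 0 <= delta <= follow_on_window_s:
                findings.append(("CRITICAL", rec["ip"], rec["ts"],
                                 f"JSP request {delta:.0f}s after accepted upload (possible web shell)"))
    return findings


if __name__ == "__main__":
    for sev, ip, ts, why in find_suspicious(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {ts.isoformat()} {why}")
```

Run it against the real access logs of every internet-facing NetWeaver host; the `INFO` findings are useful after patching because they show which sources are still probing the endpoint, while any `CRITICAL` finding from before the patch date warrants a full incident response on that host.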
## References
- Vendor Advisories: SAP Security Notes for CVE-2025-31324 and CVE-2025-42999 (specific note numbers not given in the source text).
- Relevant links:
- CISA notice regarding CVE-2025-31324 being added to the KEV Catalog: hxxps://www.cisa.gov/news-events/alerts/2025/04/29/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA KEV Catalog search for the related CVE: hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-31324&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=