SAP has released patches to address a second vulnerability, CVE-2025-42999, affecting SAP NetWeaver. The vulnerability is a privilege escalation issue that, when chained with SAP’s CVE-2025-31324 vulnerability (an unauthenticated file upload flaw in SAP NetWeaver Visual Composer), can enable attackers to move from remote code execution (RCE) to complete administrative control over the SAP environment. Continue reading this Cybersecurity Threat Advisory to keep your environment safe.
What is the threat?
The primary threat centers around two critical vulnerabilities in SAP systems: CVE-2025-31324 and CVE-2025-42999. Attackers can chain these vulnerabilities to gain unauthenticated remote code execution and full administrative control over SAP NetWeaver environments. Threat actors, including advanced persistent threat (APT) groups, actively exploit these flaws in the wild to infiltrate SAP landscapes and access high-value data.
Following successful RCE via CVE-2025-31324, attackers have been observed leveraging CVE-2025-42999, a privilege escalation vulnerability in SAP’s backend processing logic. This flaw allows attackers to elevate their access from a general user or web shell context to full SAP administrative privileges, bypassing role-based access controls and security restrictions. Once escalated, attackers can issue privileged SAP commands, access or modify sensitive business data, install persistent backdoors, and disable logging mechanisms. Together, the two vulnerabilities create a clear path from external, unauthenticated access to complete control of the SAP application layer. This makes them an ideal exploitation chain for espionage, data theft, or ransomware deployment.
Why is it noteworthy?
This vulnerability is noteworthy for several reasons. First, it targets SAP NetWeaver, a foundational platform that supports mission-critical business applications in many of the world’s largest enterprises, and it has already been weaponized in real-world attacks. Second, the attacks are not hypothetical: security firms and SAP confirm that APT groups are exploiting this vulnerability against sensitive SAP systems. Espionage and data theft are the likely motives, raising the stakes for affected organizations. Finally, the combination of unauthenticated access, trivial exploitation, and high-value impact makes this one of the most urgent SAP vulnerabilities in recent memory.
What is the exposure or risk?
Organizations using unpatched versions of SAP NetWeaver Visual Composer are at high risk of system compromise, especially if the affected endpoints are accessible from the internet or less restricted internal networks. Successful exploitation could lead to total control over the SAP application environment, including access to proprietary business data, customer records, and operational workflows. Attackers could also leverage access to SAP to move laterally within the corporate network, plant persistent backdoors, or deploy ransomware.
What are the recommendations?
Barracuda strongly recommends that organizations take these additional steps to protect their environment:
- Install all relevant patches for CVE-2025-31324 and CVE-2025-42999 as provided in SAP’s May 2025 security release.
- Use firewalls, reverse proxies, or SAP Web Dispatcher to restrict access to /developmentserver/metadatauploader and other sensitive services.
- Audit logs for suspicious activity such as unauthorized file uploads, unusual POST requests, or execution of unknown scripts.
- Isolate SAP servers from the general network and block access from unauthorized users or systems.
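To support the log-audit step above, here is an added example (not part of this advisory, and not Barracuda or SAP code) that scans web-server access-log lines for requests to the metadata uploader endpoint named above. The combined log format, the constructed sample lines, the allowlist of trusted sources, and the heuristic of flagging later .jsp requests from a source whose upload was accepted are all assumptions.

```python
import re
from collections import namedtuple

# Endpoint named in the advisory; the Visual Composer upload path attackers abuse.
WATCHED_PATH = "/developmentserver/metadatauploader"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/May/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [13/May/2025:10:03:48 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [13/May/2025:10:03:52 +0000] "GET /irj/unknown.jsp HTTP/1.1" 200 88
10.0.0.5 - - [13/May/2025:10:04:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

Finding = namedtuple("Finding", "ip ts method path status reason")


def scan_access_log(text, allowed_sources=frozenset()):
    """Return findings for suspicious activity around the uploader endpoint.

    Any accepted POST (status < 400) is reported regardless of the allowlist, so
    trusted sources cannot mask a successful upload. Other hits from sources that
    are not allowlisted are reported too. A .jsp request from a source whose
    upload was accepted is flagged as a possible follow-on script execution
    (assumed heuristic)."""
    findings = []
    uploaders = set()  # sources whose POST to the uploader was accepted
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method = m.group("ip"), m.group("method")
        path = m.group("path").split("?", 1)[0].lower()
        status = int(m.group("status"))
        reason = None
        if path.startswith(WATCHED_PATH):
            if method == "POST" and status < 400:
                reason = "accepted POST to metadata uploader"
                uploaders.add(ip)
            elif ip not in allowed_sources:
                reason = "uploader endpoint reached from non-allowlisted source"
        elif ip in uploaders and path.endswith(".jsp"):
            reason = "script request from source that previously uploaded"
        if reason:
            findings.append(Finding(ip, m.group("ts"), method, path, status, reason))
    return findings
```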
References
For more in-depth information about the threat, please visit the following links:
- https://www.bleepingcomputer.com/news/security/sap-patches-second-zero-day-flaw-exploited-in-recent-attacks/
- https://nvd.nist.gov/vuln/detail/CVE-2025-31324
- https://www.cve.org/CVERecord?id=CVE-2025-42999
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.