A cybercriminal group operating under the name ShinyHunters has reportedly published a new exploit for an unpatched vulnerability in SAP software, potentially posing a significant threat to affected systems worldwide.
In a recent development, organizations using SAP NetWeaver are advised to take immediate action to secure their systems against two critical vulnerabilities: CVE-2025-31324 and CVE-2025-42999. These vulnerabilities, which were addressed by SAP in April and May 2025, can potentially be exploited by attackers to bypass authentication and execute remote code.
The exploit code contains version-specific adjustments and adapts based on SAP NetWeaver version detection. To protect against these vulnerabilities, it is crucial for organizations to promptly apply the official SAP security patches released in April and May 2025.
Beyond applying the patches, organizations should also implement proactive measures to detect exploitation attempts. This includes deploying detection focused on suspicious file uploads, in particular monitoring for JSP webshell files in the path , as indicators of compromise.
Additional steps include using scanners and open-source tools, such as those released by security firms like Onapsis, to identify vulnerable or compromised SAP NetWeaver servers. Organizations should also implement continuous monitoring and threat hunting for post-exploitation tactics linked to these vulnerabilities, since the exploit is modular and can be adapted to related SAP flaws.
Security teams should also stay alert for ransomware or espionage groups exploiting these vulnerabilities, as multiple advanced threat groups including Qilin, BianLian, RansomExx, and China-based espionage actors have weaponized this exploit chain in the wild since at least March 2025.
In addition to the aforementioned vulnerabilities, other critical patches include Security Notes 3578900, 3620498, 3610892, 3621771, and 3621236 for related deserialization flaws. Security researchers are also concerned that the exploit's deserialization gadget could be applied to recently patched deserialization vulnerabilities, including CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, and CVE-2025-42964.
Lastly, organizations should implement comprehensive monitoring for POST, GET, and HEAD requests targeting SAP Visual Composer components to further secure their SAP NetWeaver environments. By combining patch management to close the vulnerabilities with proactive detection of exploit activity and anomalous behaviors in SAP NetWeaver environments, organizations can significantly reduce the risk posed by this critical exploit chain.
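The request monitoring described above can be approximated with a log-based check that pairs write access to a Visual Composer component path with later retrieval of a JSP file under the portal's servlet root. The following is an added illustration, not code from the article or from SAP; the two path prefixes, the log lines and the source addresses are constructed placeholders, and real deployments should substitute their own endpoint and drop-directory paths.

```python
import re
from collections import defaultdict

# Placeholders (assumptions, not from the article): the Visual Composer component
# path and the servlet_jsp drop directory vary per deployment; set your own values.
VC_COMPONENT_PREFIX = "/vc-component-placeholder/"
JSP_ROOT_PREFIX = "/irj-root-placeholder/"
WATCHED_METHODS = {"POST", "GET", "HEAD"}

# Combined access-log format: src ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Return findings as {source_ip: [(severity, reason), ...]}.

    Any watched-method request to the Visual Composer path is flagged medium.
    A JSP fetched under the servlet root is medium on its own, but high when the
    same source previously completed a successful POST to the component path
    (upload followed by webshell invocation)."""
    findings = defaultdict(list)
    uploaded_from = set()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line: skip rather than crash on it
        src, method, path = rec["src"], rec["method"], rec["path"].split("?")[0]
        if method in WATCHED_METHODS and path.startswith(VC_COMPONENT_PREFIX):
            findings[src].append(("medium", f"{method} to Visual Composer path {path}"))
            if method == "POST" and rec["status"].startswith("2"):
                uploaded_from.add(src)
        if path.lower().endswith(".jsp") and path.startswith(JSP_ROOT_PREFIX):
            sev = "high" if src in uploaded_from else "medium"
            findings[src].append((sev, f"JSP fetched under servlet root: {path}"))
    return dict(findings)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """
198.51.100.7 - - [10/Jul/2025:10:01:02 +0000] "POST /vc-component-placeholder/upload HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:10:01:05 +0000] "GET /irj-root-placeholder/helper.jsp HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.1 - - [10/Jul/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:02:30 +0000] "HEAD /vc-component-placeholder/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
""".strip().splitlines()

if __name__ == "__main__":
    for src, hits in analyze(SAMPLE_LOG).items():
        for sev, reason in hits:
            print(f"{sev:6} {src} {reason}")
```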