SAP Patches Second Zero-Day Flaw Exploited in Attacks

SAP, the German software giant known for its enterprise resource planning (ERP) software, has released urgent security patches to mitigate a second zero-day vulnerability actively exploited in the wild. This new vulnerability, designated CVE-2025-42999, affects the SAP NetWeaver Application Server and has been under active exploitation since at least January 2025. More alarmingly, it was chained with a previously disclosed flaw, CVE-2025-31324, found in SAP NetWeaver Visual Composer to conduct sophisticated, multi-stage cyberattacks.

The Attack Chain: From Exploitation to Persistence

The newly patched CVE-2025-42999 was not an isolated case. Instead, it was part of a coordinated campaign leveraging two zero-day vulnerabilities in SAP systems. CVE-2025-42999 allows unauthenticated remote attackers to execute arbitrary code on vulnerable SAP NetWeaver systems. Attackers chained this with CVE-2025-31324, a vulnerability in SAP Visual Composer, to escalate privileges, deploy persistence mechanisms, and ultimately exfiltrate sensitive data from corporate and government environments.

The attack chain allowed adversaries to silently infiltrate SAP systems and maintain long-term access, bypassing detection and response mechanisms. This type of chaining attack highlights the adversaries’ deep understanding of SAP’s architecture, suggesting they were well-resourced and experienced—likely tied to state-sponsored cyber-espionage campaigns.

CISA Reacts: Federal Response and Mitigation Timeline

In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog on May 13, 2025. This designation triggers a federal directive requiring all U.S. government agencies to secure their SAP NetWeaver instances against CVE-2025-31324 by May 20, 2025.

Though CVE-2025-42999 is not yet listed, it is expected to join the catalog shortly given its use in active campaigns. This inclusion will likely expand the scope of federal mandates to include the newly patched flaw as well, reinforcing the urgency for public and private sector organizations to patch immediately.

Threat Attribution and Likely Actors

The nature of the attacks—sophisticated chaining, stealthy persistence, and targeting of critical SAP infrastructure—points to an Advanced Persistent Threat (APT) group. Analysts monitoring SAP-targeted activity believe the actors behind this campaign are state-sponsored, with motivations aligned with strategic cyber-espionage.

Historical campaigns involving similar SAP zero-days have previously been attributed to APT groups linked to East Asia and Eastern Europe, known for targeting enterprise software to establish beachheads inside government and Fortune 500 networks. While attribution is ongoing, indicators of compromise (IOCs) and command-and-control (C2) infrastructure suggest a long-prepared, coordinated campaign, possibly to support broader intelligence-gathering operations.

Technical Details

• CVE-2025-42999: A remote code execution vulnerability in SAP NetWeaver Application Server, exploitable without authentication. Affects versions deployed in enterprise production environments since at least late 2024.
• CVE-2025-31324: A vulnerability in SAP NetWeaver Visual Composer used to elevate privileges and execute commands at the system level. Exploited in follow-up attacks to deploy malware and backdoors.

Combined, these vulnerabilities can provide a near-complete compromise pathway—from initial access to persistence, lateral movement, and exfiltration. SAP has released updated patches and hardening guides for administrators.

Recommendations and Mitigation Steps

1. Patch Immediately: Apply the latest SAP security updates addressing CVE-2025-42999 and CVE-2025-31324.
2. Audit Logs: Conduct thorough log analysis for signs of suspicious activity dating back to at least January 2025.
3. Segment Networks: Isolate SAP systems from general-purpose enterprise infrastructure wherever possible.
4. Monitor for Persistence: Search for known IOCs, suspicious scheduled tasks, new administrative accounts, and reverse shells.
5. Update Threat Models: Update internal threat models to account for chained SAP vulnerabilities and lateral movement from ERP systems.

Why This Matters

SAP NetWeaver is the backbone of enterprise IT across sectors—finance, healthcare, logistics, energy, and government. The successful exploitation of chained zero-days in such systems represents a high-value compromise. The attackers were not simply looking for financial gain but persistent surveillance and strategic positioning. This raises the stakes dramatically for ERP cybersecurity moving forward.

Moreover, these attacks highlight the growing convergence between traditional IT infrastructure and application-layer targets. Organizations need to broaden their security perspective beyond endpoints and firewalls to include enterprise-grade software stacks, including ERP, CRM, and SCM platforms.

The exploitation of CVE-2025-42999 and CVE-2025-31324 marks a pivotal moment in SAP security, reminding enterprises and governments alike that their core business systems are prime targets in today’s cyber battleground. Timely patching, rigorous segmentation, and proactive threat hunting are no longer optional—they are the new baseline.

For more insights and updates on cybersecurity, AI advancements, and tech news, visit NorthernTribe Insider. Stay secure, NorthernTribe.