NEWS SAP Hit by Second 0Day in a Row — Fortune 500 Infrastructure at Risk of Full Compromise

ExcalibuR


SAP underestimated the consequences of Visual Composer.


Ongoing attacks on SAP NetWeaver servers, initially attributed to a single zero-day, have turned out to be more severe. Researchers found that the attackers chained two critical vulnerabilities to bypass authentication and execute arbitrary code without holding any account on the system. Both flaws now carry official identifiers, CVE-2025-31324 and CVE-2025-42999. The first was patched in April, the second on May 12.


  • CVE-2025-31324: a missing authorization check in the SAP NetWeaver Visual Composer metadata uploader lets an unauthenticated attacker upload arbitrary files, including JSP web shells, to the server.
  • CVE-2025-42999: insecure deserialization in the same component, leading to command execution. On its own it requires the VisualComposerUser role; chained with the first flaw it becomes reachable without authentication.

Although SAP has not officially confirmed exploitation of the second flaw, Onapsis reports that the two vulnerabilities have been used together in attacks since January 2025.


These were not theoretical exploits. According to ReliaQuest, compromised servers were used to deploy JSP-based web shells and the Brute Ratel red-teaming framework. Security teams from watchTowr and Onapsis reported similar activity, including backdoors installed on publicly exposed, unpatched NetWeaver instances.


The picture worsened with findings from Forescout's Vedere Labs, which linked some of the attacks to the Chinese-speaking threat group Chaya_004. The group reportedly targeted major international companies, using the SAP flaws to gain covert access to their IT environments.


As of late April, 1,284 SAP servers were identified as vulnerable, with 474 already compromised, according to Onyphe’s CTO. At least 20 Fortune 500 and Global 500 companies were among the victims. By mid-May, Shadowserver Foundation reported over 2,040 exposed SAP NetWeaver servers online.


🔥 Impact Overview (Shadowserver):
  • Over 2,000 vulnerable SAP servers
  • Hundreds already compromised
  • Fortune 500 infrastructure directly impacted
Onapsis warns that the combination of the two bugs allows full authentication bypass and remote command execution, and that systems which applied only the April fix remain exposed to an attacker who holds the VisualComposerUser role. The threat is especially potent in environments where that role is assigned by default or not actively managed.


SAP has released critical patches and urges all customers to apply the following Security Notes immediately:


  • 3594142 (CVE-2025-31324)
  • 3604119 (CVE-2025-42999)

Additional SAP Security Recommendations:


  • Temporarily disable Visual Composer if it is not in use
  • Restrict access to the metadata uploader service
  • Closely monitor servers for suspicious activity, in particular newly created files in the web-application directories
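The last two recommendations translate into concrete checks. The Python below is an added example, not code from the original post, from SAP, or from any of the vendors cited above. It scans an AS Java HTTP access log for the upload-then-callback pattern described earlier (an accepted POST to the Visual Composer metadata uploader, followed by a request from the same client for a JSP under /irj/) and sweeps a JSP directory for recently modified files that contain Java command-execution primitives. The combined-log format, the sample log lines, the fixture files, the /irj/ path convention and the uploader path /developmentserver/metadatauploader are assumptions made for this example, not facts taken from the article.

```python
"""Triage helpers for the two Visual Composer mitigations above.

Added example; not code from the original post, from SAP or from any vendor
cited. Assumptions: an access log in combined-log-like format (SAMPLE_LOG is
constructed), /developmentserver/metadatauploader as the metadata uploader
endpoint, and JSPs served from a caller-supplied irj root directory.
"""
import os
import re
import tempfile
import time
from collections import defaultdict
from datetime import datetime

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumed uploader endpoint
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
JSP_RE = re.compile(r"/irj/[^\s?]*\.jsp", re.I)
# Java primitives a JSP web shell needs in order to run OS commands.
EXEC_MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder")

# Constructed sample: one benign portal request, then a reachable uploader,
# an accepted upload, and a callback to a JSP that did not exist before.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:09:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.23 - - [24/Apr/2025:09:02:03 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812
198.51.100.23 - - [24/Apr/2025:09:02:04 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 14
198.51.100.23 - - [24/Apr/2025:09:02:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 77
"""


def parse_access_log(text):
    """Return a list of (timestamp, ip, method, path, status); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def find_uploader_abuse(log_text, window_s=600):
    """Per source IP: accepted POSTs to the metadata uploader, plus any .jsp
    requests under /irj/ from the same IP within window_s seconds afterwards.
    Any hit is worth a look: a patched or restricted uploader should reject
    unauthenticated callers, and a JSP callback is the web-shell stage."""
    uploads, jsp_requests = defaultdict(list), defaultdict(list)
    for ts, ip, method, path, status in parse_access_log(log_text):
        route = path.split("?", 1)[0].lower()
        if route == UPLOADER_PATH and method == "POST" and status < 400:
            uploads[ip].append(ts)
        elif JSP_RE.search(path):
            jsp_requests[ip].append((ts, path))
    findings = []
    for ip, ups in uploads.items():
        callbacks = [p for ts, p in jsp_requests[ip]
                     if any(0 <= (ts - u).total_seconds() <= window_s for u in ups)]
        findings.append({"ip": ip, "uploads": len(ups), "jsp_callbacks": callbacks})
    return findings


def find_suspicious_jsp(irj_root, since_epoch):
    """Return (path, markers) for .jsp files under irj_root modified after
    since_epoch whose source contains command-execution markers."""
    hits = []
    for dirpath, _, files in os.walk(irj_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.lower().endswith(".jsp") or os.path.getmtime(full) < since_epoch:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            markers = [m for m in EXEC_MARKERS if m in body]
            if markers:
                hits.append((full, markers))
    return hits


def demo_fs_sweep():
    """Build a throwaway irj root with a benign JSP and a marker-bearing one, then sweep it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write("<html><%= new java.util.Date() %></html>\n")
    with open(os.path.join(root, "helper.jsp"), "w") as fh:
        # Constructed fixture carrying the marker strings only; not a working shell.
        fh.write("<%-- Runtime.getRuntime().exec / ProcessBuilder --%>\n")
    return sorted(os.path.basename(p) for p, _ in find_suspicious_jsp(root, time.time() - 3600))


if __name__ == "__main__":
    for f in find_uploader_abuse(SAMPLE_LOG):
        print(f"{f['ip']}: {f['uploads']} uploader POST(s), JSP callbacks {f['jsp_callbacks']}")
    print("shell-like JSPs in demo root:", demo_fs_sweep())
```

Run against a real instance, point `find_suspicious_jsp` at the directory the irj application serves JSPs from and set `since_epoch` to the last known-good deployment; the log scan deliberately reports uploader POSTs even without a JSP callback, since once the uploader is restricted there should be none at all.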

The U.S. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to remediate it by May 20 under BOD 22-01. CISA's alert stresses that vulnerabilities of this kind are prime entry points for attackers and pose a critical risk to infrastructure security.