SAP Patches Another Exploited NetWeaver Vulnerability – Source: www.securityweek.com

Source: www.securityweek.com – Author: Ionut Arghire

Enterprise software maker SAP on Tuesday released 16 new and two updated security notes as part of its May 2025 Security Patch Day. Two of the notes address critical vulnerabilities in NetWeaver exploited in the wild.

The most severe is an update to a note released on April 24 to address CVE-2025-31324 (CVSS score of 10/10), a critical-severity bug in NetWeaver’s Visual Composer development server component that has been exploited in the wild for remote code execution (RCE) since January.

Hundreds of NetWeaver servers have been compromised through CVE-2025-31324’s exploitation, and application security firm Onapsis warns that opportunistic attackers are looking to leverage webshells deployed during the initial zero-day attacks.

The company is seeing “significant activity from attackers who are using public information to trigger exploitation and abuse of webshells placed by the original attackers, who have currently gone dark.”

Analysis of the attacks has led to the discovery of another critical defect in NetWeaver’s Visual Composer. Tracked as CVE-2025-42999 (CVSS score of 9.1) and described as an insecure deserialization issue, the vulnerability was resolved with the second critical security note released on SAP’s May 2025 Security Patch Day.

According to Onapsis, the new patch “corrects the underlying risk in the Visual Composer component […] removing a residual risk that remained after patching CVE-2025-31324.”

The second bug was identified after reconstructing one of the original attacks, and organizations are advised to apply patches for both CVE-2025-31324 and CVE-2025-42999, to fully protect their deployments against the ongoing in-the-wild exploitation.

“SAP did a fantastic job responding quickly to new information and turned around an additional patch to enhance protections for the active exploit in the wild,” Onapsis says.

Since the April 2025 security notes were rolled out, SAP also updated two critical notes addressing code injection issues in S/4HANA (CVE-2025-27429) and Landscape Transformation (CVE-2025-31330). Despite the different CVEs, the notes resolve the same flaw.

On Tuesday, SAP released four new security notes and one updated note that address high-severity bugs in Supplier Relationship Management, S/4HANA Cloud Private Edition or On Premise, Business Objects Business Intelligence Platform, Landscape Transformation, and PDCE.

The software maker also released 11 new security notes that resolve medium-severity vulnerabilities in various products.

SAP customers are advised to apply the security notes as soon as possible, especially given the ongoing exploitation of CVE-2025-31324.

*Updated with additional details on CVE-2025-42999.

Original Post URL: https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/

Category & Tags: Vulnerabilities, SAP, vulnerability
