Protecting Against Zero Day SAP Vulnerabilities: CVE-2025-31324 & CVE-2025-42999

New Intelligence to Protect SAP from Ransomware and Data Breaches

Woman sitting at a computer surrounded by abstract representations of programming and technology

CVE-2025-31324

Emergency Patch Issued

On April 24, 2025, SAP released an emergency patch for a CVSS 10.0 zero-day vulnerability that affects SAP Visual Composer, an optional but broadly installed component present in 50-70% of SAP Java systems worldwide.

CVE-2025-31324

Confirmed Active Exploitation

This vulnerability is actively being exploited in the wild, as noted by Onapsis Threat Intelligence and multiple IR firms and security researchers. It was first publicly reported by ReliaQuest.

CVE-2025-42999

Exploited in Tandem

Onapsis Research Labs found CVE-2025-31324 is often used with CVE-2025-42999 (insecure deserialization in SAP Visual Composer) for unauthenticated remote code execution. SAP addressed this with Security Note 3604119 (May 13, 2025). Applying both patches is crucial.

CVE-2025-42999

Chained Exploitation Enables Unauthenticated RCE

CVE-2025-42999 becomes far more dangerous when combined with CVE-2025-31324, enabling attackers to upload and execute malicious payloads without authentication. This chaining method has been observed in real-world attacks and leads to full remote code execution.

Woman working at a computer

Read our resource page to learn more about the threat and potential business impact of this critical zero-day vulnerability as well as get recommendations and tools to help you mitigate:

  • Details about the CVE-2025-31324 and CVE-2025-42999 vulnerabilities.
  • Reporting on active exploitation in the wild and observations from Onapsis Research Labs.
  • How to determine if you’ve been exploited.
  • Recommendations on how to patch or mitigate this vulnerability in your essential SAP systems.
  • Get access to an open-source scanning tools and a YARA rule from Onapsis Research Labs.
Read the Latest Threat Updates

Unpacking CVE-2025-31324 and CVE-2025-42999

CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component, rated CVSS 10.0. Actively exploited in the wild, this flaw allows unauthenticated remote code execution (RCE) and poses an immediate risk to vulnerable SAP Java systems. In many observed attacks, it is chained with CVE-2025-42999, a related deserialization vulnerability, to enable full system compromise without prior access.

Affected Component

The vulnerabilities reside in the developmentserver/metadatauploader endpoint within SAP Visual Composer (NetWeaver 7.x). Although not installed by default, Visual Composer is enabled in approximately 50–70% of SAP Java systems due to its historical use in no-code business application development. Both CVE-2025-31324 and CVE-2025-42999 exploit this component—one enabling unauthenticated file uploads, the other leveraging insecure deserialization for code execution.

Exploitation Method

Threat actors exploit this issue by sending unauthenticated HTTP POST requests to the vulnerable endpoint, enabling arbitrary file uploads—typically web shells such as helper.jsp or cache.jsp. In observed attack chains, the uploaded payload often contains serialized objects that trigger CVE-2025-42999 upon deserialization, allowing code execution. Successful exploitation results in full system compromise with adm privileges.

Detection and Indicators of Compromise

Systems compromised via CVE-2025-31324 often contain suspicious .jsp, .class, or .java files in the following directories:

  • /irj/root/
  • /irj/work/
  • /irj/work/sync/

In attack chains involving CVE-2025-42999, look for evidence of serialized Java objects or deserialization-related payloads embedded in uploaded files. Refer to SAP Note 3596125 for detailed guidance on identifying indicators of compromise.

Mitigation and Patch Guidance

  • Apply the emergency patch from SAP Security Note 3594142 to remediate CVE-2025-31324
  • Apply SAP Security Note 3604119, released May 13, 2025, to address CVE-2025-42999
  • If patching is not immediately possible, follow the mitigation steps in SAP Note 3593336
  • Onapsis Assess enables identification of unpatched systems across your SAP landscape
  • Onapsis Defend detects and alerts on malicious POST activity targeting SAP Visual Composer
Details & Timeline of CVE-2025-31324 Details & Timeline of CVE-2025-42999 Indicators of Compromise Observed IP Addresses Business Impact of CVE-2025-31324 Remediation Steps for CVE-2025-31324

Why Onapsis Research Labs?

Onapsis Research Labs was the first to observe reconnaissance activity related to CVE-2025-31324 in January 2025, weeks before the vulnerability was officially identified. Our team has since:

  • Identified and documented active exploitation across customer environments
  • Coordinated directly with SAP and incident response teams
  • Released an open-source IOC scanner in partnership with Mandiant
  • Provided comprehensive threat intelligence briefings and mitigation guidance to the SAP security community

As the most experienced SAP cybersecurity research team in the world, Onapsis continues to lead with real-time detection, rapid response, and actionable insights. See below for additional SAP security information and recourses regarding CVE-2025-31324:

ON DEMAND WEBINAR

Onapsis and Mandiant: Latest Intelligence on CVE-2025-31324

Critical SAP Zero-Day Vulnerability Under Active Exploitation

In this webinar with Mandiant you will hear direct insight from leading threat intelligence experts on the active SAP zero-day vulnerability (CVE-2025-31324), its real-world impact, and how your team can respond effectively.

Watch now

Related Articles

Security Week Cybersecurity News, Insights & Analytics
Bleeping Computer
The Register
SAP Insider
ERP Today
Help Net Security

CVE-2025-31324 Frequently Asked Questions

Yes, it is very likely that version of NetWeaver Java is vulnerable. Additionally that version of NetWeaver Java is no longer supported by SAP and as a result SAP will not issue security patches to address this vulnerability on that version. Our recommendation is to follow one of the workaround steps described in SAP Note and have a plan to upgrade that system to a version of NetWeaver Java that is supported by SAP.

The only thing that will change if the SAP Application is not internet-facing is the frequency of exploitation. The vulnerability should still be considered critical and should be acted on immediately. Due to the nature of the vulnerability and how it is exploited, we expect to see automated exploit tools taking advantage of this vulnerability or tools that could easily be executed from within a network. Additionally, this could be leveraged by malicious software such as malware or ransomware.

We are gathering consolidated information related to the targeted industries, but at this stage all critical infrastructure should be considered at high risk based on the level of threat activity Onapsis Research Labs have seen. Having said that, all organizations are at high risk, due to the nature of this vulnerability, the exploitation over HTTP, and the level of threat activity seen over the past couple of days.

In general, Windows-based OSs are a preferred target for Ransomware gangs, because they have everything instrumented when it comes to ransomware, but it is not limited to just windows. I would not assume that if your SAP systems are running on a non-windows OS you are immune from a ransomware attack.

You need to list the Components of the SAP System. If “VISUAL COMPOSER FRAMEWORK”, or VCFRAMEWORK is installed, then the system is vulnerable, unless you apply the patch from SAP Security Note: #3594142 or the mitigations in SAP KB #3593336 (which are basically to make the component unreachable)

If you are an Onapsis customer, you can use Assess to scan all your JAVA systems. Assess will identify not only the systems that have the component, but report an issue for any that have the component and are not secured against the vulnerability.

On April 27, 2025 Onapsis Research Labs released an open-source scanner for CVE-2025-31324. Please see Open-Source Scanner for CVE-2025-31324 for more information.

It depends on whether the vulnerable component was included in the installation of that Solution Manager system. You will have to list the JAVA components of your Java SID, looking for the “VISUAL COMPOSER FRAMEWORK”, or VCFRAMEWORK component.

The vulnerability was not reported by any security researcher. It is unknown who found it, but it was being widely exploited across SAP applications. It is important to stress that this is not the result of theoretical research in a lab, there is active and ongoing exploitation of this vulnerability in the wild.

Further Reading

Want a more in-depth exploration? Start with these related pieces, then visit our Resources page for more.

ALL RESOURCES
Two men pair programming at a computer

Stay Ahead of Vulnerabilities with Onapsis Research Labs

Cybersecurity demands proactive measures, and protecting your SAP systems from the vulnerabilities being exploited is a critical endeavor. Don’t hesitate—reach out to us today to start strengthening your SAP environment’s security. Together, we can ensure your systems remain resilient and safeguarded against evolving threats.

Contact Us