
SAP Patches Second Critical NetWeaver Flaw After Researchers Link It to Chained Zero-Day Attacks

Samir Haddad
Vulnerability analyst · Updated 05:34 PM UTC

SAP patched CVE-2025-42999, a critical NetWeaver Visual Composer deserialization flaw linked to chained attacks that followed exploitation of CVE-2025-31324.

SAP has patched a second critical flaw in NetWeaver Visual Composer after researchers linked it to chained attacks against enterprise systems. The May fix addresses residual risk from an earlier emergency patch for a zero-day that exposed affected servers to remote command execution, webshell deployment and follow-on intrusion activity.

The newer vulnerability, CVE-2025-42999, is an insecure deserialization flaw in the SAP NetWeaver Visual Composer Metadata Uploader. SAP addressed it through Security Note 3604119 on May 13, 2025, weeks after issuing an emergency fix for CVE-2025-31324, a separate Visual Composer flaw that allowed unauthenticated attackers to upload malicious files.

The May patch matters because the two bugs appear to sit in the same attack path. CVE-2025-31324 supplied the unauthenticated entry point, while CVE-2025-42999 could be abused through deserialization to deepen compromise. Researchers who reconstructed attacks said the combination enabled remote command execution without credentials in some scenarios.

That distinction is important. On paper, CVE-2025-42999 is not an unauthenticated remote-code-execution bug by itself. Its CVSS 3.1 vector includes high privileges required, and it carries a CVSS 9.1 (Critical) rating. The earlier flaw, CVE-2025-31324, was more severe in isolation, rated CVSS 10.0 by SAP because it allowed unauthenticated upload of executable content to affected systems.

Both vulnerabilities affect SAP NetWeaver Visual Composer / VCFRAMEWORK 7.50, specifically the Metadata Uploader area commonly exposed through:

/developmentserver/metadatauploader

The most defensible reconstruction of the timeline shows a slow escalation. Reconnaissance and test payloads were observed in January 2025, reports of active exploitation followed by March, confirmed incident-response cases emerged in April, public reporting on the intrusions appeared on April 22, SAP released the emergency fix for CVE-2025-31324 on April 24, and the second patch for CVE-2025-42999 landed on May 13.

Two days later, U.S. cybersecurity authorities added CVE-2025-42999 to the Known Exploited Vulnerabilities catalog, with a June 5, 2025 remediation deadline for covered federal agencies. The earlier flaw, CVE-2025-31324, had already been added to the same catalog after the April emergency patch.

The attack path begins with crafted HTTP requests to the Visual Composer Metadata Uploader endpoint. In observed cases, attackers uploaded JSP webshells or other malicious files into SAP web directories, then invoked them through HTTP requests to execute commands. Later analysis found that deserialization behavior in the same component could be abused as part of the chain.

Defenders have been told to look for suspicious .jsp, .java and .class files in SAP directories, including:

  • /irj/root/
  • /irj/work/
  • /irj/work/sync/

Observed webshell names include helper.jsp, cache.jsp, rrx.jsp, dyceorp.jsp and other randomly generated JSP filenames. Investigators have also warned that attackers may not always leave obvious webshell artifacts, because living-off-the-land activity and webshell-less persistence are possible.
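One way to operationalise the file-hunting guidance above, as an added example that is not code from the article or from SAP: a Python sweep that walks the three directories the article names under a caller-supplied NetWeaver root, records size, modification time and SHA-256 for every .jsp, .java and .class file it finds, and flags names that match the webshell names cited in public reporting. The directory layout under the root and the sample tree it builds are assumptions; the tree is constructed in a temporary directory so the script runs offline.

```python
"""Sweep SAP NetWeaver web directories for dropped JSP, Java and class files.

Added example, not code from the article or from SAP. The layout of the
watched directories under the NetWeaver root is an assumption.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Directories named in the article, relative to the NetWeaver root (assumed layout).
WATCHED_DIRS = ("irj/root", "irj/work", "irj/work/sync")
SUSPICIOUS_EXT = (".jsp", ".java", ".class")
# Webshell filenames cited in the article; any other matching file is still reported.
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp", "rrx.jsp", "dyceorp.jsp"}


def sha256_of(path):
    """Hash the file in chunks so a large dropped file is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(sap_root):
    """Return one finding per suspicious file under the watched directories."""
    findings, seen = [], set()
    for rel in WATCHED_DIRS:
        base = os.path.join(sap_root, rel)
        if not os.path.isdir(base):
            continue
        for dirpath, _, filenames in os.walk(base):
            for name in filenames:
                full = os.path.join(dirpath, name)
                # irj/work/sync sits inside irj/work, so skip paths already visited
                if full in seen or not name.lower().endswith(SUSPICIOUS_EXT):
                    continue
                seen.add(full)
                st = os.stat(full)
                findings.append({
                    "path": os.path.relpath(full, sap_root),
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                    "sha256": sha256_of(full),
                    "known_webshell_name": name.lower() in KNOWN_WEBSHELLS,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Construct a throwaway directory tree for demonstration (constructed data)."""
    root = tempfile.mkdtemp(prefix="sap-sample-")
    samples = {
        "irj/root/helper.jsp": b"constructed sample content",    # name cited in reporting
        "irj/work/sync/x7q2.jsp": b"constructed sample content", # random-looking name
        "irj/work/app.properties": b"key=value",                 # not a watched extension
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in sweep(build_sample_tree()):
        flag = "KNOWN NAME" if finding["known_webshell_name"] else "review"
        print(f"{flag:10} {finding['path']} {finding['sha256'][:16]} {finding['mtime']}")
```

Every matching file is reported, not only the known names, because the article notes that many webshell filenames are randomly generated; the hash and timestamp give the responder something to compare against a known-good deployment or a file-integrity baseline.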

| Vulnerability | Type | Severity | Patch | Key risk |
|---|---|---|---|---|
| CVE-2025-31324 | Missing authorization / malicious file upload | CVSS 10.0 | Security Note 3594142 | Unauthenticated upload of executable files |
| CVE-2025-42999 | Insecure deserialization | CVSS 9.1 | Security Note 3604119 | Deserialization-based compromise when malicious content is processed |

The affected component is not installed by default, but it is widely present in SAP Java environments because Visual Composer has long been used to build business application components. Researchers have estimated that Visual Composer may be present in 50% to 70% of SAP Java systems worldwide. Separately, internet exposure scans after disclosure found hundreds of vulnerable public-facing instances, including a snapshot of 427 vulnerable systems on April 28.

The risk is unusually high because SAP systems often sit close to core business processes: finance, procurement, identity data, supply-chain workflows and sensitive operational records. A compromised NetWeaver server can become more than a single-system breach; it can provide a foothold for credential theft, lateral movement, data manipulation or ransomware staging.

The threat activity also does not appear limited to one actor. Incident reporting described multiple waves: an initial zero-day campaign, opportunistic follow-on attacks against still-vulnerable servers, and abuse of webshells already planted by earlier intruders. Some activity showed ransomware or initial-access-broker-style tradecraft, including post-exploitation tooling and attempts to reuse existing access.

For organizations running affected SAP NetWeaver systems, patching only the April flaw is no longer enough. SAP customers need to apply both Security Note 3594142 and Security Note 3604119, then conduct compromise assessment before assuming systems are clean. Webshells and malicious files can remain active even after the vulnerable upload path has been closed.

Immediate defensive priorities include restricting access to /developmentserver/metadatauploader, blocking unauthenticated public access through firewall rules or SAP Web Dispatcher, limiting internal access to authorized administrators, centralizing SAP NetWeaver logs, and reviewing suspicious POST uploads followed by GET requests to web-accessible SAP paths.
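The last item above, reviewing uploader POSTs followed by requests to web-accessible SAP paths, can be turned into a simple log correlation. The following is an added example, not code from the article or from SAP: it parses a constructed combined-style access log (SAP's own ICM log layout differs, so the regex is an assumption to adapt to the real log source), lists every request to the Metadata Uploader endpoint for access review, and pairs each POST to that endpoint with any later request to a .jsp under /irj/ inside a time window.

```python
"""Correlate Metadata Uploader POSTs with later requests to JSP files under /irj/.

Added example, not code from the article or from SAP. The log format and the
sample lines are constructed; the 24-hour window is an assumed tuning value.
"""
import re
from datetime import datetime, timedelta

UPLOADER = "/developmentserver/metadatauploader"
WINDOW = timedelta(hours=24)

# Combined-style access log (constructed format, not SAP's ICM layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200
203.0.113.5 - - [24/Apr/2025:09:12:07 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200
198.51.100.9 - - [24/Apr/2025:09:14:30 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200
192.0.2.77 - - [24/Apr/2025:11:00:00 +0000] "GET /irj/portal HTTP/1.1" 200
"""


def parse(text):
    """Parse log lines into events; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0].lower()  # drop query string
        e["status"] = int(e["status"])
        events.append(e)
    return events


def uploader_requests(events):
    """Every request to the uploader endpoint, regardless of method or status."""
    return [e for e in events if e["path"] == UPLOADER]


def find_chains(events):
    """Return (upload_event, jsp_event) pairs: a POST to the uploader followed
    within WINDOW by any request for a .jsp under /irj/, from any source IP."""
    uploads = [e for e in events if e["method"] == "POST" and e["path"] == UPLOADER]
    chains = []
    for up in uploads:
        for e in events:
            if (e["path"].startswith("/irj/") and e["path"].endswith(".jsp")
                    and up["ts"] <= e["ts"] <= up["ts"] + WINDOW):
                chains.append((up, e))
    return chains


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in uploader_requests(evs):
        print(f"uploader access: {e['ip']} {e['method']} {e['ts'].isoformat()} status={e['status']}")
    for up, jsp in find_chains(evs):
        print(f"possible upload-then-invoke: {up['ip']} POST at {up['ts'].isoformat()} "
              f"-> {jsp['ip']} {jsp['method']} {jsp['path']} at {jsp['ts'].isoformat()}")
```

The chain check deliberately does not require the same source IP for the upload and the follow-on request, since the article describes later waves reusing webshells planted by earlier intruders; a match only says the sequence is worth a closer look, and the `uploader_requests` list is the input for deciding whether any source other than authorized administrators reached the endpoint at all.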

Organizations that do not use Visual Composer should disable or remove the component where feasible. Those that cannot patch immediately should implement vendor-supported mitigations, but temporary workarounds should not be treated as a substitute for the May security update.

The broader lesson is clear: the second patch closed residual risk in a vulnerability chain already being used against high-value enterprise systems. For SAP defenders, the job is now bigger than applying updates. They must assume exposure may have preceded disclosure, hunt for compromise dating back to at least March, and treat January activity as an early warning that attackers were testing the path long before the full chain became public.
