A newly discovered exploit for SAP NetWeaver targets two patched vulnerabilities, CVE-2025-31324 and CVE-2025-42999, allowing attackers to bypass authentication and execute code remotely. Threat actors have used these flaws since at least March 2025, before they were patched. Various ransomware and espionage groups have weaponized the vulnerabilities against critical infrastructure. The exploit permits unauthorized access to SAP systems, enabling arbitrary command execution and potentially complete system takeover, which endangers sensitive data and processes.
The existence of the exploit was first reported last week by vx-underground, which said it was released by Scattered Lapsus$ Hunters, a new fluid alliance formed by Scattered Spider and ShinyHunters.
Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws, along with several China-nexus espionage crews targeting critical infrastructure networks.
These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP system, including the upload of arbitrary files, leading to remote code execution and complete takeover.
The exploit can be used not only to deploy web shells, but also for living-off-the-land attacks that execute operating system commands directly with SAP administrator privileges.