Particle.news

Public Exploit Chains SAP NetWeaver Bugs for Unauthenticated RCE With Admin Privileges

Onapsis reports the released code abuses CVE-2025-31324 plus CVE-2025-42999 to execute commands, featuring a deserialization gadget that attackers could repurpose.

Overview

  • Onapsis analyzed the circulating exploit and confirmed it enables remote command execution on SAP NetWeaver without authentication through a two-CVE chain.
  • The published deserialization gadget raises the risk of reuse against other recently patched SAP deserialization flaws, expanding the potential attack paths.
  • Shadowserver observed more than 50 internet-exposed NetWeaver systems still vulnerable as of August 18, down from roughly 400 in late April.
  • Threat actors have previously used these bugs for web-shell deployment and living-off-the-land techniques with SAP administrator privileges.
  • SAP issued fixes in April and May after real-world exploitation began earlier, and vendors now urge immediate patching, restricted internet exposure, and active monitoring.