Overview
- Exploit code, posted via vx-underground and traced to a Telegram release attributed to actors linked to Scattered Spider and ShinyHunters, chains CVE-2025-31324 with CVE-2025-42999.
- The attack uses the Visual Composer metadata uploader to bypass authentication and then abuses insecure deserialization to run commands as the SAP administrator, supporting web shells and living‑off‑the‑land actions.
- SAP addressed the bugs in April and May 2025 (Security Notes 3594142 and 3604119), and CISA has listed the issue in its Known Exploited Vulnerabilities catalog after in‑the‑wild use by ransomware groups and China‑nexus espionage actors.
- Onapsis warns the released deserialization gadget can be repurposed against other SAP deserialization flaws fixed in July, expanding potential attack paths until those updates are applied.
- Defenders have new support with open‑source scanners from Onapsis and Mandiant, while Shadowserver still sees 50‑plus internet‑facing NetWeaver servers vulnerable as of August 18, underscoring the need to patch and restrict exposure, including the /developmentserver/metadatauploader endpoint.
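
As a complement to patching and scanning, the following added example (not taken from the original report or from the Onapsis or Mandiant tools) reviews web access logs for requests to the `/developmentserver/metadatauploader` endpoint. It assumes Common/Combined Log Format; the sample lines, addresses and status codes are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the overview above.
ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: Common/Combined Log Format. Adjust the pattern to whatever your
# NetWeaver front end, reverse proxy or WAF actually writes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def normalise_path(target):
    """Decode percent-encoding, drop query/path parameters, collapse slashes,
    lowercase. Deliberately broad: over-matching is cheap during triage."""
    path = unquote(target).split("?", 1)[0].split(";", 1)[0]
    return re.sub(r"/{2,}", "/", path).lower()

def find_uploader_hits(lines):
    """Return {source_ip: [event, ...]} for requests that reach ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise_path(m["target"]) != ENDPOINT:
            continue
        hits[m["ip"]].append({
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            # A POST answered with 2xx is the case to triage first.
            "priority": m["method"] == "POST" and m["status"].startswith("2"),
        })
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Aug/2025:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Aug/2025:09:15:40 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 405 0',
    '203.0.113.9 - - [18/Aug/2025:09:15:44 +0000] "POST /developmentserver/metadatauploader?q=constructed HTTP/1.1" 200 31',
    '192.0.2.55 - - [18/Aug/2025:10:02:11 +0000] "POST /DevelopmentServer//metadatauploader HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, events in find_uploader_hits(SAMPLE_LOG).items():
        for e in events:
            flag = "PRIORITY" if e["priority"] else "review"
            print(f'{flag:8} {ip:15} {e["time"]} {e["method"]} {e["status"]}')
```

Any hit from an untrusted source is worth reviewing even when the response was an error, since it shows the endpoint is reachable from that network.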