Enterprise software maker SAP on Tuesday released 16 new and two updated security notes as part of its May 2025 Security Patch Day. Two of the notes address critical vulnerabilities in NetWeaver exploited in the wild.
The most severe is an update to a note released on April 24 to address CVE-2025-31324 (CVSS score of 10/10), a critical-severity bug in NetWeaver’s Visual Composer development server component that has been exploited in the wild since January for remote code execution (RCE).
Hundreds of NetWeaver servers have been compromised through CVE-2025-31324’s exploitation, and application security firm Onapsis warns that opportunistic attackers are looking to leverage webshells deployed during the initial zero-day attacks.
The company is seeing “significant activity from attackers who are using public information to trigger exploitation and abuse of webshells placed by the original attackers, who have currently gone dark.”
Analysis of the attacks has led to the discovery of another critical defect in NetWeaver’s Visual Composer. Tracked as CVE-2025-42999 (CVSS score of 9.1) and described as an insecure deserialization issue, the vulnerability was resolved with the second critical security note released on SAP’s May 2025 Security Patch Day.
“The attacks we observed during March 2025 (that started with basic probes back in January 2025) are actually abusing both the lack of authentication (CVE-2025-31324) as well as the insecure deserialization (CVE-2025-42999). This combination allowed attackers to execute arbitrary commands remotely and without any type of privileges on the system,” Onapsis CTO Juan Pablo Perez-Etchegoyen told SecurityWeek.
“Organizations that effectively and timely applied SAP Security Note 3594142 (Patch for CVE-2025-31324) mitigated significantly the risk of exploitation. Organizations should now apply SAP Security Note 3604119 to remove any residual risk on the SAP Applications. This residual risk is basically a deserialization vulnerability only exploitable by users with VisualComposerUser role on the SAP target system,” Perez-Etchegoyen said.
Since the April 2025 security notes were rolled out, SAP also updated two critical notes addressing code injection issues in S/4HANA (CVE-2025-27429) and Landscape Transformation (CVE-2025-31330). Despite the different CVEs, the notes resolve the same flaw.
On Tuesday, SAP released four new and one updated security notes that address high-severity bugs in Supplier Relationship Management, S/4HANA Cloud Private Edition or On Premise, Business Objects Business Intelligence Platform, Landscape Transformation, and PDCE.
The software maker also released 11 new security notes that resolve medium-severity vulnerabilities in various products.
SAP customers are advised to apply the security notes as soon as possible, especially given the ongoing exploitation of CVE-2025-31324.
*Updated with comment from Onapsis.
