August 20, 2025 By Pierluigi Paganini
Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft.
A new exploit chaining two vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, in SAP NetWeaver exposes organizations to the risk of system compromise and data theft.
CVE-2025-31324 (CVSS score: 10.0) is a missing authorization check in NetWeaver’s Visual Composer development server. The flaw in NetWeaver Visual Composer Metadata Uploader stems from a lack of proper authorization checks. This means that unauthenticated attackers, those without valid credentials, can exploit it to upload malicious executable files to the system.
Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw with the release of the April 2025 Security Patch Day.
CVE-2025-42999 (CVSS score: 9.1) is an insecure deserialization in SAP NetWeaver’s Visual Composer development server. The flaw allows privileged users to upload malicious content, risking system confidentiality, integrity, and availability. U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog in May 2025.
