Blog - SAP Cybersecurity Threats 2025: CVE-2025-31324 & CVE-2025-42999 Exploits, Mitigation & Best Practices

Strengthening SAP Cybersecurity, Navigating Recent Threats and Ensuring Resilience

author

Steve Hudson

Date

June 27 2025

SAP systems have recently come under significant scrutiny due to critical vulnerabilities that have been actively exploited. As more companies rely on SAP for their core business processes, understanding and mitigating these threats is paramount.

Understanding the Recent SAP Vulnerabilities

In April 2025, SAP disclosed a critical vulnerability identified as CVE-2025-31324, affecting the NetWeaver Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to full system compromise. With a CVSS score of 10.0, it represents the highest level of criticality.

Further analysis uncovered a related vulnerability, CVE-2025-42999, a deserialisation flaw in the same component. Attackers have been observed chaining these two exploits to escalate privileges and maintain persistent access in compromised SAP systems.

More technical insight can be found in Onapsis's detailed threat advisory.

Active Exploitation and Threat Landscape

The exploitation of these SAP vulnerabilities has not remained theoretical - it is happening in the wild. Threat actors, including ransomware groups like BianLian and RansomEXX, have weaponised these flaws to deploy web shells and execute malicious payloads within enterprise systems.

This campaign was significant enough for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, signaling to organisations worldwide that immediate remediation is non-negotiable.

For a deeper dive into the threat actors involved, refer to The Hacker News coverage from May 2025.

SAP's Response and Mitigation Measures

In response to the active exploitation, SAP issued Security Note 3604119 on May 13, 2025, which fully patches CVE-2025-42999 and neutralises the risk associated with CVE-2025-31324. SAP recommends all customers apply this patch, even if previous mitigations have been implemented.

Additionally, SAP’s April 2025 Patch Day included 18 new Security Notes, emphasising SAP’s ongoing commitment to securing its software stack.

Recommendations for SAP Customers

To safeguard SAP environments from current and future cyber threats, we recommend the following steps:

Apply Patches Immediately
Download and apply SAP Note 3604119 without delay.
Audit Your Systems
Perform forensic checks and baseline comparisons to identify indicators of compromise. Tools like Onapsis Assess can assist with vulnerability scans.
Enforce Least Privilege Access
Review and harden access rights in SAP roles and profiles, limiting access to only what users need.
Enhance Monitoring and Alerting
Use SAP Enterprise Threat Detection or third-party SIEM tools integrated with SAP logs for anomaly detection.
Educate End Users and Admins
Conduct regular cybersecurity training, especially around phishing awareness and system hygiene.

The recent surge in SAP-specific threats highlights a crucial reality - business-critical applications are no longer under the radar of cyber attackers, they are a prime target. Addressing vulnerabilities like CVE-2025-31324 and CVE-2025-42999 swiftly and proactively is essential.

At Maslow, we understand that cybersecurity in SAP is a necessity. If you need SAP professionals who are security-savvy or guidance on navigating these changes, get in touch today.