
SAP NetWeaver Visual Composer exploit chain for auth bypass and RCE (multiple vulnerabilities)

Vulnerability
Happening score: 53
1 unique source, 1 article

Summary

SAP NetWeaver Visual Composer is facing an actively exploited chain of CVE-2025-31324 and CVE-2025-42999 that enables authentication bypass and remote code execution. The flaw set lets an unauthenticated attacker upload files, run commands, and potentially take over SAP systems and business data. SAP patched the vulnerabilities in April and May 2025, but abuse has been reported since at least March. Public exploitation has widened the risk for exposed SAP deployments.

Related Happenings

Oracle E-Business Suite Cl0p multi-vulnerability exploitation wave

Exploitation Wave
First: 07.10.2025 08:12 Last: 07.10.2025 08:12 Sources 1

About this happening: **Oracle E-Business Suite (EBS)** exploitation tied to **Clop / FIN11** has been ongoing since at least **August 9, 2025**, with **CVE-2025-61882** used for **unauthenticated remo...

Latest development: 03.12.2025 15:23

University of Phoenix disclosed a data breach on its website and through a Phoenix Education Partners 8-K after detecting unauthorized activity on November 21; the school said Clop-linked attackers exploited Oracle E-Business Suite CVE-2025-61882 to steal names, contact information, dates of birth, social security numbers, and bank account and routing numbers tied to current and former students, employees, faculty, and suppliers.

Timeline

  1. 19.08.2025 16:00 1 article · 9mo ago

    Public exploit disclosure for chained SAP NetWeaver flaws

    Initial Disclosure

    A public exploit chains CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver's Visual Composer development server to bypass authentication, upload a malicious payload, unpack it, and execute commands with elevated SAP administrator privileges. The chain can enable remote code execution, arbitrary file upload, web shells, living-off-the-land activity, and takeover of SAP systems and business data, and it has been observed in use by ransomware and extortion groups including Qilin, BianLian, and RansomExx as well as China-nexus espionage crews. SAP had already patched the flaws in April and May 2025, but abuse was reported as zero-days since at least March.
