SAP Users Face Urgent Security Threat: VX Underground Publishes Exploit Chain
A serious security threat has emerged for SAP users. VX Underground, a notorious hacking group, has published an exploit for the critical vulnerability CVE-2025-31324 in a Telegram group. Combined with a second vulnerability, CVE-2025-42999, this exploit can lead to full compromise of targeted SAP environments and data theft.
The exploit chain consists of two vulnerabilities. The first, CVE-2025-31324, is a missing authorization check in SAP NetWeaver's Visual Composer development server that allows unauthenticated attackers to upload and execute malicious files. The second, CVE-2025-42999, is an insecure deserialization issue that puts system confidentiality, integrity, and availability at risk. Together, they enable authentication bypass and remote code execution (RCE).
Onapsis, in collaboration with Mandiant, has published open-source scanners for these vulnerabilities on its GitHub page. These scanners can help organizations detect and mitigate the risks posed by these exploits. It's crucial to note that the exploit published by VX Underground leaves no artifacts on the system, making detection even more challenging.
SAP addressed CVE-2025-31324 in the April 2025 Security Patch Day, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-42999 to its Known Exploited Vulnerabilities catalog in May 2025. Many organizations and managed-service providers have already closed these critical vulnerabilities in their environments following the September 2025 SAP Patchday.
Given the severity of these vulnerabilities and the availability of exploits, it is imperative for SAP users to apply the relevant patches urgently. Failing to do so could result in unauthorized access, data theft, and significant disruption to operations. Organizations are advised to use the open-source scanners provided by Onapsis and Mandiant to ensure their systems are secure.