SAP has released a new wave of security updates addressing fresh vulnerabilities in its NetWeaver platform. Two of them are rated critical, and one is already under active exploitation.
In its May 2025 Security Patch Day rollout, SAP published 16 new and two revised security notes. The spotlight falls on a previously disclosed vulnerability, CVE-2025-31324, which has a CVSS score of 10/10. This critical flaw affects the Visual Composer component in SAP NetWeaver and has reportedly been exploited in the wild since January for remote code execution (RCE).
According to application security firm Onapsis, the vulnerability has already led to the compromise of hundreds of NetWeaver servers, with attackers deploying persistent webshells during the early phase of exploitation. These attackers have since gone quiet—but the risk remains. Opportunistic threat actors are now taking advantage of publicly available exploit information to abuse leftover webshells on vulnerable systems.
This active threat prompted further investigation, which uncovered another critical flaw, now tracked as CVE-2025-42999 with a CVSS score of 9.1. This newly discovered issue, also in Visual Composer, is an insecure deserialization vulnerability: untrusted serialized data is processed in a way that can allow attackers to run unauthorized code. SAP responded by issuing a separate critical patch note to contain this emerging threat.
Onapsis commended SAP’s rapid action, noting the company’s swift response in enhancing protections following the discovery of the additional exploit vector.
In addition to the NetWeaver flaws, SAP updated two previously released critical security notes tied to code injection vulnerabilities in S/4HANA (CVE-2025-27429) and Landscape Transformation (CVE-2025-31330). Although listed under separate CVEs, both notes address the same underlying weakness, requiring immediate attention.
SAP also issued five more high-severity patches, impacting systems such as:
- Supplier Relationship Management
- S/4HANA Cloud (Private Edition and On-Premise)
- Business Objects Business Intelligence Platform
- PDCE
- Landscape Transformation
Finally, 11 additional medium-severity security notes were released, covering a variety of SAP products.
Given the active exploitation of CVE-2025-31324, all SAP customers are strongly urged to apply these patches without delay. The risk of further attacks leveraging both existing and newly discovered vulnerabilities remains high, especially as attackers evolve their methods based on public disclosures.