Public Exploit Combines Two Critical SAP Vulnerabilities, Leaving Unpatched Systems Open to Remote Code Execution

Date: Aug 19, 2025
Category: Vulnerability / Cyber Espionage

A new exploit has emerged that leverages two critical, now-patched vulnerabilities in SAP NetWeaver, putting organizations at significant risk of system compromise and data theft. This exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and enable remote code execution, according to SAP security firm Onapsis.

  • CVE-2025-31324 (CVSS score: 10.0) – Lacks authorization checks in SAP NetWeaver’s Visual Composer development server
  • CVE-2025-42999 (CVSS score: 9.1) – Vulnerability due to insecure deserialization in the same server

These vulnerabilities were patched by SAP in April and May 2025, but not before they were exploited as zero-days by threat actors as early as March. Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been seen exploiting these flaws, along with several espionage groups linked to China targeting critical infrastructures.

Public Exploit for Chained SAP Vulnerabilities Poses Risk of Remote Code Execution

August 19, 2025

A concerning new exploit has come to light that leverages two critical security vulnerabilities in SAP NetWeaver, introducing significant risks for organizations that have yet to apply patches. This exploit combines CVE-2025-31324 and CVE-2025-42999, enabling attackers to bypass authentication measures and execute code remotely, according to findings from SAP security firm Onapsis.

CVE-2025-31324, which has received a maximum CVSS score of 10.0, pertains to an inadequate authorization check within SAP NetWeaver’s Visual Composer development server. In contrast, CVE-2025-42999, rated at 9.1, involves insecure deserialization vulnerabilities within the same development environment. While SAP addressed these weaknesses in April and May 2025, evidence indicates that threat actors had already exploited them as zero-day vulnerabilities since at least March.

Targeting both corporate and critical infrastructure systems, multiple ransomware and data extortion groups—including Qilin, BianLian, and RansomExx—have been seen actively weaponizing these flaws. Additionally, several espionage groups linked to China have reportedly utilized these vulnerabilities to conduct targeted attacks, further complicating the security landscape.

Organizations relying on SAP NetWeaver should take immediate action to apply the security updates to safeguard against potential exploitation. In the context of the MITRE ATT&CK framework, attackers employing these vulnerabilities could have initiated the compromise through tactics such as initial access and exploitation of a public-facing application. The techniques used for persistence and privilege escalation may also come into play as attackers traverse the environment following initial compromise.

With the increasing sophistication of cyber threats, it is imperative for business owners to remain vigilant and informed about such vulnerabilities. The evolving landscape of cyber risks demands a proactive approach to cybersecurity, ensuring systems are fortified against both known and emerging threats. It is essential to prioritize timely patching practices and implement robust security measures to mitigate the impacts of potential exploits.

Source link

Related Posts

New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Techniques

August 19, 2025
Malware / Cyber Attack

Financial institutions, particularly trading and brokerage firms, are currently facing a new threat from a remote access trojan known as GodRAT. According to Kaspersky researcher Saurabh Sharma, this malware is spread through malicious .SCR (screen saver) files disguised as financial documents sent via Skype Messenger. Active as recently as August 12, 2025, the attacks utilize steganography to hide shellcode within image files, enabling the download of the malware from a command-and-control (C2) server. Since September 9, 2024, these screen saver artifacts have targeted regions including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Based on Gh0st RAT, GodRAT employs a plugin-based architecture to enhance its capabilities for gathering sensitive information and delivering additional payloads like AsyncRAT.

Exploitation of Apache ActiveMQ Vulnerability Leads to DripDropper Malware Deployment on Cloud Linux Systems

August 19, 2025
Linux / Malware

Threat actors are leveraging a nearly two-year-old security vulnerability in Apache ActiveMQ to gain persistent access to cloud-based Linux systems and install the DripDropper malware. In an unexpected turn, these unidentified attackers have been seen patching the exploited vulnerability after gaining access, likely to prevent further exploitation by others and to evade detection, according to a report from Red Canary shared with The Hacker News. “Follow-on command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels, allowing for covert long-term control,” researchers Christina Johns, Chris Brook, and Tyler Edmonds noted.

The attacks exploit a critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that enables the execution of arbitrary shell commands. This issue was addressed in late October 2023 but has since faced significant exploitation.

FBI Alerts on FSB-Linked Hackers Targeting Unpatched Cisco Devices for Cyber Espionage

Date: Aug 20, 2025 | Cyber Espionage / Vulnerability

A state-sponsored Russian hacking group, identified as Static Tundra, is exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to targeted networks. Cisco Talos revealed that these attacks are primarily aimed at telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Potential victims are selected based on their “strategic interest” to Russia, with recent targets focusing on Ukraine and its allies amid the ongoing Russo-Ukrainian conflict. The exploited vulnerability, CVE-2018-0171 (CVSS score: 9.8), is a critical flaw in the Smart Install feature of Cisco software, which may allow unauthorized remote attackers to initiate denial-of-service (DoS) attacks or execute arbitrary code.

🔍 Webinar: Uncover and Manage Hidden AI Agents in Your Enterprise Before Hackers Do

📅 Aug 20, 2025
Category: Artificial Intelligence / Enterprise Security

Do you know how many AI agents are currently operating within your organization? If you’re uncertain, you’re not alone—and that’s a significant concern. Every day, AI agents are being deployed across various industries, often initiated by business units eager for quick results, rather than just by IT. This creates a scenario where agents operate unnoticed—without proper identification, ownership, or activity logs. Essentially, they remain invisible.

👉 Register now for “Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier” to learn how to proactively address this escalating issue.

The Hidden Dangers of Shadow AI Agents

Shadow agents aren’t merely benign assistants. If compromised, they can navigate through systems effortlessly, accessing sensitive data or elevating privileges at machine speed. Unlike humans, they are relentless, working around the clock without hesitation.

The reality is that most security programs weren’t designed to handle this challenge. They focus on managing people, not autonomous software agents. As the use of AI continues to rise, these circumstances pose a significant threat.