H-ISAC TLP White Threat Bulletin: Publicly Available Exploit Code Chains Critical SAP NetWeaver Flaws

August 19, 2025

On August 15, 2025, exploit code was released that chains two critical vulnerabilities in SAP NetWeaver’s Visual Composer to bypass authentication and achieve remote code execution.

The flaws, tracked as CVE-2025-31324 (CVSS score of 10), a missing authorization check, and CVE-2025-42999 (CVSS score of 9.1), an insecure deserialization bug, were addressed in April and May, respectively.

Health-ISAC provides this information to increase situational awareness, encourage users to assess their exposure to these vulnerabilities, and apply patches to affected instances.

SAP addressed the vulnerabilities in April and May 2025, following reports from security researchers who observed active exploitation. The first vulnerability, CVE-2025-31324, is a missing authorization check flaw that allows an unauthenticated attacker to upload arbitrary files to a vulnerable server. The second vulnerability, CVE-2025-42999, is an insecure deserialization flaw that can be exploited to achieve remote code execution.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272