
[Figure: Vulnerable Instance Count (Shadowserver)]
The attacks targeting SAP NetWeaver servers, initially believed to stem from the exploitation of a single zero-day vulnerability, have proven to be significantly more severe than first assumed. Researchers have discovered that threat actors leveraged not one but two critical vulnerabilities, enabling authentication bypass and remote code execution on servers without requiring any privileges. These flaws have been cataloged as CVE-2025-31324 and CVE-2025-42999. The former was addressed in April, while the latter received a patch on May 12.
CVE-2025-31324 permits unauthorized file uploads within SAP Visual Composer, creating an avenue for deploying web shells. The second vulnerability, CVE-2025-42999, is rooted in insecure deserialization, allowing attackers to execute commands under the privileges of users with the VisualComposerUser role. Although SAP has not officially confirmed exploitation of the latter, experts at Onapsis have observed coordinated attacks utilizing both vulnerabilities in tandem since January 2025.
These attacks were far from theoretical. According to ReliaQuest, compromised servers were used to deploy JSP-based web shells and host the Brute Ratel toolkit, commonly used in red teaming operations. Similar findings were reported by the watchTowr and Onapsis teams, who documented the presence of backdoors on publicly exposed, unprotected NetWeaver instances.
The situation escalated following revelations from Forescout and Vedere Labs, who attributed a portion of the campaign to a Chinese cyber-espionage group designated Chaya_004. Their findings indicate that the group targeted major multinational corporations, exploiting the vulnerabilities to stealthily infiltrate IT infrastructures.
As of late April, the number of exposed servers was estimated at 1,284, with 474 already under adversarial control. This was reported by the CTO of Onyphe, who noted that no fewer than 20 companies listed in the Fortune 500 and Global 500 were among the victims. By mid-May, data from the Shadowserver Foundation indicated that over 2,040 SAP NetWeaver servers remained accessible online and vulnerable to attack.
Onapsis experts emphasize that the chained exploitation of these two bugs enables complete authentication bypass and remote code execution—even on partially patched systems. This exploit chain is particularly dangerous for environments where the VisualComposerUser role is assigned by default or inadequately managed.
SAP has issued patches and urges customers to promptly apply Security Notes 3594142 and 3604119. As additional precautions, organizations are advised to temporarily disable the Visual Composer component, restrict access to metadata upload services, and monitor servers closely for suspicious activity.
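As an added illustration of the monitoring and access-restriction advice above (example code written for this page, not code from the article, SAP, Onapsis or any other team it cites), the following Python script scans web-server access-log lines in front of a NetWeaver Java instance for two signals: POST requests to the Visual Composer metadata upload servlet, and subsequent requests for .jsp resources in the portal's servlet tree, which is where an uploaded web shell would be served from. The servlet path /developmentserver/metadatauploader and the /irj/servlet_jsp/ prefix are assumptions about the deployment, not values taken from the article; adjust them to the paths your own instance exposes. The log lines are constructed samples, not real traffic.

```python
import re

# Assumed (not from the article): the Visual Composer metadata upload servlet
# path and the prefix under which portal JSP files are served. Adjust both to
# match what your NetWeaver Java instance actually exposes.
METADATA_UPLOAD_PATH = "/developmentserver/metadatauploader"
JSP_SERVE_PREFIX = "/irj/servlet_jsp/"

# Constructed sample lines in Common Log Format, modelled on what a reverse
# proxy or web dispatcher in front of NetWeaver might record. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.23 - - [10/May/2025:09:14:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 89
198.51.100.23 - - [10/May/2025:09:14:47 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp?a=1 HTTP/1.1" 200 432
192.0.2.55 - - [10/May/2025:09:20:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
203.0.113.7 - - [10/May/2025:09:31:05 +0000] "GET /irj/portal/favorites HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(text, upload_path=METADATA_UPLOAD_PATH, jsp_prefix=JSP_SERVE_PREFIX):
    """Return a list of findings for the two signals, in log order.

    metadata_upload_post: any POST to the upload servlet. A 2xx/3xx answer on an
        instance where the servlet should be disabled or restricted is the
        strongest indicator ("high"); a 4xx shows the restriction working ("info").
    jsp_request / jsp_request_after_upload: a request for a .jsp file under the
        portal servlet tree. When the same client address previously had an
        accepted upload, the two are correlated and rated "critical".
    """
    findings = []
    accepted_uploaders = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, method, status = rec["ip"], rec["path"].lower(), rec["method"], rec["status"]
        if method == "POST" and path == upload_path.lower():
            accepted = status < 400
            findings.append({
                "ip": ip, "ts": rec["ts"], "signal": "metadata_upload_post",
                "severity": "high" if accepted else "info", "line": line,
            })
            if accepted:
                accepted_uploaders.add(ip)
        elif path.startswith(jsp_prefix.lower()) and path.endswith(".jsp"):
            correlated = ip in accepted_uploaders
            findings.append({
                "ip": ip, "ts": rec["ts"],
                "signal": "jsp_request_after_upload" if correlated else "jsp_request",
                "severity": "critical" if correlated else "medium", "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity']:>8}] {f['ts']} {f['ip']} {f['signal']}")
```

Run against the constructed sample, the scanner reports the accepted upload from 198.51.100.23 as "high", escalates that client's JSP request three seconds later to "critical", and records the rejected upload from 192.0.2.55 as "info", which is the outcome the access-restriction advice is meant to produce. A request for a .jsp file from an address with no prior upload is still reported at "medium", since the upload may have happened before the retained log window. Feed the script your real log file in place of SAMPLE_LOG, and treat any "high" or "critical" line on a system where Visual Composer is meant to be disabled as a trigger for the incident-response steps the vendors describe.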
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog, mandating all federal agencies to remediate the flaw by May 20 under Binding Operational Directive BOD 22-01. CISA’s advisory underscores that such vulnerabilities often serve as initial access vectors for attackers and pose a serious threat to the integrity of critical infrastructure.