SAP npm Packages Targeted with Malware ‘Supply Chain Risk’-Patch Now
Supply chain attack
Continue ReadingSAP
Vulnerable ABAP Program Patched by SAP in April Security Updates
SAP security patch day saw the release of 19 new security notes on April 14th. There is 1 update to previously released security note. The update addresses several severe flaws, including critical SQL injection, denial of service (DoS) and code injection vulnerabilities.
Vulnerability Details:
[CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse is most critical with CVSS score 9.9. This flaw may allow attackers to run arbitrary database queries, potentially compromising sensitive information and system integrity.
SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, is missing authorization check in SAP ERP and SAP S/4 HANA. With a CVSS score of 7.1, this vulnerability could enable unauthorized users to perform restricted actions in both private cloud and on‑premise deployments
Further it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.
[CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform, the criticality is medium
[CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA, medium criticality
Key inputs:
Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure.
The vulnerabilities may trigger denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content or code execution in the victim’s browser.
Patching:
The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application and S4CORE.
The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.
Refer to
Dec 2025 Security Advisory SAP Security Patch Released, Critical RCE Fixed & DoS Vulnerabilities
Conclusion: SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.
Sources: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html
Sources: https://www.securityweek.com/sap-patches-critical-abap-vulnerability/
SAP Dec 2025 Security Patch Released, Critical RCE Fixed & DoS Vulnerabilities
Critical and High severity flaws in SAP business software, includes remote code execution, code injection, DoS and other vulnerabilities
Continue Reading
Cyber Security News at a Glance; May 2025
For the month of May 2025 here are the Top News including Security Advisory & Blogs
Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit
A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)
The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.
Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
Microsoft addressed 83 vulnerabilities across its product suite. Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.
11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.
5 non-Microsoft CVEs included
78 Microsoft CVEs addressed
Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required
SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.
SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.
CISA is officially changing the way it disseminates online security updates and guidance.
CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.
Updates on May 13
Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.
“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”
Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk
A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.
Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required
Summary : SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.
SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.
| OEM | SAP |
| Severity | Critical |
| Date of Announcement | 2025-05-13 |
| No. of Vulnerabilities Patched | 16 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE).
This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.
These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Unauthenticated File Upload (RCE) | CVE-2025-31324 | SAP NetWeaver | Critical | 10.0 |
| Insecure Deserialization (RCE) | CVE-2025-42999 | SAP NetWeaver | Critical | 9.1 |
Technical Summary
Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.
CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.
These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-31324 | SAP NetWeaver Visual Composer | Unauthenticated file upload vulnerability in development server. | Remote Code Execution (RCE) without privileges |
| CVE-2025-42999 | SAP NetWeaver Visual Composer | Insecure deserialization in Visual Composer user-accessible function. | Remote Code Execution (RCE) without privileges |
Source: SAP
In addition to the actively exploited vulnerabilities, several other High Severity Vulnerabilities were also addressed:
- CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6)
- CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3)
- CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9)
- CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7)
- CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7)
Remediation:
- Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products.
General Recommendations:
- Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk.
- Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads.
- Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities.
Conclusion:
- The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
- The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised.
- In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments.
References:
Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild
As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.
Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild
The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.
Several cybersecurity companies have reported active exploitation in the wild.
Summary
| OEM | SAP |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-31324 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.
It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Missing Authorization in Metadata Uploader | CVE-2025-31324 | SAP | Critical | 10.0 |
Technical Summary
The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.
Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.
Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-31324 | SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) | Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. | Full system compromise including: – Remote Command Execution – Privilege Escalation – Data Exfiltration – Ransomware Deployment – Potential Espionage/Sabotage/Fraud |
Key Exploitation Details:
- Exploited Path: /developmentserver/metadatauploader
- Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names.
- Post-Exploitation Tools:
- Brute Ratel: Used for C2 operations, credential theft, privilege escalation.
- Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection.
Risk Factors:
- Systems where Visual Composer is enabled (even though it is not enabled by default).
- Systems exposed to the internet.
- Systems without custom security measures protecting the Metadata Uploader endpoint.
Remediation:
- Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles.
- Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules.
- Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface.
Recommendations:
- Conduct Threat Hunting:
Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories:
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
- Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity.
- Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability.
Conclusion:
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation.
References:
Recent Comments