SAP Vulnerability Actively Exploited by Ransomware Groups and Threat Actors

CVE-2025-31324, the identifier for the zero-day vulnerability in SAP NetWeaver, was officially added to the Known Exploited Vulnerabilities (KEV) catalog by the United States Cybersecurity and Infrastructure Security Agency (CISA) on April 29. CVE-2025-42999 was also added to the KEV catalog on May 15. Both CVEs address critical vulnerabilities in the Visual Composer framework in SAP NetWeaver Java.

The vulnerabilities were added to the catalog based on evidence of active exploitation by threat actors reported by security researchers. The evidence indicates that exploitation attempts began in February this year, and some organizations have observed successful exploitation since March. On May 8, Forescout reported exploitation attempts for CVE-2025-31324 originating from China. On May 18, ReliaQuest confirmed that the Russian ransomware group BianLian and another ransomware operator called RansomEXX were actively targeting the vulnerability. According to ReliaQuest, “The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses.”

SAP notes 3594142 and 3604119 and the supporting Knowledge Base Articles (KBAs) provide patches for supported versions of SAP NetWeaver Java. Manual instructions are provided in the notes for unsupported versions. Disabling the Visual Composer or the Development Server application is no longer the recommended solution. Instead, the components should be removed by following the instructions in Option 0 of KBA 3593336.

The Cybersecurity Extension for SAP detects SAP solutions vulnerable to CVE-2025-31324 and CVE-2025-42999. It also detects and alerts for attempted and successful exploitation of the vulnerabilities based on relevant signatures and indicators of compromise.
