SAP NetWeaver Critical RCE Vulnerability Under Mass Exploitation — Patch or Take Offline Now
- May 19

A critical remote code execution vulnerability in SAP NetWeaver is being actively mass-exploited across hundreds of internet-exposed systems, according to researchers at ReliaQuest and Mandiant. The flaw, tracked as CVE-2025-42999 with a CVSS score of 9.8, allows unauthenticated attackers to upload and execute arbitrary files through SAP's Visual Composer development server component. This is a maximum-severity vulnerability with a trivial exploitation path.
SAP NetWeaver is the integration and application platform underlying many enterprise-critical SAP systems including ERP, supply chain management, and financial applications. It is widely deployed across Fortune 500 companies, government agencies, defense contractors, and healthcare systems globally. The Visual Composer component affected by this vulnerability is enabled by default in many installations and is frequently exposed to the internet for developer access.
In the wild, attackers are uploading JSP web shells to compromised SAP servers, establishing persistent backdoor access. Researchers observed multiple threat actors operating simultaneously on the same compromised hosts, suggesting initial access brokers are selling footholds as fast as they can establish them. Some compromised servers showed evidence of three separate threat actors with overlapping access, each pursuing different objectives ranging from data theft to ransomware staging. CISA added CVE-2025-42999 to the Known Exploited Vulnerabilities catalog, mandating federal agency patching within 48 hours.
Every organization running SAP NetWeaver with Visual Composer enabled and internet-exposed is at immediate risk. This spans manufacturing, energy, financial services, logistics, and government sectors where SAP is the backbone of business operations.
Immediate actions: disable or firewall the SAP Visual Composer component if not in active use, apply SAP Security Note 3594142 immediately, scan all SAP NetWeaver systems for existing web shells using SAP's provided indicators of compromise, and review all recent file uploads and configuration changes in the Visual Composer path. If exploitation is suspected, isolate the affected system and engage incident response before patching, as patching an actively compromised system without full forensic review may destroy evidence.
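A small triage script for the scan-and-review step above, added here as an example that is not from the article, from SAP, or from the cited researchers. It walks a directory for `.jsp` files and flags those that match a known web-shell hash or contain command-execution patterns; the root directory, the age window and the IoC hash set are placeholders to fill in from SAP Security Note 3594142 and your own deployment.

```python
import hashlib
import re
import tempfile
import time
from pathlib import Path

# Heuristic patterns commonly found in JSP web shells (detection aid, not exhaustive).
SUSPICIOUS = re.compile(
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|request\.getParameter\([^)]*\).*exec",
    re.IGNORECASE,
)

# PLACEHOLDER: populate with the SHA-256 indicators published by SAP.
KNOWN_WEBSHELL_SHA256 = set()


def scan_jsp_uploads(root, max_age_hours=72, ioc_hashes=KNOWN_WEBSHELL_SHA256):
    """Return a list of findings for .jsp files under root.

    A file is reported when its hash matches an IoC or it contains an exec
    pattern; recent modification is recorded as supporting context only."""
    findings = []
    cutoff = time.time() - max_age_hours * 3600
    for path in Path(root).rglob("*.jsp"):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if digest in ioc_hashes:
            reasons.append("ioc-hash-match")
        if SUSPICIOUS.search(data):
            reasons.append("exec-pattern")
        if path.stat().st_mtime >= cutoff:
            reasons.append("recently-modified")
        # Recent modification alone is noise (deployments, patches); need a stronger signal.
        if reasons and reasons != ["recently-modified"]:
            findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return findings


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "visual_composer_root"  # PLACEHOLDER for the real servlet path
        root.mkdir()
        (root / "index.jsp").write_bytes(b"<html><%= new java.util.Date() %></html>")
        # Constructed, non-functional sample carrying a classic exec pattern.
        (root / "helper.jsp").write_bytes(
            b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
        )
        return scan_jsp_uploads(root)
```

Run the real scan against the Visual Composer path as read-only and preserve copies of any flagged file before remediation, since the article's incident-response guidance applies to the evidence as much as to the host.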
Mass exploitation of SAP NetWeaver represents attackers going directly after business-critical infrastructure — the systems that run payroll, manage supply chains, and control financial operations for the world's largest organizations.
Source: https://www.bleepingcomputer.com/news/security/sap-netweaver-servers-hacked-in-ongoing-attacks/
Such coordination implies a history of working together on previous successful hits. The focus on the back office https://youtu.be/QPrnUUEnmEc?si=EH8hbwaBRklWoQeN area suggests they have specific intelligence about where the largest sums of cash are held.