It Takes a Cyber Village – Public & Private Partnership Working Together to be More Secure

Threat briefing on Major SAP Zero Day… “SAP Typhoon”

Two zero-day vulnerabilities discovered in SAP Netweaver Visual Composer, with CVSS scores of 10.0 (the highest possible severity) and 9.1, are actively being exploited in the wild and allow full system compromise for organizations running SAP, sending a huge ripple effect across the cyber threat community. These vulnerabilities are identified as CVE-2025-31324 and CVE-2025-42999.

This is an immense zero-day that could rank as one of the most significant we’ve seen in recent years. Nearly every major enterprise runs SAP software as an essential part of their business operations, including some of our most essential critical infrastructure organizations.  

The cyber community has done an incredible job coming together around this, in a true example of public-private partnership at its finest. A huge credit to the Onapsis team, including Juan Perez-Etchegoyen and Mariano Nunez, Mandiant (part of Google Cloud) and Charles Carmakal, the EclecticIQ team, Forescout Technologies Inc., ReliaQuest, the Cybersecurity and Infrastructure Security Agency and SAP for the immense public-private coordination effort to help protect organizations from this risk!

What do organizations need to know?

  • Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) affect SAP Netweaver Visual Composer, allowing unauthenticated threat actors to remotely execute commands, resulting in immediate full compromise of the targeted system

  • Threat actors can abuse this access to gain unrestricted access to SAP business-critical data and processes, including the ability to exfiltrate, modify or delete confidential and/or regulated information. It can also be used to deploy ransomware and move laterally.

  • Exploitation bypasses traditional SAP security controls (such as user access and segregation of duties), and may leave no traces in standard SAP application audit logs.

  • SAP Netweaver Visual Composer is not installed by default but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding.

  • Initial threat activity was detected in January 2025, and the first observed exploitation dates back to early March 2025; attackers deployed persistent webshells, and later waves of opportunistic and advanced follow-up attacks have been ongoing since April 2025. This long dwell time significantly widens the scope of impact.

  • This vulnerability is actively being exploited in the wild, as noted by Onapsis Threat Intelligence, multiple IR firms and security researchers. It was first publicly reported by ReliaQuest.

  • SAP rapidly issued an emergency patch on April 24 (SAP Security Note 3594142, addressing CVE-2025-31324), and the vulnerability was added to CISA’s KEV catalog on April 29. SAP promptly released an additional Security Note, 3604119, on May 13, addressing the residual risk of CVE-2025-42999.

What should organizations do?

  • Immediately patch with SAP Security Notes 3604119 and 3594142

  • Audit systems for indicators of compromise, especially if Netweaver Visual Composer was active and unpatched during January-May 2025.

  • Avoid deprecated mitigations per updated SAP guidance

This vulnerability is serious. If your SAP systems were exposed, you have to assume compromise and take action. Download the Onapsis Research Labs consolidated threat advisory for more information on the vulnerability and how to remediate:

https://onapsis.com/resources/reports/download-sap-cve-2025-31324-cve-2025-42999-report
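The three action items above (patch with both notes, audit systems that had Visual Composer active and unpatched during January-May 2025, assume compromise if exposed) can be turned into a triage pass over an SAP system inventory. The script below is an added example written for this post; it is not from the post itself, from Onapsis or from SAP. The inventory records, system IDs, patch dates and the "today" date are constructed sample values; the only page-derived inputs are the two Security Note numbers and the audit window. Ranking is by priority first and then by days of exposure, so that internet-reachable unpatched systems come out on top.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Audit window named in the advisory text: Visual Composer active and unpatched
# at any point from January 2025 onward calls for an IoC audit.
EXPOSURE_START = date(2025, 1, 1)

# SAP Security Notes cited in the post; both must be applied to close both CVEs.
REQUIRED_NOTES = {"3594142": "CVE-2025-31324", "3604119": "CVE-2025-42999"}

# Constructed reference date for the sample run (not a real audit date).
SAMPLE_TODAY = date(2025, 5, 20)


@dataclass
class SapSystem:
    sid: str                       # system ID (constructed sample values below)
    visual_composer_enabled: bool  # component deployed and active on this system
    internet_exposed: bool         # reachable from untrusted networks
    notes_applied: Dict[str, date] = field(default_factory=dict)  # note -> date applied


@dataclass
class Triage:
    sid: str
    missing_notes: List[str]
    exposed_days: int
    priority: int          # 0 = handle first
    actions: List[str]


def fully_patched_on(system: SapSystem) -> Optional[date]:
    """Date from which both notes were in place, or None if either is missing."""
    dates = [system.notes_applied.get(n) for n in REQUIRED_NOTES]
    if any(d is None for d in dates):
        return None
    return max(dates)


def exposure_days(system: SapSystem, today: date) -> int:
    """Days since the window opened during which Visual Composer was enabled and
    at least one note was absent. 0 when the component was never enabled."""
    if not system.visual_composer_enabled:
        return 0
    patched = fully_patched_on(system)
    end = today if patched is None else min(patched, today)
    return max(0, (end - EXPOSURE_START).days)


def triage(system: SapSystem, today: date) -> Triage:
    """Apply the post's guidance: patch what is unpatched, audit what was exposed."""
    if not system.visual_composer_enabled:
        return Triage(system.sid, [], 0, 3,
                      ["confirm Visual Composer is not deployed; no further action"])
    missing = [n for n in REQUIRED_NOTES if n not in system.notes_applied]
    days = exposure_days(system, today)
    actions = []
    if missing:
        actions.append("apply SAP Security Note(s) " + ", ".join(missing) + " immediately")
    if days > 0:
        actions.append("audit for indicators of compromise; assume compromise if exposed")
    if missing and system.internet_exposed:
        priority = 0   # unpatched and reachable while exploitation is ongoing
    elif missing:
        priority = 1
    elif days > 0:
        priority = 2   # patched now, but exposed during the window: audit still required
    else:
        priority = 3
    return Triage(system.sid, missing, days, priority, actions)


def triage_inventory(systems: List[SapSystem], today: date) -> List[Triage]:
    """Rank an inventory so the most urgent systems come first."""
    return sorted((triage(s, today) for s in systems),
                  key=lambda t: (t.priority, -t.exposed_days))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    SapSystem("PRD", True, True, {"3594142": date(2025, 4, 28)}),
    SapSystem("QAS", True, False, {"3594142": date(2025, 4, 28), "3604119": date(2025, 5, 14)}),
    SapSystem("DEV", False, False),
]

if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{t.sid}: priority {t.priority}, exposed {t.exposed_days} days, "
              f"missing {t.missing_notes or 'none'} -> {'; '.join(t.actions)}")
```

Note that a system patched on the day the note shipped still shows weeks of exposure, because the window opened before any fix existed; that is the point of the post's second action item, and the triage keeps such systems on the audit list rather than closing them out as "patched".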

Patrick Spencer

Kiteworks VP of Corp. Mktg. & Research ... AI Marketer | Podcaster | Researcher | Journalist | Content Strategist

1w

Kinda refreshing to see everyone actually working together on these SAP bugs. Shows how much we can get done when security teams drop the silos and just tackle problems head-on. Makes a huge difference, doesn't it?
