SAP Vulnerabilities Actively Exploited by Ransomware: What You Need to Know

Two critical vulnerabilities in SAP NetWeaver Java, CVE-2025-31324 and CVE-2025-42999, are being actively exploited by ransomware groups and other threat actors. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, signaling an urgent need for organizations to take action by applying patches or removing the affected component.

The vulnerabilities exist in the Visual Composer framework of SAP NetWeaver Java and have been under active exploitation since at least February, with successful compromises reported as early as March. Security researchers have identified multiple threat actors, including ransomware groups BianLian and RansomEXX, exploiting these flaws for financial gain. The evidence underscores the immediate risk to unpatched systems, prompting SAP to release patches and recommend the complete removal of the vulnerable Visual Composer component as the most effective mitigation.

Key Takeaways

  • Two critical SAP NetWeaver vulnerabilities, CVE-2025-31324 and CVE-2025-42999, are being actively exploited.
  • CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating a significant, active threat.
  • Ransomware groups BianLian and RansomEXX are confirmed to be targeting these vulnerabilities.
  • SAP has provided patches via notes 3594142 and 3604119.
  • The recommended permanent solution is to remove the Visual Composer component as per KBA 3593336.

What SAP Vulnerabilities Are Being Actively Exploited?

The two vulnerabilities at the center of this threat are CVE-2025-31324 and CVE-2025-42999, both of which affect the Visual Composer framework in SAP NetWeaver Java. Due to evidence of active exploitation, the United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog on April 29, followed by CVE-2025-42999 on May 15.

Who is Exploiting These SAP Vulnerabilities?

Security researchers have confirmed that multiple threat actors are exploiting these vulnerabilities. Evidence of active exploitation attempts began to surface in February, with some organizations observing successful exploitation from March. On May 8, Forescout reported that exploitation attempts for CVE-2025-31324 were originating from China.

On May 18, ReliaQuest confirmed that the Russian ransomware group BianLian and another operator called RansomEXX were actively targeting the vulnerability. According to ReliaQuest, the involvement of these groups highlights a growing trend of weaponizing high-profile vulnerabilities for financial motives and adds urgency for organizations to secure their systems.

How Can You Fix These SAP Vulnerabilities?

SAP has provided patches and clear guidance for remediation. The primary SAP notes addressing these vulnerabilities are 3594142 and 3604119. These notes and their supporting Knowledge Base Articles (KBAs) provide patches for supported versions of SAP NetWeaver Java.

For unsupported versions, manual instructions are available. Importantly, simply disabling the Visual Composer or the Development Server application is no longer the recommended solution. The most secure course of action is to completely remove the components by following the instructions in Option 0 of KBA 3593336.

How Can You Detect Exploitation Attempts?

Continuous monitoring is key to detecting and responding to threats against your SAP landscape. The Cybersecurity Extension for SAP can detect systems vulnerable to CVE-2025-31324 and CVE-2025-42999. It also detects and alerts on both attempted and successful exploitation, based on relevant signatures and indicators of compromise.

Frequently Asked Questions (FAQ)

What are CVE-2025-31324 and CVE-2025-42999?
These are critical vulnerabilities in the Visual Composer framework of SAP NetWeaver Java. They allow unauthenticated attackers to upload malicious files, potentially leading to a full system compromise, and are being actively exploited by ransomware groups.

What is the recommended solution from SAP?
SAP’s primary recommendation is to completely remove the vulnerable Visual Composer component by following the instructions in KBA 3593336. For systems where the component is required, patches are available via SAP notes 3594142 and 3604119.

Which ransomware groups are exploiting these SAP vulnerabilities?
Security firm ReliaQuest has confirmed that the Russian ransomware group BianLian and another operator, RansomEXX, are actively targeting these vulnerabilities for financial gain.
