SAP Security Notes & CVEs 2025: Analysis & Threats

The year 2025 is proving to be a pivotal one for SAP security. Even as we reach the halfway mark, the landscape has been particularly active, marked by a significant volume of critical vulnerabilities and SAP Security Notes. In just the first half of 2025, SAP has already released 27 High Priority SAP Security Notes (averaging a CVSSv3 of 8.2) and 14 HotNews (with an average CVSSv3 of 9.8). This report will recap these most critical updates and shed light on the evolving threats impacting SAP environments.

Insecure Deserialization Vulnerabilities: A Major Hidden Danger

A significant share of the most recent critical vulnerabilities in SAP applications fall into the category known as Insecure Deserialization (CWE-502). Deserialization rebuilds objects from a byte stream; when that stream comes from an untrusted source and the application does not restrict which classes may be instantiated, the attacker decides which objects are built and, through them, which code runs while they are being built. The usual outcome is remote code execution (RCE) on the affected system; data theft and denial of service are the other typical results.

If exploited successfully, attackers gain full control of the affected system, with the attendant risk of espionage, sabotage, fraud and ransomware deployment on critical SAP systems. The CVEs discussed in this report, including CVE-2025-30012, CVE-2025-31324 and CVE-2025-42999, are examples of this class; details follow below.
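The mechanism in miniature, as an added example that is not code from this page or from SAP: Python's pickle plays the role of the Java object streams that SAP NetWeaver AS Java consumes, since in both the stream itself names the classes to build and the callables to invoke. `PurchaseOrder` is a made-up business type and `fake_system` is a stand-in for `os.system` that records the command instead of running it. The first loader is the vulnerable pattern; the second is the allow-list fix that any deserialization entry point needs.

```python
"""Insecure deserialization (CWE-502) in miniature: a pickle stream that runs
a callable on load, and an allow-list unpickler that refuses it.
Added example, not SAP code."""
import io
import pickle
from dataclasses import dataclass

# Recorded side effects. fake_system stands in for os.system so the demo
# shows what would have run instead of running it.
EXECUTED = []

def fake_system(cmd):
    EXECUTED.append(cmd)
    return 0

@dataclass
class PurchaseOrder:
    """The only type the application legitimately expects to receive."""
    po_number: str
    amount: float

class Gadget:
    """Attacker-controlled class. __reduce__ tells pickle how to rebuild the
    object, and the attacker chooses 'call fake_system(cmd)' as the recipe."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (fake_system, (self.cmd,))

def build_legit_payload():
    return pickle.dumps(PurchaseOrder("4500001234", 1250.0))

def build_malicious_payload(cmd="id"):
    # The receiver never needs Gadget to exist: the stream only references
    # fake_system, and that is what the loader calls.
    return pickle.dumps(Gadget(cmd))

def unsafe_load(data):
    """Vulnerable: reconstructs whatever the untrusted stream names."""
    return pickle.loads(data)

# Hardened loader: only these (module, name) pairs may be resolved.
ALLOWED_GLOBALS = {(__name__, "PurchaseOrder")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class or callable the stream asks for; deny by default.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data):
    """True when the hardened loader refuses the stream without executing it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    evil = build_malicious_payload("id")
    unsafe_load(evil)
    print("unsafe loader executed:", EXECUTED)
    print("safe loader rejects payload:", is_rejected(evil))
    print("safe loader still loads business data:", safe_load(build_legit_payload()))
```

The point to carry back to SAP: the vulnerable loader has no chance to validate anything, because the callable fires during reconstruction, before the application ever sees an object. The Java equivalent of `RestrictedUnpickler` is a JEP 290 `ObjectInputFilter` allow-list, which is the kind of fix a vendor note for an AS Java deserialization flaw delivers; customers cannot add it themselves, which is why the patch has to be applied rather than worked around.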

Key Vulnerabilities & Campaigns in 2025

Beyond the routine Patch Tuesday releases, the first half of 2025 has been marked by several high-profile security incidents and the active exploitation of specific vulnerabilities in SAP environments. These campaigns show how the methods of threat actors targeting SAP are evolving, and how persistent they have become. Onapsis has been at the forefront of analyzing these threats, drawing on Onapsis Research Labs (ORL) and its global SAP Threat Intelligence Network to provide timely insights, develop remediation guidance, and release tools that help defenders mitigate these risks.

Active Exploitation of CVE-2017-12637

In March 2025, CISA added CVE-2017-12637 to its Known Exploited Vulnerabilities (KEV) catalog, warning of active exploitation of a vulnerability that was disclosed and patched back in 2017. It is a directory traversal flaw in SAP NetWeaver AS Java, a component that is frequently internet-facing by design, so an unpatched eight-year-old bug remains directly reachable from the outside. For a comprehensive breakdown of this CVE and strategies to address its potential exploitation, refer to our in-depth analysis of CVE-2017-12637.

CVE-2025-31324: Zero-Day Exploitation

This critical vulnerability, CVE-2025-31324, was initially reported by ReliaQuest on April 22, 2025. It affects the development server of SAP NetWeaver Visual Composer and lets an unauthenticated remote attacker upload arbitrary files, which leads to immediate full compromise of the affected system. It carries a CVSS score of 10.0 and is addressed by SAP Security Note 3594142. Although Visual Composer is not installed by default, it is widely enabled because business process specialists use it to build applications without writing code, so the exposed population is large. Recognizing its severity, CISA added the CVE to its Known Exploited Vulnerabilities catalog on April 29, 2025.

Business Impact of CVE-2025-31324

Files uploaded through this flaw are executed by the SAP application server itself, so a web shell dropped this way runs as <sid>adm, the operating-system account under which the SAP server processes run. That account has unrestricted access to every SAP resource on the host, including the SAP system database. With it, the attacker can, among other things, shut down the SAP application or deploy ransomware.

Furthermore, a compromised system can serve as a foothold within the network, allowing the attacker to pivot from this initial entry point and access other internal systems. This leverage is particularly dangerous given the interconnected nature of SAP systems within an enterprise.

The potential for immediate full compromise is a serious matter that demands prioritization by your team. Such an event could lead to malicious and unauthorized business activity affecting critical SAP systems. This includes, but is not limited to, modifying financial records, deploying ransomware, viewing personally identifiable information (PII), corrupting business data, and deleting or modifying logs, traces, and other actions that jeopardize essential business operations.

CVE-2025-42999: Fixing the Root Cause

On May 13, 2025, SAP released Security Note 3604119. The note followed the responsible disclosure, earlier in May, of new information that Onapsis Research Labs (ORL) obtained by reconstructing attacks observed in the wild. It addresses CVE-2025-42999, an insecure deserialization vulnerability with a CVSS score of 9.1, and, as ORL confirmed, it fixes the root cause behind CVE-2025-31324: Note 3594142 closed the missing authorization check that let unauthenticated users reach the upload endpoint, while Note 3604119 fixes the deserialization flaw that the uploaded content exploited. Affected systems therefore need both notes applied.

Further underscoring its critical importance, CISA added CVE-2025-42999 to their Known Exploited Vulnerabilities Catalog on May 15, 2025.

For an in-depth analysis and full details on recommended remediations for CVE-2025-42999 and CVE-2025-31324, consult our comprehensive threat brief.

CVE-2025-30018: A New Critical Deserialization Threat

July's Patch Day highlighted CVE-2025-30018 (SAP Security Note #3578900). It belongs to the same class as the CVEs above and could be abused in exactly the same way, which is why prompt patching is essential.

This critical vulnerability is present in a component of the SAP Supplier Relationship Management (SRM) solution. SAP SRM is utilized by procurement teams to manage supplier relationships and automate sourcing and purchasing processes. It handles supplier master data, contract lifecycle, and procurement catalogs, with key processes including sourcing, purchase order management, and supplier performance evaluation.

SAP SRM is a legacy solution, and customers are encouraged to migrate to SAP Ariba or SAP Fieldglass, which fortunately shrinks the number of potentially affected organizations. It nevertheless remains in service at many organizations that have run their supplier management and procurement automation on it for years, and those installations need this patch.

Frequently Asked Questions (FAQs)

What is the significance of deserialization vulnerabilities in SAP? 

Deserialization vulnerabilities (CWE-502) are a dangerous class of flaw: by crafting the serialized data an application loads, an attacker can make it instantiate classes and run code the developer never intended, up to full system compromise, as recently demonstrated in global attack campaigns targeting SAP.

Why is CVE-2025-30012 considered a critical vulnerability? 

CVE-2025-30012 is rated CVSS 10.0, the highest possible score, indicating extreme severity. It is a deserialization vulnerability that can be exploited remotely over HTTP(S) with no authentication, leading to immediate full compromise of vulnerable SAP Supplier Relationship Management (SRM) applications.

What is the relationship between CVE-2025-31324 and CVE-2025-42999? 

CVE-2025-31324 was the initial zero-day vulnerability actively exploited in SAP Visual Composer. CVE-2025-42999, addressed by SAP Security Note 3604119, was later identified as the underlying root cause, fixing the deserialization vulnerability that enabled the exploitation of CVE-2025-31324.

How quickly do attackers typically exploit newly disclosed vulnerabilities? 

Onapsis research has found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. This highlights the critical need for rapid patching.

What is the business impact of a successful SAP system compromise via these vulnerabilities?

A successful exploitation can bypass traditional SAP security controls, granting attackers full control over critical business processes and data. This could result in espionage, sabotage, fraud, or the deployment of ransomware, leading to severe financial, operational, and reputational damage.

Are there tools available to help assess and remediate these vulnerabilities? 

Yes, Onapsis, in collaboration with Mandiant, has developed and released open-source tools, including an Indicators of Compromise (IoCs) scanner and blackbox vulnerability scanners, to help organizations identify and assess exposure to CVE-2025-31324 and CVE-2025-42999.
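To make the scanner question and the CVE-2025-31324 section above concrete, here is an added example in Python. It is illustrative code written for this page, not the Onapsis/Mandiant tooling and not SAP code. Its two indicators come from public incident reporting on this CVE rather than from this page: requests to the Visual Composer metadata uploader endpoint, and `.jsp` web shells dropped under the irj application directories. The instance directory layout, the reverse-proxy log lines (NCSA combined format) and the planted file are all constructed for the demo.

```python
"""Triage for CVE-2025-31324 activity: access-log rules plus a filesystem
check. Added example, not the Onapsis/Mandiant scanner and not SAP code;
indicators are from public reporting, sample data is constructed."""
import os
import re
import tempfile
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint abused for the unauthenticated upload (public reporting).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Reported web-shell drop directories, relative to the instance's J2EE
# cluster root; the exact layout is an assumption about a standard install.
DROP_DIRS = [
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
]
SUSPECT_EXT = {".jsp", ".java", ".class"}

# NCSA combined: ip ident user [time] "METHOD url HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client uploads and then calls a shell, another
# only probes the endpoint, both mixed with normal portal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:03:12:41 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:03:12:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 17
203.0.113.7 - - [24/Apr/2025:03:12:50 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 39
198.51.100.9 - - [24/Apr/2025:08:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.9 - - [24/Apr/2025:08:01:09 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["url"]).path.lower()
    rec["status"] = int(rec["status"])
    return rec

def hunt(lines):
    """One finding per matching request: rule name, client, time, detail."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == UPLOADER_PATH:
            # A 200 on an unauthenticated POST to an unpatched system means a
            # file was very likely written; any other method is a probe.
            rule = "uploader_post" if rec["method"] == "POST" else "uploader_probe"
        elif rec["path"].startswith("/irj/") and rec["path"].endswith(".jsp"):
            # The portal is not normally addressed by .jsp; flag for review.
            rule = "jsp_under_irj"
        else:
            continue
        findings.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                         "detail": f'{rec["method"]} {rec["url"]} -> {rec["status"]}'})
    return findings

def likely_compromised(findings):
    """Clients that POSTed to the uploader and then called a JSP."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].add(f["rule"])
    return sorted(ip for ip, rules in seen.items()
                  if {"uploader_post", "jsp_under_irj"} <= rules)

def find_dropped_files(instance_root):
    """Source/class files sitting in the reported drop directories (review list)."""
    hits = []
    for d in DROP_DIRS:
        base = os.path.join(instance_root, d)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                hits.append(f"{d}/{name}")
    return hits

def demo_filesystem_check():
    """Plants a placeholder .jsp in a throwaway instance tree and scans it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, DROP_DIRS[0])
        os.makedirs(target)
        with open(os.path.join(target, "helper.jsp"), "w") as fh:
            fh.write("<%-- constructed placeholder, not a real shell --%>\n")
        return find_dropped_files(tmp)
```

Run `hunt(SAMPLE_LOG.splitlines())` to get three findings (an upload, a JSP call, and a probe) and `likely_compromised(...)` to reduce them to the one client that did both; `find_dropped_files("/usr/sap/<SID>/<instance>")` is the offline counterpart for a host you can log in to. Two caveats: a probe alone means scanning, not compromise, and a file listed by the filesystem check is something to review, since the rule is deliberately broad and a clean result does not prove the absence of an attacker who has already removed the shell and moved to other persistence.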