Today, 2025, SAP released 16 new Security Notes and updated 2 previously released ones as part of its monthly Security Patch Day. The May update brings urgent attention to several critical vulnerabilities, including an exploited-in-the-wild zero-day flaw, as SAP customers face escalating threats across business-critical applications.
Zero-Day Under Active Exploitation: CVE-2025-31324
One of the most pressing concerns addressed this month is CVE-2025-31324, a Critical (CVSS 10.0) unauthenticated file upload vulnerability in SAP NetWeaver (Visual Composer development server). This flaw allows remote code execution without authentication, enabling attackers to upload malicious files and potentially gain complete control over the system.
SAP had previously issued an out-of-band emergency patch on April 24 after researchers at ReliaQuest observed the vulnerability being actively exploited in the wild. Subsequent investigations by Forescout Vedere Labs and Mandiant linked the exploitation to a Chinese threat actor, with activity traced back to January 2025.
Onapsis has been seeing reconnaissance and payload testing since January 20, with real exploitation attempts starting around February 10.
Other Noteworthy Critical and High-Risk Vulnerabilities
- CVE-2025-42999 (CVSS 9.1) – Insecure Deserialization in SAP NetWeaver
An insecure deserialization vulnerability in the Visual Composer Metadata Uploader could allow attackers to compromise the confidentiality, integrity, and availability of the host system if a privileged user uploads malicious content. - CVE-2025-30018 (CVSS 8.6) – XML Injection in SAP Supplier Relationship Management
The Live Auction Cockpit component is vulnerable to crafted XML file submission, allowing unauthenticated attackers to access sensitive files—raising major confidentiality concerns. - CVE-2025-43010 (CVSS 8.3) – Code Injection in SAP S/4HANA MDL
A lack of input validation in SCM Master Data Layer (MDL) permits authenticated users to overwrite ABAP programs, potentially affecting the system’s integrity and availability.
Additional Vulnerabilities Worth Noting
| CVE ID | Product | Severity | Issue |
|---|---|---|---|
| CVE-2025-43000 | SAP Business Objects BI Platform | High (7.9) | Information Disclosure |
| CVE-2025-43011 | SAP Landscape Transformation | High (7.7) | Missing Authorization Check |
| CVE-2025-43006 | SRM Master Data Catalog | Medium (6.1) | Cross-Site Scripting |
| CVE-2025-43005 | SAP GUI for Windows | Medium (4.3) | Information Disclosure |
A wide range of other medium-severity vulnerabilities were also addressed, impacting platforms like SAP Gateway, SAP Service Parts Management, and Digital Manufacturing dashboards.
Call to Action
Organizations running SAP solutions are strongly urged to apply the May 2025 patches immediately, especially in light of the active exploitation of CVE-2025-31324. Prioritize patching SAP NetWeaver and Visual Composer components and closely monitor systems for indicators of compromise (IoCs) shared by threat intelligence vendors.
