Enterprise software maker SAP on Tuesday released 16 new and two updated security notes as part of its May 2025 Security Patch Day. Two of the notes address critical vulnerabilities in NetWeaver.
The most severe is an update to a note released on April 24 to address CVE-2025-31324 (CVSS score of 10/10), a critical-severity bug in NetWeaver’s Visual Composer development server component that has been exploited in the wild for remote code execution (RCE) since January.
Hundreds of NetWeaver servers have been compromised through exploitation of CVE-2025-31324, and application security firm Onapsis warns that opportunistic attackers are looking to leverage webshells deployed during the initial zero-day attacks.
The company is seeing “significant activity from attackers who are using public information to trigger exploitation and abuse of webshells placed by the original attackers, who have currently gone dark.”
Analysis of the attacks has led to the discovery of another critical defect in NetWeaver’s Visual Composer. Tracked as CVE-2025-42999 (CVSS score of 9.1) and described as an insecure deserialization issue, the vulnerability was resolved with the second critical security note released on SAP’s May 2025 Security Patch Day.
“SAP did a fantastic job responding quickly to new information and turned around an additional patch to enhance protections for the active exploit in the wild,” Onapsis says.
Since the April 2025 security notes were rolled out, SAP also updated two critical notes addressing code injection issues in S/4HANA (CVE-2025-27429) and Landscape Transformation (CVE-2025-31330). Despite the different CVEs, the notes resolve the same flaw.
On Tuesday, SAP released four new and one updated security notes that address high-severity bugs in Supplier Relationship Management, S/4HANA Cloud Private Edition or On Premise, Business Objects Business Intelligence Platform, Landscape Transformation, and PDCE.
The software maker also released 11 new security notes that resolve medium-severity vulnerabilities in various products.
SAP customers are advised to apply the security notes as soon as possible, especially given the ongoing exploitation of CVE-2025-31324.