In this episode, we dive into the active exploitation of two critical zero-day vulnerabilities in SAP NetWeaver—CVE-2025-31324 and CVE-2025-42999. Threat actors have been leveraging these flaws since January 2025 to gain unauthenticated access, upload malicious web shells, and ultimately achieve remote code execution by chaining an insecure deserialization bug. With over 2,000 vulnerable SAP NetWeaver servers exposed online—including deployments at more than 20 Fortune 500 and Global 500 companies—the impact is massive.
We break down how the attack chain works, the tools being deployed (like Brute Ratel), and what this says about modern supply chain security. We also examine the role of Chinese threat actor Chaya_004 and the response from the U.S. government, including CISA’s mandate for federal agencies to patch by May 20. Plus, we discuss SAP’s mitigation guidance and the broader implications of enterprise software zero-days in an increasingly hostile cyber threat landscape.
Tune in to understand why this campaign could be one of the most consequential enterprise breaches of 2025—and what security teams must do now.
