A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.

The exploit in question chains together CVE-2025–31324 and CVE-2025–42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.