Warning of attacks on new SAP Netweaver vulnerability, Chrome and Draytek router
The US IT security authority CISA warns of attacks on a new SAP Netweaver vulnerability as well as on Chrome and Draytek routers.
The US Cybersecurity Agency, CISA, is currently warning of observed attacks on a new SAP Netweaver vulnerability as well as on Google Chrome and Draytek Vigor routers. Although there is no more detailed information on the attacks themselves, IT managers should promptly close the attacked vulnerabilities with the available software updates.
CISA warns of the attacks in the wild in a security bulletin but, as usual, provides no details on what the attacks look like or what their scope is. The attackers are currently focusing on a new critical vulnerability in SAP Netweaver, which the company fixed with an update only on Tuesday of this week, on SAP Patchday. The vulnerability once again affects Visual Composer, which is installed on many Netweaver installations.
Users with access rights can upload untrusted or malicious content that is deserialized and thus apparently executed (CVE-2025-42999 / EUVD-2025-14349, CVSS 9.1, risk “critical”). Admins should apply the update quickly, and also the one from April: ransomware gangs are now also attacking the Netweaver vulnerability that was patched only about three weeks ago, in further waves of attacks.
Exploited vulnerabilities in routers and browsers
CISA has also added the vulnerability in Google's Chromium browser to the Known Exploited Vulnerabilities (KEV) Catalog. Google closed it with a security update on Thursday night. The developers announced that they were aware of exploit code in the wild. This is now apparently being misused for attacks on Chrome users (CVE-2025-4664 / EUVD-2025-14909, CVSS 4.1, risk “medium”, but “high” according to Google).
In addition, admins with Draytek Vigor2960 and Vigor300B routers must update the firmware if it is still version 1.5.1.4 or older. The script /cgi-bin/mainfunction.cgi/apmcfgupload can be abused with manipulated arguments to inject commands, and attackers are now doing exactly that over the network. Exploit code was already available in December and is now probably being used. Firmware 1.5.1.5 or newer closes the vulnerability (CVE-2024-12987 / EUVD-2024-51246, CVSS 6.9, risk “medium”).
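A triage sketch for the Draytek item above, added here as an example and not taken from CISA, Draytek or heise: it flags inventory entries that still run firmware older than 1.5.1.5 and lists log requests that reach the named script. It assumes access logs in combined log format from a device in front of the router; the inventory layout, the parameter name "arg" and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

AFFECTED_MODELS = {"vigor2960", "vigor300b"}   # models named in the article
FIRST_FIXED = (1, 5, 1, 5)                     # firmware 1.5.1.5 or newer is fixed
ENDPOINT = "/cgi-bin/mainfunction.cgi/apmcfgupload"
SHELL_META = re.compile(r"[;|&`$<>\r\n]")      # characters a shell interprets
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def parse_version(text):
    """'v1.5.1.4' -> (1, 5, 1, 4); short versions are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def needs_update(model, firmware):
    """True for an affected model running firmware older than 1.5.1.5."""
    if model.lower().replace(" ", "") not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < FIRST_FIXED

def triage_log(lines):
    """Return (client_ip, verdict) for every request that reaches the script."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if unquote(parts.path).rstrip("/") != ENDPOINT:
            continue
        # Split on the raw '&' first so only decoded metacharacters count.
        args = [unquote_plus(p) for p in parts.query.split("&") if p]
        suspicious = any(SHELL_META.search(a) for a in args)
        hits.append((m["ip"], "shell-metacharacter" if suspicious else "endpoint-access"))
    return hits

# Constructed sample data: documentation IP ranges, placeholder parameter "arg".
SAMPLE_INVENTORY = [("Vigor2960", "1.5.1.4"), ("Vigor300B", "1.5.1.5"),
                    ("Vigor 2960", "1.4.4"), ("OtherModel", "1.0.0")]
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?arg=1%3Becho+test HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?arg=abc HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for model, fw in SAMPLE_INVENTORY:
        print(model, fw, "UPDATE" if needs_update(model, fw) else "ok")
    for ip, verdict in triage_log(SAMPLE_LOG):
        print(ip, verdict)
```

Access logs normally record only the request line, so arguments sent in a request body are not visible to this check; any hit on the script from an unexpected source is worth reviewing on its own.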
Even if the extent of the attacks remains unclear, admins should waste no time in downloading and installing the available software updates.
(dmk)