The exploit, published on August 15, 2025, by VX Underground via X (formerly Twitter), was allegedly distributed by the threat group “Scattered LAPSUS$ Hunters – ShinyHunters” through a Telegram channel.
CVE-2025-31324, affecting SAP NetWeaver Visual Composer, carries the maximum CVSS severity score of 10.0, enabling unauthenticated attackers to achieve complete system compromise.
The exploit chains this vulnerability with CVE-2025-42999, a deserialization flaw discovered by Onapsis Research Labs through their Global SAP Threat Intelligence Network.
The attack vector operates through a sophisticated two-stage exploitation process: attackers first leverage the missing authentication vulnerability (CVE-2025-31324) to bypass security controls, then exploit the deserialization flaw (CVE-2025-42999) to execute malicious payloads with SAP administrator privileges.
This combination enables remote code execution (RCE) and facilitates “living off the land” techniques, allowing attackers to execute operating system commands without deploying persistent artifacts.
The published exploit demonstrates threat actors’ deep knowledge of SAP architecture, utilizing specific custom SAP classes, including com.sap.sdo.api.* and com.sap.sdo.impl.* as fundamental components of the deserialization gadget.
The exploit dynamically adjusts payloads based on SAP NetWeaver versions, indicating a sophisticated understanding of version-specific implementation differences.
Security researchers express particular concern regarding the reusability of this deserialization gadget across other SAP components, potentially enabling exploitation of additional vulnerabilities discovered in July 2025.
The following table summarizes the critical SAP vulnerabilities requiring immediate attention:
| CVE ID | CVSS Score | SAP Security Note | Vulnerability Type | Patch Status |
|---|---|---|---|---|
| CVE-2025-31324 | 10.0 | 3594142 | Authentication Bypass | Patched April 2025 |
| CVE-2025-42999 | 9.1 | 3604119 | Deserialization | Patched May 2025 |
| CVE-2025-30012 | 10.0 | 3578900 | Deserialization | Patched July 2025 |
| CVE-2025-42980 | 9.1 | 3620498 | Deserialization | Patched July 2025 |
| CVE-2025-42966 | 9.1 | 3610892 | Deserialization | Patched July 2025 |
Organizations must immediately apply all available SAP security patches, particularly Security Notes 3594142 and 3604119.
Additional mitigation strategies include restricting internet access to SAP applications and implementing comprehensive monitoring for indicators of compromise, including unexpected file uploads and unusual process execution.
The publication of this exploit code typically triggers subsequent attack waves, making immediate patch deployment critical for preventing system compromise, data theft, and business disruption.
Organizations utilizing Onapsis platforms benefit from existing comprehensive coverage, while open-source scanners remain available from Onapsis and Mandiant for vulnerability assessment.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post ShinyHunters Allegedly Release Exploit for SAP 0-Day Vulnerability appeared first on Cyber Security News.
Four players in Big Walk. A game about an annoying goose with a button dedicated…
It’s about time. The iPhone 17E is a better value than the 16E was when…
For the record: if you’re getting an iPad Air, you should also get the keyboard…
A UK newspaper has posted a major leak from the set of HBO's Harry Potter…
If the absurd silliness of 2019’s Untitled Goose Game is the type of thing that…
Sony is reportedly testing dynamic pricing on the PlayStation Store. As first reported by PSprices,…
This website uses cookies.