Key Takeaways
1. ShinyHunters publicly released exploits for critical SAP vulnerabilities.
2. Unauthenticated attackers can achieve complete system takeover and remote code execution.
3. Immediately apply SAP Security Notes 3594142 and 3604119.
A working exploit targeting critical SAP vulnerabilities CVE-2025-31324 and CVE-2025-42999 has been publicly released by the notorious cybercriminal group “Scattered LAPSUS$ Hunters – ShinyHunters” via Telegram channels, with VX Underground subsequently publishing the weaponized code on the social media platform X.
The exploit chains two vulnerabilities in SAP NetWeaver Visual Composer: the authentication bypass CVE-2025-31324 (CVSS 10.0) and the deserialization flaw CVE-2025-42999 (CVSS 9.1). Together they let an unauthenticated attacker achieve remote code execution and full system compromise.
Security researchers warn that the public release significantly raises the risk for organizations running unpatched SAP systems: a ready-to-run exploit removes the need for attackers to develop their own and makes mass exploitation of exposed instances far more likely.
SAP NetWeaver Exploitation
Onapsis reports that the exploit combines an authentication bypass with a deserialization flaw in the SAP NetWeaver Visual Composer component.
CVE-2025-31324 serves as the initial access vector, allowing unauthenticated requests to reach functionality that should require authentication, while CVE-2025-42999 serves as the payload delivery mechanism through unsafe deserialization of attacker-supplied data.
Chaining the two lets attackers execute arbitrary operating system commands as the <sid>adm user (the SAP system administrator account on the host), bypassing application-level security controls and gaining unrestricted access to sensitive business data and processes.
The technical implementation demonstrates a detailed understanding of the SAP Java stack, using classes from the com.sap.sdo.api.* and com.sap.sdo.impl.* packages within the exploit framework.
The malicious payload dynamically adapts based on SAP NetWeaver version detection, with the exploit code containing version-specific adjustments:
The publicly released exploit represents a significant escalation in threat actor capabilities, featuring a reusable deserialization gadget that extends beyond the original vulnerability scope.
Security researchers express particular concern over the gadget’s potential application to recently patched deserialization vulnerabilities, including CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, and CVE-2025-42964.
This cross-vulnerability compatibility suggests threat actors possess comprehensive knowledge of SAP’s underlying architecture and serialization mechanisms.
| CVE ID | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver Visual Composer Authentication Bypass | 10.0 | Critical |
| CVE-2025-42999 | SAP NetWeaver Visual Composer Deserialization Vulnerability | 9.1 | Critical |
Mitigations
Organizations must immediately apply SAP Security Notes 3594142 and 3604119 to address the exploited vulnerabilities.
Additional critical patches include Security Notes 3578900, 3620498, 3610892, 3621771, and 3621236 for related deserialization flaws.
Security teams should monitor for POST, GET, and HEAD requests targeting SAP Visual Composer components, in particular the Metadata Uploader endpoint (/developmentserver/metadatauploader) abused by CVE-2025-31324, and should remove direct internet exposure of SAP application servers wherever possible. HEAD and GET requests against that endpoint from unexpected sources typically indicate reconnaissance ahead of an upload attempt, so they are worth alerting on even when the server rejects them.
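As an added example (not code from the article or from Onapsis), the following Python script implements the monitoring described above as a pass over web-server access-log lines: it flags POST, GET, and HEAD requests to the Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader, the documented entry point for CVE-2025-31324), rates them by method, response status, and whether the source address is outside the organization's own ranges, and summarizes the result. The log format, the trusted address ranges, the severity scheme, and the sample log lines are all assumptions constructed for the example.

```python
# Added example, not from the article: flag requests to the Visual Composer
# Metadata Uploader endpoint in access logs. Log format, trusted ranges and
# the sample lines below are constructed for illustration.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache/NGINX-style combined log line (assumption: adapt the regex if your
# ICM or reverse proxy writes a different format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoint abused by CVE-2025-31324; the article's guidance is to watch
# POST, GET and HEAD requests against Visual Composer components.
TARGET_PATH = "/developmentserver/metadatauploader"
WATCHED_METHODS = {"POST", "GET", "HEAD"}

# Hypothetical trusted ranges; replace with your own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and normalise case so path variants still match.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def is_internal(ip: str) -> bool:
    """True when the source address falls inside one of INTERNAL_NETS."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict):
    """Severity for one parsed request, or None when it is not of interest."""
    if not rec["path"].startswith(TARGET_PATH) or rec["method"] not in WATCHED_METHODS:
        return None
    external = not is_internal(rec["ip"])
    if rec["method"] == "POST":
        # An accepted POST means the uploader processed attacker-supplied data.
        if rec["status"] == 200:
            return "critical" if external else "high"
        return "high" if external else "medium"
    # GET/HEAD against the endpoint is reconnaissance for the same chain.
    return "medium" if external else "low"


def scan(lines):
    """Return (severity, ip, method, status, timestamp) per hit, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev is not None:
            findings.append((sev, rec["ip"], rec["method"], rec["status"], rec["ts"]))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity label."""
    return dict(Counter(f[0] for f in findings))


# Constructed sample log: an external probe-then-upload sequence, an internal
# unauthenticated probe, a rejected external POST, normal traffic and noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Aug/2025:09:14:02 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.7 - - [11/Aug/2025:09:14:05 +0000] "POST /developmentserver/metadatauploader?v=1 HTTP/1.1" 200 512',
    '10.0.2.15 - - [11/Aug/2025:09:20:11 +0000] "GET /irj/portal HTTP/1.1" 200 8421',
    '10.0.2.15 - - [11/Aug/2025:09:21:40 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
    '198.51.100.9 - - [11/Aug/2025:09:30:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    'not a log line',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for sev, ip, method, status, ts in hits:
        print(f"{sev:8} {ip:15} {method:4} {status} {ts}")
    print(summarize(hits))
```

On the sample input the script reports the external HEAD probe as medium, the accepted external POST that follows it as critical, the internal GET that was rejected with 401 as low, and the external POST rejected with 403 as high, while ignoring the portal request and the malformed line. The severity scheme is deliberately simple; in production, feed the same parsed records into your SIEM rather than a script, and treat any accepted POST to this endpoint on an unpatched system as a likely compromise rather than an alert to triage later.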