A sophisticated exploit targeting critical SAP vulnerabilities has been publicly released by the notorious hacking group ShinyHunters, significantly escalating the threat landscape for enterprise SAP environments.
The exploit, which chains together multiple zero-day vulnerabilities, was allegedly leaked through the “Scattered LAPSUS$ Hunters – ShinyHunters” group on Telegram and subsequently published by VX Underground on August 15, 2025.
The Exploit Details
The weaponized exploit primarily targets CVE-2025-31324, a critical vulnerability in SAP NetWeaver Visual Composer with a maximum CVSS score of 10.0.
This flaw allows unauthenticated attackers to execute arbitrary commands on target SAP systems, potentially leading to complete system compromise.
| CVE ID | CVSS Score | Component | Patch Status | SAP Security Note |
| CVE-2025-31324 | 10.0 | SAP NetWeaver Visual Composer | Patched April 2025 | 3594142 |
The exploit cleverly chains this vulnerability with CVE-2025-42999, a deserialization vulnerability that enables “live off the land” attacks without deploying artifacts on target systems.
The attack vector demonstrates sophisticated knowledge of SAP architecture, utilizing specific custom SAP classes such as com.sap.sdo.api.* and com.sap.sdo.impl.* as building blocks for the exploit payload.
The code even adjusts dynamically based on SAP NetWeaver versions, showing the attackers’ deep understanding of the platform’s internals.
Security researchers from Onapsis, who originally discovered and reported several of these vulnerabilities, emphasize that while these are not new vulnerabilities, the public availability of working exploit code significantly increases the risk of widespread attacks.
The exploit’s deserialization gadget component is particularly concerning as it can potentially be reused against other SAP vulnerabilities discovered in July 2025.
Organizations running SAP systems are strongly advised to immediately verify patch deployment for all listed security notes and implement additional monitoring for suspicious activities.
The exploit’s sophistication and the involvement of known threat actors like ShinyHunters underscore the critical importance of maintaining up-to-date SAP security patches and implementing comprehensive monitoring solutions.
The publication of this exploit represents a significant escalation in the threat landscape for SAP environments, with security experts predicting increased exploitation attempts following the code’s public availability.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
