Key Takeaways1. ShinyHunters publicly launched exploits for essential SAP vulnerabilities.2. Unauthenticated attackers can obtain full system takeover and distant code execution.3. Instantly apply SAP Safety Notes 3594142 and 3604119.
A working exploit focusing on essential SAP vulnerabilities CVE-2025-31324 and CVE-2025-42999 has been publicly launched by the infamous cybercriminal group “Scattered LAPSUS$ Hunters – ShinyHunters” by way of Telegram channels, with VX Underground subsequently publishing the weaponized code on the social media platform X.
The exploit chains two extreme vulnerabilities in SAP NetWeaver Visible Composer, carrying most CVSS scores of 10.0, enabling unauthenticated attackers to realize full system compromise and distant code execution capabilities.
Safety researchers warn that the general public launch considerably escalates the menace panorama for organizations working unpatched SAP techniques, notably given the delicate nature of the exploit and its potential for widespread deployment.
SAP NetWeaver Exploitation
Onapsis studies that the exploit leverages a devastating mixture of authentication bypass and deserialization flaws inside SAP NetWeaver Visible Composer infrastructure.
CVE-2025-31324 capabilities because the preliminary assault vector, permitting unauthenticated entry to essential system performance, whereas CVE-2025-42999 serves because the payload supply mechanism via unsafe deserialization processes.
This dual-vulnerability strategy permits attackers to execute arbitrary working system instructions with SAP administrator (adm) privileges, successfully bypassing conventional safety controls and gaining unrestricted entry to delicate enterprise information and processes.
The technical implementation demonstrates a complicated understanding of SAP structure, using particular lessons reminiscent of com.sap.sdo.api.* and com.sap.sdo.impl.* throughout the exploit framework.
The malicious payload dynamically adapts primarily based on SAP NetWeaver model detection, with the exploit code containing version-specific changes:
The publicly launched exploit represents a major escalation in menace actor capabilities, that includes a reusable deserialization gadget that extends past the unique vulnerability scope.
Safety researchers categorical explicit concern over the gadget’s potential utility to lately patched deserialization vulnerabilities, together with CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, and CVE-2025-42964.
This cross-vulnerability compatibility suggests menace actors possess complete data of SAP’s underlying structure and serialization mechanisms.
CVE IDTitleCVSS 3.1 ScoreSeverityCVE-2025-31324SAP NetWeaver Visible Composer Authentication Bypass10.0CriticalCVE-2025-42999SAP NetWeaver Visible Composer Deserialization Vulnerability9.1Critical
Mitigations
Organizations should instantly apply SAP Safety Notes 3594142 and 3604119 to handle the exploited vulnerabilities.
Extra essential patches embody Safety Notes 3578900, 3620498, 3610892, 3621771, and 3621236 for associated deserialization flaws.
Safety groups ought to implement complete monitoring for POST, GET, and HEAD requests focusing on SAP Visible Composer elements whereas proscribing internet-facing SAP utility entry.
Safely detonate suspicious recordsdata to uncover threats, enrich your investigations, and reduce incident response time. Begin with an ANYRUN sandbox trial →
