A weaponized exploit targeting the critical SAP vulnerability CVE-2025-31324 has been publicly released, raising immediate concerns for organizations running unpatched SAP systems.
The exploit, published on August 15, 2025, by VX Underground via X (formerly Twitter), was allegedly distributed by the threat group “Scattered LAPSUS$ Hunters – ShinyHunters” through a Telegram channel.
Vulnerability Analysis and Technical Details
CVE-2025-31324, affecting SAP NetWeaver Visual Composer, carries the maximum CVSS severity score of 10.0, enabling unauthenticated attackers to achieve complete system compromise.
The exploit chains this vulnerability with CVE-2025-42999, a deserialization flaw discovered by Onapsis Research Labs through their Global SAP Threat Intelligence Network.
The attack vector operates through a sophisticated two-stage exploitation process: attackers first leverage the missing authentication vulnerability (CVE-2025-31324) to bypass security controls, then exploit the deserialization flaw (CVE-2025-42999) to execute malicious payloads with SAP administrator privileges.
This combination enables remote code execution (RCE) and facilitates “living off the land” techniques, allowing attackers to execute operating system commands without deploying persistent artifacts.
Deserialization Gadget Concerns
The published exploit demonstrates threat actors’ deep knowledge of SAP architecture, utilizing specific custom SAP classes, including com.sap.sdo.api.* and com.sap.sdo.impl.* as fundamental components of the deserialization gadget.
The exploit dynamically adjusts payloads based on SAP NetWeaver versions, indicating a sophisticated understanding of version-specific implementation differences.
Security researchers express particular concern regarding the reusability of this deserialization gadget across other SAP components, potentially enabling exploitation of additional vulnerabilities discovered in July 2025.
Related Vulnerabilities and Security Notes
The following table summarizes the critical SAP vulnerabilities requiring immediate attention:
| CVE ID | CVSS Score | SAP Security Note | Vulnerability Type | Patch Status |
|---|---|---|---|---|
| CVE-2025-31324 | 10.0 | 3594142 | Authentication Bypass | Patched April 2025 |
| CVE-2025-42999 | 9.1 | 3604119 | Deserialization | Patched May 2025 |
| CVE-2025-30012 | 10.0 | 3578900 | Deserialization | Patched July 2025 |
| CVE-2025-42980 | 9.1 | 3620498 | Deserialization | Patched July 2025 |
| CVE-2025-42966 | 9.1 | 3610892 | Deserialization | Patched July 2025 |
Immediate Response Requirements
Organizations must immediately apply all available SAP security patches, particularly Security Notes 3594142 and 3604119.
Additional mitigation strategies include restricting internet access to SAP applications and implementing comprehensive monitoring for indicators of compromise, including unexpected file uploads and unusual process execution.
The publication of this exploit code typically triggers subsequent attack waves, making immediate patch deployment critical for preventing system compromise, data theft, and business disruption.
Organizations utilizing Onapsis platforms benefit from existing comprehensive coverage, while open-source scanners remain available from Onapsis and Mandiant for vulnerability assessment.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=The exploit, published on August 15, 2025, by VX Underground via X (formerly Twitter), was allegedly distributed by the threat group "Scattered LAPSUS$ Hunters – ShinyHunters" through a Telegram channel.){kind=link}