SAP

The cybercriminal group ShinyHunters publicly released a weaponized exploit targeting critical SAP NetWeaver Visual Composer vulnerabilities (CVE-2025-31324 & CVE-2025-42999), enabling unauthenticated attackers to achieve full system takeover, remote code execution, and SAP administrator (adm) privilege escalation. The exploit chains an authentication bypass and a deserialization flaw, allowing arbitrary OS command execution, unrestricted access to sensitive business data, and potential lateral movement across enterprise systems. The exploit’s reusable deserialization gadget extends its threat scope to other recently patched SAP vulnerabilities (e.g., CVE-2025-30012, CVE-2025-42980), indicating advanced adversary knowledge of SAP’s architecture. Organizations failing to apply SAP Security Notes 3594142 and 3604119 risk complete compromise of ERP systems, including financial data, intellectual property (patents), customer records, and operational processes. The exploit’s public availability on Telegram and X (Twitter) amplifies the risk of widespread automated attacks, with potential cascading effects on supply chains, regulatory compliance (e.g., GDPR), and business continuity. The attack vector’s CVSS 10.0 severity underscores its capacity to disrupt core business functions, trigger ransomware deployments, or facilitate data exfiltration for espionage or financial fraud. Immediate patching and network segmentation are critical to mitigate exposure.

Source: https://cybersecuritynews.com/exploit-for-sap-0-day-vulnerability/

TPRM report: https://www.rankiteo.com/company/sap-americas

{
  "id": "sap603081925",
  "linkid": "sap-americas",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Organizations running unpatched '
                                              'SAP NetWeaver Visual Composer '
                                              '(Exact number unknown)',
                        'industry': 'Technology/ERP Software',
                        'location': 'Walldorf, Germany (HQ)',
                        'name': 'SAP SE',
                        'size': 'Global (100,000+ Employees)',
                        'type': 'Enterprise Software Provider'},
                       {'industry': 'Multiple (Enterprise-Level Organizations)',
                        'location': 'Global',
                        'type': 'SAP Customers'}],
 'attack_vector': ['Publicly Released Exploit (Telegram/X)',
                   'Authentication Bypass (CVE-2025-31324)',
                   'Unsafe Deserialization (CVE-2025-42999)',
                   'POST/GET/HEAD Requests to SAP Visual Composer'],
 'customer_advisories': ['SAP Security Advisory (Urgent Patch Recommendation)',
                         'Onapsis Alert on Exploit Public Release'],
 'description': "The cybercriminal group 'Scattered LAPSUS$ Hunters – "
                "ShinyHunters' publicly released a working exploit targeting "
                'critical SAP vulnerabilities (CVE-2025-31324 and '
                'CVE-2025-42999) via Telegram. The exploit chains an '
                'authentication bypass (CVE-2025-31324, CVSS 10.0) and a '
                'deserialization flaw (CVE-2025-42999, CVSS 9.1) in SAP '
                'NetWeaver Visual Composer, enabling unauthenticated attackers '
                'to achieve complete system compromise and remote code '
                'execution with SAP administrator (adm) privileges. The '
                'exploit is highly sophisticated, dynamically adapting to SAP '
                'NetWeaver versions and leveraging reusable deserialization '
                'gadgets that may extend to other recently patched '
                'vulnerabilities (e.g., CVE-2025-30012, CVE-2025-42980). '
                'Security researchers warn of escalated threats to unpatched '
                'SAP systems, urging immediate application of SAP Security '
                'Notes 3594142 and 3604119, alongside additional patches '
                '(3578900, 3620498, 3610892, 3621771, 3621236). Mitigations '
                'include monitoring for suspicious requests to SAP Visual '
                'Composer components and restricting internet-facing access.',
 'impact': {'brand_reputation_impact': ['Loss of Trust in SAP Security '
                                        '(Potential)',
                                        'Reputational Damage for Affected '
                                        'Organizations'],
            'data_compromised': ['Sensitive Business Data (Potential)',
                                 'Administrative Credentials (Potential)'],
            'operational_impact': ['Complete System Compromise (Potential)',
                                   'Unauthorized Remote Code Execution',
                                   'Bypass of Traditional Security Controls'],
            'systems_affected': ['SAP NetWeaver Visual Composer',
                                 'SAP Administrator (adm) Privileged Systems']},
 'initial_access_broker': {'entry_point': ['SAP NetWeaver Visual Composer '
                                           '(Authentication Bypass via '
                                           'CVE-2025-31324)',
                                           'Deserialization Flaw '
                                           '(CVE-2025-42999) for Payload '
                                           'Delivery'],
                           'high_value_targets': ['SAP Administrator (adm) '
                                                  'Privileges',
                                                  'Sensitive Business Data',
                                                  'Enterprise Resource '
                                                  'Planning (ERP) Systems']},
 'investigation_status': 'Ongoing (Likely)',
 'lessons_learned': ['Criticality of timely patching for enterprise software '
                     'like SAP NetWeaver.',
                     'Risks of public exploit releases by sophisticated threat '
                     'actors.',
                     'Need for proactive monitoring of SAP components for '
                     'suspicious activity.',
                     'Cross-vulnerability compatibility of exploits highlights '
                     'the importance of comprehensive patch management.'],
 'motivation': ['Financial Gain (Potential)',
                'Notoriety',
                'Disruption of Enterprise Systems',
                'Data Theft/Exfiltration (Likely)'],
 'post_incident_analysis': {'corrective_actions': ['Enforce strict patch '
                                                   'management policies for '
                                                   'SAP systems.',
                                                   'Implement zero-trust '
                                                   'architecture for SAP '
                                                   'environments.',
                                                   'Develop and test incident '
                                                   'response plans specific to '
                                                   'SAP exploits.',
                                                   'Collaborate with SAP and '
                                                   'security vendors (e.g., '
                                                   'Onapsis) for threat '
                                                   'intelligence sharing.'],
                            'root_causes': ['Unpatched SAP NetWeaver Visual '
                                            'Composer vulnerabilities '
                                            '(CVE-2025-31324, CVE-2025-42999).',
                                            'Lack of timely patch management '
                                            'for critical enterprise software.',
                                            'Public availability of weaponized '
                                            'exploit code escalating threat '
                                            'landscape.',
                                            'Reusable deserialization gadgets '
                                            'extending beyond original '
                                            'vulnerability scope.']},
 'recommendations': ['Immediately apply SAP Security Notes 3594142 and '
                     '3604119, along with related patches (3578900, 3620498, '
                     '3610892, 3621771, 3621236).',
                     'Implement network segmentation to isolate SAP systems '
                     'from untrusted networks.',
                     'Deploy adaptive behavioral WAF rules to detect and block '
                     'exploit attempts targeting SAP Visual Composer.',
                     'Restrict internet-facing access to SAP applications and '
                     'enforce multi-factor authentication (MFA).',
                     'Conduct regular vulnerability assessments and '
                     'penetration testing for SAP environments.',
                     'Monitor dark web and threat intelligence feeds for signs '
                     'of exploit adoption by other threat actors.',
                     'Educate IT and security teams on the technical details '
                     'of the exploit (e.g., com.sap.sdo.api.* and '
                     'com.sap.sdo.impl.* classes) to improve detection '
                     'capabilities.'],
 'references': [{'source': 'Onapsis Research'},
                {'source': 'VX Underground (Exploit Publication on X)'},
                {'source': 'ShinyHunters (Telegram Channel)'},
                {'source': 'SAP Security Notes 3594142 and 3604119',
                 'url': 'https://me.sap.com/notes'}],
 'response': {'containment_measures': ['Apply SAP Security Notes 3594142 and '
                                       '3604119 immediately',
                                       'Patch related deserialization flaws '
                                       '(Notes 3578900, 3620498, 3610892, '
                                       '3621771, 3621236)',
                                       'Restrict internet-facing SAP '
                                       'application access'],
              'enhanced_monitoring': ['SAP Visual Composer component traffic',
                                      'Unauthorized access attempts'],
              'remediation_measures': ['Monitor for POST, GET, and HEAD '
                                       'requests targeting SAP Visual Composer '
                                       'components',
                                       'Update to latest SAP NetWeaver '
                                       'versions'],
              'third_party_assistance': ['Onapsis (Security '
                                         'Research/Advisory)']},
 'threat_actor': [{'aliases': ['Scattered LAPSUS$ Hunters'],
                   'description': 'Notorious group known for high-profile data '
                                  'breaches and exploit releases. Publicly '
                                  'shared the SAP exploit via Telegram.',
                   'name': 'ShinyHunters',
                   'type': 'Cybercriminal Group'},
                  {'description': 'Published the weaponized exploit code on '
                                  'the social media platform X (formerly '
                                  'Twitter).',
                   'name': 'VX Underground',
                   'type': 'Malware/Exploit Repository'}],
 'title': 'Public Exploit Release for Critical SAP NetWeaver Vulnerabilities '
          'by ShinyHunters',
 'type': ['Vulnerability Exploitation',
          'Unauthenticated Remote Code Execution (RCE)',
          'Authentication Bypass',
          'Deserialization Attack'],
 'vulnerability_exploited': [{'cve_id': 'CVE-2025-31324',
                              'cvss_score': 10.0,
                              'description': 'Allows unauthenticated access to '
                                             'critical system functionality, '
                                             'serving as the initial attack '
                                             'vector.',
                              'severity': 'Critical',
                              'title': 'SAP NetWeaver Visual Composer '
                                       'Authentication Bypass'},
                             {'cve_id': 'CVE-2025-42999',
                              'cvss_score': 9.1,
                              'description': 'Enables payload delivery via '
                                             'unsafe deserialization, leading '
                                             'to arbitrary OS command '
                                             'execution with SAP admin '
                                             'privileges.',
                              'severity': 'Critical',
                              'title': 'SAP NetWeaver Visual Composer '
                                       'Deserialization Vulnerability'},
                             {'cve_id': ['CVE-2025-30012',
                                         'CVE-2025-42980',
                                         'CVE-2025-42966',
                                         'CVE-2025-42963',
                                         'CVE-2025-42964'],
                              'description': 'Potentially compatible with the '
                                             'reusable deserialization gadget '
                                             'in the exploit, indicating '
                                             'broader threat scope.',
                              'title': 'Related SAP Deserialization '
                                       'Vulnerabilities'}]}