Urgent Security Alert: Weaponized Exploit for SAP Vulnerability CVE-2025-31324
A newly weaponized exploit targeting the critical SAP vulnerability CVE-2025-31324 has been publicly released, raising immediate concerns for organizations running unpatched SAP systems. This exploit, published on August 15, 2025, by VX Underground via X (formerly Twitter), was allegedly distributed by the threat group known as “Scattered LAPSUS$ Hunters – ShinyHunters” through a Telegram channel.
Vulnerability Analysis and Technical Details
CVE-2025-31324 affects SAP NetWeaver Visual Composer and carries the maximum CVSS severity score of 10.0. This vulnerability allows unauthenticated attackers to achieve complete system compromise, making it particularly dangerous for organizations that have not yet applied the necessary patches.
The exploit chains this vulnerability with CVE-2025-42999, a deserialization flaw discovered by Onapsis Research Labs through their Global SAP Threat Intelligence Network. The attack vector operates through a sophisticated two-stage exploitation process: attackers first leverage the missing authentication vulnerability (CVE-2025-31324) to bypass security controls, then exploit the deserialization flaw (CVE-2025-42999) to execute malicious payloads with SAP administrator privileges.
This combination enables remote code execution (RCE) and facilitates “living off the land” techniques, allowing attackers to execute operating system commands without deploying persistent artifacts, thereby evading detection.
Deserialization Gadget Concerns
The published exploit demonstrates threat actors’ deep knowledge of SAP architecture, utilizing specific custom SAP classes, including com.sap.sdo.api. and com.sap.sdo.impl. as fundamental components of the deserialization gadget. The exploit dynamically adjusts payloads based on SAP NetWeaver versions, indicating a sophisticated understanding of version-specific implementation differences.
Security researchers express particular concern regarding the reusability of this deserialization gadget across other SAP components, potentially enabling exploitation of additional vulnerabilities discovered in July 2025.
Summary of Critical SAP Vulnerabilities
The following table summarizes the critical SAP vulnerabilities requiring immediate attention:
| CVE ID | CVSS Score | SAP Security Note | Vulnerability Type | Patch Status |
|---|---|---|---|---|
| CVE-2025-31324 | 10.0 | 3594142 | Authentication Bypass | Patched April 2025 |
| CVE-2025-42999 | 9.1 | 3604119 | Deserialization | Patched May 2025 |
| CVE-2025-30012 | 10.0 | 3578900 | Deserialization | Patched July 2025 |
| CVE-2025-42980 | 9.1 | 3602498 | Deserialization | Patched July 2025 |
| CVE-2025-42966 | 9.1 | 3601892 | Deserialization | Patched July 2025 |
Organizations must immediately apply all available SAP security patches, particularly Security Notes 3594142 and 3604119.
Mitigation Strategies
In addition to patching, organizations should consider implementing additional mitigation strategies, such as:
- Restricting Internet Access: Limit internet access to SAP applications to reduce exposure to potential attacks.
- Comprehensive Monitoring: Implement monitoring for indicators of compromise, including unexpected file uploads and unusual process execution.
The publication of this exploit code typically triggers subsequent attack waves, making immediate patch deployment critical for preventing system compromise, data theft, and business disruption.
Organizations utilizing Onapsis platforms benefit from existing comprehensive coverage, while open-source scanners remain available from Onapsis and Mandiant for vulnerability assessment.
Conclusion
The emergence of the exploit for CVE-2025-31324 serves as a stark reminder of the importance of timely patch management and proactive security measures. Organizations must act swiftly to safeguard their SAP environments from potential threats.
For ongoing updates and insights into cybersecurity, follow us on LinkedIn and X.