Saturday, January 17, 2026

ShinyHunters Hackers Allegedly Release New Exploit for SAP 0-Day Vulnerabilities

Cybersecurity researchers and organizations worldwide were alerted to the public release of a weaponized exploit targeting critical SAP vulnerabilities, marking a significant escalation in threats against enterprise SAP environments.

The exploit, which chains two vulnerabilities in SAP NetWeaver Visual Composer that were previously exploited as zero-days, represents a sophisticated attack chain that could enable widespread compromise of unpatched systems across global organizations.

VX Underground, a prominent cybersecurity research group, published the working exploit on social media platform X, citing its alleged origin from the notorious cybercriminal group “Scattered LAPSUS$ Hunters – ShinyHunters” through a Telegram distribution channel.

This represents a concerning trend where sophisticated exploits transition from private threat actor arsenals to public availability, significantly lowering the barrier for widespread exploitation attempts.

The timing of this release is particularly notable, as it follows the active exploitation of these vulnerabilities as zero-days by multiple sophisticated threat actor groups earlier in 2025.

Security researchers have observed that public disclosure of working exploits typically triggers secondary waves of opportunistic attacks, as less sophisticated threat actors gain access to previously exclusive attack methodologies.

SAP 0-Day Vulnerabilities

The involvement of ShinyHunters, a group with a documented history of high-profile data breaches and ransomware operations, underscores the serious nature of this threat.

The exploit targets two interconnected vulnerabilities: CVE-2025-31324 and CVE-2025-42999, both affecting SAP NetWeaver Visual Composer, with CVSS scores of 10.0 (the maximum) and 9.1 respectively.

The attack demonstrates sophisticated understanding of SAP architecture through several key characteristics:

  • Custom SAP Class Exploitation: Utilizes specific SAP classes such as com.sap.sdo.api.* and com.sap.sdo.impl.* as fundamental components of the deserialization gadget.
  • Version-Aware Payload Delivery: Dynamically adjusts payload parameters based on detected SAP NetWeaver versions, indicating deep technical knowledge of SAP internals.
  • Two-Stage Attack Methodology: First leverages the authentication bypass vulnerability (CVE-2025-31324) to reach critical system functionality, then exploits the deserialization vulnerability (CVE-2025-42999) to execute arbitrary code.
  • Privilege Escalation: Enables complete system compromise with SAP administrator privileges without deploying traditional malware artifacts.

Particularly concerning is the exploit’s potential for broader application. Security researchers note that this deserialization gadget could be repurposed for other SAP vulnerabilities, creating implications beyond these specific CVEs and potentially opening new attack vectors across different SAP application components.

Mitigations

SAP had already addressed these vulnerabilities through Security Notes 3594142 and 3604119 in April and May 2025, respectively.

However, the public availability of working exploits necessitates immediate verification of patch deployment across enterprise SAP landscapes.

Organizations must prioritize applying these critical security updates while implementing comprehensive monitoring for exploitation attempts.

Security vendor Onapsis has released comprehensive detection and mitigation tools, including open-source scanners developed in collaboration with Mandiant for identifying vulnerable systems and indicators of compromise.

Enterprise security teams should immediately conduct landscape-wide vulnerability assessments and implement network-level monitoring for suspicious activities targeting SAP Visual Composer components.
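The monitoring recommendation above can be turned into a concrete first-pass triage of web-tier access logs. The script below is an added example and is not code from the article, from SAP, or from Onapsis/Mandiant; the log lines are constructed, the watched endpoint prefix is a placeholder that must be replaced with the Visual Composer endpoints named in the SAP Security Notes and vendor advisories, and the "trusted admin network" range is an assumption for tagging purposes only. It flags every POST to the watched component paths, rates a 2xx response as high severity (the request was accepted rather than rejected), and tallies hits per source so repeated attempts stand out.

```python
import ipaddress
import re
from collections import Counter

# Placeholder: replace with the Visual Composer endpoint prefixes from the
# SAP Security Notes (3594142 / 3604119) and vendor detection guidance.
WATCHED_PATH_PREFIXES = ("/PLACEHOLDER-vc-endpoint/",)

# Assumption: internal administration range, used only to tag alerts, never to suppress them.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:10:01:02 +0000] "POST /PLACEHOLDER-vc-endpoint/upload HTTP/1.1" 200 512
203.0.113.7 - - [17/Jan/2026:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 8812
10.1.2.3 - - [17/Jan/2026:10:05:30 +0000] "POST /PLACEHOLDER-vc-endpoint/upload HTTP/1.1" 200 440
198.51.100.9 - - [17/Jan/2026:10:07:11 +0000] "POST /PLACEHOLDER-vc-endpoint/upload HTTP/1.1" 403 0
198.51.100.9 - - [17/Jan/2026:10:07:12 +0000] "POST /PLACEHOLDER-vc-endpoint/upload HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_watched(path):
    """True when the request path (query string included) targets a watched component."""
    return any(path.startswith(prefix) for prefix in WATCHED_PATH_PREFIXES)


def triage(log_text):
    """Return one alert per POST to a watched path, with severity and source tagging."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not is_watched(rec["path"]):
            continue
        src = ipaddress.ip_address(rec["ip"])
        internal = any(src in net for net in TRUSTED_ADMIN_NETS)
        # An accepted upload (2xx) is the case that needs immediate follow-up;
        # rejected attempts still show who is probing the component.
        severity = "high" if 200 <= rec["status"] < 300 else "medium"
        alerts.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "internal_source": internal,
            "severity": severity,
        })
    return alerts


def hits_per_source(alerts):
    """Count alerts per source address so repeated attempts are visible at a glance."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']:6}] {a['timestamp']} {a['ip']} "
              f"{'internal' if a['internal_source'] else 'external'} "
              f"POST {a['path']} -> {a['status']}")
    print("hits per source:", dict(hits_per_source(found)))
```

Feed it the access log of the web tier in front of the SAP Java stack (reverse proxy or the application server's own HTTP log), and review every high-severity hit against the change records for that system: a legitimate Visual Composer deployment will have an owner and a change window, an accepted POST from an unknown source will not.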

The incident highlights the critical importance of maintaining current patch levels for business-critical SAP systems and the persistent threat posed by sophisticated cybercriminal organizations with advanced SAP exploitation capabilities.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
