New Exploit for Critical SAP Vulnerability CVE-2025-31324 Released in the Wild

TL;DR:

  • An exploit targeting CVE-2025-31324 and CVE-2025-42999 was published on August 15, 2025 by VX Underground.
  • This exploit was allegedly released by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group.
  • All of these vulnerabilities were already promptly patched by SAP in April and May; it is critical that organizations are up-to-date with patching their SAP systems to prevent future exploitation attempts.
  • The exploit could be reused in other contexts where deserialization vulnerabilities in SAP components exist.
  • Onapsis customers have existing, comprehensive in-product coverage for these vulnerabilities.
  • Open-source scanners are available from Onapsis and Mandiant to analyze SAP environments and identify known indicators of compromise for CVE-2025-31324 and CVE-2025-42999.

Today on X (formerly Twitter), VX Underground published [1] a working and weaponized exploit for the critical SAP vulnerability, CVE-2025-31324. This exploit was allegedly released by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group. This vulnerability has been recently exploited as a zero-day by multiple sophisticated threat actor groups and later patched by SAP in Security Note 3594142 for CVE-2025-31324 and Security Note 3604119 for CVE-2025-42999.

It is typical for further waves of attacks to follow when exploit code is published publicly, and SAP customers should be highly vigilant and ensure both their security practices and patches are up-to-date.

The Initial Threat: CVE-2025-31324

The initial threat, tracked as CVE-2025-31324 and exploited in combination with CVE-2025-42999, consists of two critical flaws in SAP NetWeaver Visual Composer with a CVSS score of 10.0, the highest possible severity rating. These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP system, including the upload of arbitrary files. This can lead to remote code execution (RCE) and a complete takeover of the affected system and of SAP business data and processes. The vulnerability has been actively exploited in the wild, making it a clear and present danger to organizations with unpatched SAP systems. Onapsis has been publishing all information related to these critical vulnerabilities since April 2025, including open-source scanners and indicators of compromise, through our blog CVE-2025-31324 SAP Zero-Day Vulnerability | Full Threat Brief.

The Deserialization Gadget

The newly disclosed exploit, highlighted by the cybersecurity community, is not just a simple proof-of-concept for the file upload vulnerability. It cleverly chains CVE-2025-31324 with a deserialization vulnerability now identified as CVE-2025-42999, which was reported to SAP by the Onapsis Research Labs after being detected as actively exploited through our Global SAP Threat Intelligence Network.

This exploit further confirms these vulnerabilities can be used to not only deploy webshells, but also “live off the land” by directly executing operating system commands without the need to deploy any artifacts on the target system. These commands are executed with SAP administrator privileges (adm), resulting in full access to SAP data and system resources.

In essence, the attackers first use the missing authentication vulnerability (CVE-2025-31324) to reach the critical functionality without authentication and get their malicious payload onto the server. Then, they exploit the deserialization flaw (CVE-2025-42999) to deserialize the malicious payload and execute that code with the privileges of the SAP system. This one-two punch allows for a devastating attack that can be initiated by an unauthenticated attacker.

The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July, which were discovered and reported by Onapsis (July 2025 SAP Patch Day: Record Patches & Critical Deserialization Vulnerabilities):

  • SAP Security Note 3578900 for CVE-2025-30012 (CVSS 10)
  • SAP Security Note 3620498 for CVE-2025-42980 (CVSS 9.1)
  • SAP Security Note 3610892 for CVE-2025-42966 (CVSS 9.1)
  • SAP Security Note 3621771 for CVE-2025-42963 (CVSS 9.1)
  • SAP Security Note 3621236 for CVE-2025-42964 (CVSS 9.1)

This potentially opens up new attack vectors in other areas of SAP applications. It’s a powerful tool in an attacker’s arsenal, and its publication in the wild is a significant event. Organizations should ensure these SAP vulnerabilities have also been promptly patched in their environments.

Deep Knowledge of SAP

This recently released exploit proves threat actors have a deep knowledge of SAP applications, evidenced by the use of specific custom SAP classes as key building blocks of the gadget, such as com.sap.sdo.api.* and com.sap.sdo.impl.*, and by the adjustment of the payload based on the SAP NetWeaver version:

    elif "local class serialVersionUID = -7308740002576184038" in response.text:
        print("[+] Found version 7.5")
        newContent = newContent.replace(b"\xF4\x51\xDC\xAA\x00\xB6\xF0\xCC",
                                        b"\x9A\x92\x23\xB0\xE6\xC2\x4D\x1A")

What You Need to Do Today

IMPORTANT NOTE: This is not a new SAP vulnerability but rather a new (and public) exploit for a known issue. If you have already evaluated this issue (reviewing indicators of compromise) and applied SAP Security Note 3594142 and Security Note 3604119, you are not vulnerable to attacks with this new exploit. In that case, no immediate action is required, but we strongly recommend reviewing the steps below as well as the other related vulnerabilities and security notes.

The prior active exploitation by the original sophisticated threat actors, combined with the now publicly available exploit and deserialization gadget, makes it imperative for vulnerable organizations to take immediate action. The potential consequences of a successful exploitation are severe and can include:

  • Complete system compromise
  • Theft of sensitive corporate and customer data
  • Disruption of critical business operations
  • Financial, reputational and regulatory impact

To mitigate this threat, organizations should:

  1. Apply the latest security patches from SAP. Specifically, address the vulnerabilities covered in the following SAP Security Notes:
    a. 3594142 (for CVE-2025-31324) (CVSS 10)
    b. 3604119 (for CVE-2025-42999) (CVSS 9.1)
    c. 3578900 (for CVE-2025-30012) (CVSS 10)
    d. 3620498 (for CVE-2025-42980) (CVSS 9.1)
    e. 3610892 (for CVE-2025-42966) (CVSS 9.1)
    f. 3621771 (for CVE-2025-42963) (CVSS 9.1)
    g. 3621236 (for CVE-2025-42964) (CVSS 9.1)
  2. Review and restrict access to SAP applications, especially from the Internet.
  3. Monitor SAP applications for any signs of compromise, such as unexpected file uploads or unusual processes.
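Step 3 can start with a plain access-log review. The following Python script is an added example (not Onapsis or SAP code) that scans constructed, CLF-style web-server log lines for the two patterns described in this post: POST, GET and HEAD requests to the Visual Composer metadata uploader, and successful requests to JSP files that may be dropped webshells. The uploader path and the log layout are assumptions; adapt both to your own landscape and ICM/HTTP log format.

```python
import re
from collections import Counter

# Assumption: servlet path of the Visual Composer metadata uploader targeted by
# CVE-2025-31324. Confirm against your own landscape before relying on it.
VC_UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: Apache/CLF-style access log. Adjust the regex if you export from
# SAP ICM's own HTTP log format instead.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not captured from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2025:09:14:02 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [16/Aug/2025:09:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 231
203.0.113.7 - - [16/Aug/2025:09:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 418
198.51.100.20 - - [16/Aug/2025:09:15:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.20 - - [16/Aug/2025:09:15:12 +0000] "GET /sap/bc/ping HTTP/1.1" 401 0
"""

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label one parsed entry; None means nothing to review."""
    path = entry["path"].split("?", 1)[0].lower()
    # Any of these methods reaching the uploader is alert-worthy on a
    # still-vulnerable system (unauthenticated access, see CVE-2025-31324).
    if path.startswith(VC_UPLOADER_PATH) and entry["method"] in ("POST", "GET", "HEAD"):
        return "vc-uploader-access"
    # A served JSP under a web path is a review prompt for a dropped webshell.
    if path.endswith(".jsp") and entry["status"] == "200":
        return "jsp-access"
    return None

def scan(log_text):
    """Return (label, source IP, method, path) tuples for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and (label := classify(entry)):
            findings.append((label, entry["src"], entry["method"], entry["path"]))
    return findings

def summarize(findings):
    """Count findings per source IP so repeat offenders surface first."""
    return dict(Counter(src for _, src, _, _ in findings))
```

Running `scan(SAMPLE_LOG)` flags the three requests from 203.0.113.7 and leaves the ordinary portal traffic alone.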

The disclosure of this new exploit is a stark reminder of the constantly evolving threat landscape. It highlights the importance of a proactive and vigilant security posture, especially around business-critical applications such as SAP.

Onapsis Product Coverage

Onapsis has published comprehensive support in Assess and Defend for all of the vulnerabilities noted above. For the original vulnerability (CVE-2025-31324) exploited in the attack campaign and patched on April 24, 2025, the Onapsis Platform was updated within hours of the attack being reported. This support included the ability to identify vulnerable systems, the ability to monitor for attempts to abuse a still-vulnerable system, and a Threat Intel Center article providing a central location for all information and data related to this evolving threat. The Onapsis product support for the original attacks and security notes also covers the newly released exploit discussed in this blog.

Onapsis customers can run assessment scans against their entire landscape to identify systems with the vulnerable components installed and unpatched, including those where no SAP workaround has been applied by your teams. Ongoing automatic scanning can track your progress addressing the vulnerable systems and removing the risk of compromise in your environment. Additional Assess modules check Java systems for IoCs related to the vulnerabilities.

Onapsis Defend customers can automatically monitor interactions with the vulnerable component and alert if POST, GET, and HEAD requests are made to a vulnerable SAP Visual Composer component. An additional Defend rule can alert on access to known webshells in your SAP environment.

Onapsis, in collaboration with Mandiant, has also published open-source scanners for CVE-2025-31324 and CVE-2025-42999. You can find more information and download the scanners from the Onapsis GitHub page.

For complete details on our full product coverage as well as a deeper dive into the attack campaign targeting CVE-2025-31324 and CVE-2025-42999, please review our prior blogpost.

Staying Informed About SAP Zero-Days & Recent CVEs

The SAP Zero-Day Wake-Up Call: What CISOs and CIOs Need to Know
Date: September 10 – 10:00 AM ET.

If you are interested in learning more about what this slew of zero-days and CVEs truly means for organizations, join a panel discussion with security executives from Mandiant (Charles Carmakal, CTO), EclecticIQ (Cody Barrow, CEO), NightDragon (Dave DeWalt, CEO) and Onapsis (Mariano Nunez, CEO) hosted on September 10.


[1] https://x.com/vxunderground/status/1956341407011983538