In a significant escalation of cyber threats, the hacking group Scattered LAPSUS$ Hunters – ShinyHunters has publicly released a working exploit targeting critical vulnerabilities in SAP NetWeaver Visual Composer. This development poses a severe risk to organizations running unpatched SAP systems, because it enables unauthenticated attackers to execute remote code and achieve complete system takeover.
Understanding the Vulnerabilities
The exploit leverages two critical vulnerabilities:
1. CVE-2025-31324: This vulnerability allows unauthenticated access to SAP NetWeaver’s Visual Composer, enabling attackers to upload malicious files without requiring credentials.
2. CVE-2025-42999: This flaw involves insecure deserialization processes within the same component, allowing attackers to execute arbitrary code on the affected system.
Both vulnerabilities have been assigned high severity scores, with CVE-2025-31324 rated at 10.0 and CVE-2025-42999 at 9.1 on the CVSS scale.
The Exploit’s Mechanism
The exploit combines these vulnerabilities to bypass authentication mechanisms and execute arbitrary operating system commands with SAP administrator privileges. This method effectively circumvents traditional security controls, granting attackers unrestricted access to sensitive business data and processes.
The technical sophistication of the exploit is evident in its use of specific SAP classes from the `com.sap.sdo.api.` and `com.sap.sdo.impl.` packages. Additionally, the payload adapts dynamically to the detected SAP NetWeaver version, indicating a deep understanding of SAP’s architecture.
Public Release and Its Implications
The public dissemination of this exploit by ShinyHunters significantly raises the risk to exposed systems. Security researchers express particular concern over the exploit’s reusable deserialization gadget, whose applicability extends beyond the original two vulnerabilities. This gadget could potentially be applied to other recently patched deserialization vulnerabilities, including CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, and CVE-2025-42964. This cross-vulnerability compatibility suggests that the threat actors possess comprehensive knowledge of SAP’s underlying architecture and serialization mechanisms.
Mitigation Strategies
Organizations are urged to take immediate action to mitigate these threats:
1. Apply Security Patches: Implement SAP Security Notes 3594142 and 3604119 to address the exploited vulnerabilities.
2. Address Related Flaws: Apply additional critical patches, including Security Notes 3578900, 3620498, 3610892, 3621771, and 3621236, to mitigate related deserialization vulnerabilities.
3. Monitor Network Traffic: Implement comprehensive monitoring for POST, GET, and HEAD requests targeting SAP Visual Composer components.
4. Restrict Access: Limit internet-facing access to SAP applications to reduce exposure to potential attacks.
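The monitoring step above (POST, GET, and HEAD requests against Visual Composer components) is easiest to operationalize as a small log-screening routine. The following is an added example, not code from the article or from SAP: it parses constructed web-server access-log lines in combined log format, normalizes the request path (query string stripped, percent-encoding decoded, duplicate slashes collapsed, case folded) so that trivially varied spellings still match, and flags any POST/GET/HEAD request whose path begins with a Visual Composer prefix. The default prefix `/developmentserver/metadatauploader` is an assumption drawn from public guidance for CVE-2025-31324, not from this article; adjust the `prefixes` list to the paths present in your own landscape. All log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed Visual Composer path prefix (from public CVE-2025-31324 guidance, not
# from the article). Extend this tuple with the component paths your system exposes.
VISUAL_COMPOSER_PREFIXES = ("/developmentserver/metadatauploader",)

# Methods the article recommends monitoring for Visual Composer components.
WATCHED_METHODS = ("POST", "GET", "HEAD")

# Constructed sample log lines (not real traffic). The third and fifth lines use
# case and percent-encoding variations to show why the path is normalized.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 128',
    '198.51.100.4 - - [10/Oct/2025:12:00:03 +0000] "HEAD /DEVELOPMENTSERVER/MetadataUploader HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Oct/2025:12:00:04 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Oct/2025:12:00:05 +0000] "GET /developmentserver%2Fmetadatauploader HTTP/1.1" 404 0',
]


def parse_access_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path):
    """Canonicalize a request path so prefix matching is robust to cosmetic variation."""
    path = path.split("?", 1)[0]          # drop the query string
    for _ in range(2):                     # decode single and double percent-encoding
        path = unquote(path)
    path = re.sub(r"/+", "/", path)        # collapse repeated slashes
    return path.lower()


def flag_visual_composer_requests(lines, prefixes=VISUAL_COMPOSER_PREFIXES,
                                  methods=WATCHED_METHODS):
    """Return the parsed records whose method and normalized path warrant review."""
    hits = []
    lowered = tuple(p.lower() for p in prefixes)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"].upper() not in methods:
            continue
        norm = normalize_path(rec["path"])
        if norm.startswith(lowered):
            rec["normalized_path"] = norm
            # A POST answered with 200 means the server accepted the request body;
            # on an unpatched system that is the case to investigate first.
            rec["priority"] = "high" if rec["method"].upper() == "POST" and rec["status"] == 200 else "review"
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per (source IP, method) to spot repeated probing."""
    counts = {}
    for h in hits:
        key = (h["ip"], h["method"].upper())
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_visual_composer_requests(LOG_LINES)
    for h in flagged:
        print(f'{h["priority"]:6} {h["ip"]:14} {h["method"]:4} {h["status"]} {h["normalized_path"]}')
    print(summarize_by_source(flagged))
```

In production the same functions can be pointed at the reverse proxy or SAP ICM access logs instead of the embedded sample; the normalization step matters because a prefix match on the raw path would miss the third and fifth sample lines even though both reach the same component.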
Conclusion
The public release of this exploit underscores the critical importance of maintaining up-to-date security measures and promptly applying patches. Organizations utilizing SAP NetWeaver must act swiftly to protect their systems from potential compromise.