SAP NetWeaver Under Siege: New Exploit Chains Two Critical Flaws for Devastating Attacks


Introduction

A newly surfaced exploit chains two critical vulnerabilities in SAP NetWeaver Visual Composer to achieve unauthenticated remote code execution and complete takeover of the application server. SAP patched both flaws in April and May 2025, but attackers had already been exploiting them in the wild since at least March. The incident is a reminder that high-value enterprise software such as SAP remains a prime target for ransomware gangs and espionage groups alike.

The Full Story of the Exploit

Cybersecurity firm Onapsis reported that attackers are combining CVE-2025-31324 (CVSS 10.0) and CVE-2025-42999 (CVSS 9.1) into a single working exploit.

CVE-2025-31324: Missing authorization check in the Metadata Uploader of SAP NetWeaver's Visual Composer development server, which lets an unauthenticated attacker upload arbitrary content to the application server.
CVE-2025-42999: Insecure deserialization in the same component, which turns attacker-controlled input into code execution on the server, in the context of the NetWeaver Java process.

SAP fixed CVE-2025-31324 on 24 April 2025 and CVE-2025-42999 on 13 May 2025, but exploitation had been observed since at least March, so both were zero-days while the attacks were already under way.

Threat groups including Qilin, BianLian, and RansomExx have actively leveraged the exploit for ransomware and extortion campaigns. Espionage actors with links to China have also adopted the technique to infiltrate critical infrastructure networks.

The exploit chain works in two stages:

  1. CVE-2025-31324: the Metadata Uploader endpoint accepts requests without any authorization check, so an anonymous attacker can submit arbitrary content to the server (the first attacks seen in the wild used this alone to drop JSP web shells).
  2. CVE-2025-42999: the uploader unsafely deserializes that content, so a crafted serialized Java object yields code execution inside the NetWeaver Java process, with the privileges of the OS account the server runs as (typically the SAP administrative account), and without any file having to be written to disk.

This grants attackers full control over the system, allowing them to:

Deploy web shells for persistent backdoors.

Perform Living-off-the-Land (LotL) attacks by executing OS commands without dropping additional malware.

Access and manipulate SAP business data and processes at will.

Researchers are especially concerned because the deserialization gadget chain used against CVE-2025-42999 also works against other recently patched SAP deserialization flaws, including:

CVE-2025-30012 (CVSS 10.0)

CVE-2025-42963, CVE-2025-42964, CVE-2025-42966 and CVE-2025-42980 (all CVSS 9.1)

Adding to the drama, the exploit was leaked online by a group calling itself Scattered LAPSUS$ Hunters, a self-declared alliance of Scattered Spider, LAPSUS$ and ShinyHunters, all notorious names in the cyber underground.

Onapsis warns that the sophistication of these attackers indicates deep knowledge of SAP applications, and urges all SAP customers to:

Apply the April and May 2025 patches immediately, along with the later fixes for the related deserialization flaws listed above.

Remove direct internet exposure from SAP systems; in particular, the Visual Composer Metadata Uploader endpoint should not be reachable from untrusted networks.

Monitor for signs of exploitation, and assume compromise wherever the component was exposed while unpatched: hunt for unexpected JSP files on the Java instance and for anonymous requests to the uploader endpoint.
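As an added illustration of the monitoring step, and of the first stage of the chain described above, the Python below runs two defensive checks over constructed input. It is example code written for this page, not code from the article, SAP or Onapsis. It assumes the uploader is served at /developmentserver/metadatauploader (the path named in public advisories), that access logs are in a generic combined format, and that dropped web shells appear as .jsp files under the irj servlet_jsp directories; the sample log lines and directory layout are constructed for the example.

```python
"""Defensive checks for the SAP NetWeaver Visual Composer chain
(CVE-2025-31324 upload + CVE-2025-42999 deserialization).

Added example; not code from the article, SAP or Onapsis.  Assumptions:
the uploader path below (as named in public advisories), a generic
combined access-log format, and .jsp web shells under the irj servlet_jsp
directories.  Adjust all three to your own landscape.
"""
import os
import re
import tempfile
import time

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumption, see above

# Subdirectories (relative to the instance's irj servlet_jsp root) where
# dropped JSP web shells have been reported.  Assumption for this example.
SHELL_SUBDIRS = ("root", "work", "work/sync")

# Generic combined log: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def flag_uploader_requests(log_lines):
    """Return one dict per request that reaches the metadata uploader.

    The match ignores query string, trailing slash, letter case and any
    reverse-proxy prefix.  Every hit deserves a look: the endpoint has no
    business being reachable anonymously, and a 200 on a POST from user '-'
    is the signature of an unauthenticated upload.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not silently dropped in real tooling
        path = m.group("path").split("?", 1)[0].rstrip("/").lower()
        if not path.endswith(UPLOADER_PATH):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": status,
            "unauthenticated": m.group("user") == "-",
            "likely_upload": m.group("method") == "POST" and status == 200,
        })
    return hits


def find_recent_jsp(irj_root, max_age_seconds=30 * 86400, now=None):
    """List .jsp files under the known drop directories modified within the
    window.  A fresh JSP there on a production system is a strong web-shell
    indicator; preserve it for incident response before removing anything."""
    now = time.time() if now is None else now
    found = []
    for sub in SHELL_SUBDIRS:
        d = os.path.join(irj_root, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p) and name.lower().endswith(".jsp"):
                if now - os.path.getmtime(p) <= max_age_seconds:
                    found.append(os.path.relpath(p, irj_root).replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:03:14:07 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2025:03:14:09 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 412',
    '10.0.0.7 - admin [01/May/2025:08:00:00 +0000] "HEAD /DevelopmentServer/MetadataUploader/ HTTP/1.1" 403 -',
]


def demo():
    """Run both checks on constructed input; returns (log hits, jsp findings)."""
    hits = flag_uploader_requests(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the irj servlet_jsp root
        os.makedirs(os.path.join(tmp, "root"))
        os.makedirs(os.path.join(tmp, "work", "sync"))
        with open(os.path.join(tmp, "root", "helper.jsp"), "w") as f:
            f.write("<%-- placeholder, not a real shell --%>")
        old = os.path.join(tmp, "work", "sync", "legacy.jsp")
        open(old, "w").close()
        os.utime(old, (0, 0))  # timestamp far outside the window: not reported
        jsps = find_recent_jsp(tmp)
    return hits, jsps


if __name__ == "__main__":
    log_hits, jsp_files = demo()
    for hit in log_hits:
        print("uploader request:", hit)
    print("recent jsp files:", jsp_files)
```

In practice, point flag_uploader_requests at the ICM or Web Dispatcher access logs and run find_recent_jsp on every Java instance; any POST to the uploader from an anonymous client, or any JSP you cannot account for, should be treated as a compromise until proven otherwise, with the files preserved rather than deleted.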

What Undercode Says:

This exploit chain is a wake-up call for enterprises. SAP is not just another piece of software; it is the backbone of financial, operational and logistical processes in major corporations and government institutions. A compromise here does not just mean leaked data; it means full business disruption.

From an attacker's perspective, this exploit is a goldmine. It:

Offers unauthenticated remote access.

Provides persistence with few forensic artifacts through LotL tactics.

Delivers RCE with the privileges of the SAP server process.

The alliance of Scattered Spider, LAPSUS$ and ShinyHunters signals a troubling trend: cybercrime groups are no longer just competing but forming fluid, temporary alliances to maximize damage. This model mirrors ransomware-as-a-service (RaaS) ecosystems but with even more unpredictability.

Ransomware groups like BianLian and RansomExx are already monetizing the exploit, but the involvement of China-linked espionage crews hints at geopolitical motives beyond profit. Attacks against critical infrastructure suggest nation-state backing or influence.

Technically, the biggest concern lies in the reuse potential of the deserialization exploit. If adversaries recycle this technique across multiple SAP flaws, defenders could face an onslaught of copycat attacks in the coming months.

Another analytical angle: SAP environments are often under-patched due to business downtime concerns. That reality gives attackers a bigger window of opportunity, especially when exploits leak publicly. Many organizations prioritize uptime over security, ironically making them prime targets.

The exploit also illustrates a broader cyber trend:

LotL attacks are gaining popularity because they leave fewer forensic traces.

Attackers increasingly target enterprise middleware platforms like SAP and Oracle, which are less closely monitored than endpoints.

The line between cybercrime and cyber-espionage continues to blur, with ransomware groups and state-backed actors using the same tools.

In the long run, the publication of this exploit may lead to:

Automated exploit kits targeting SAP servers.

Wider ransomware adoption, since gangs prefer proven, high-impact exploits.

Supply chain risk, as compromised SAP systems could infect connected third-party ecosystems.

Organizations must treat this not as just another patch cycle but as a strategic cyber defense priority. Proactive monitoring, segmentation of SAP systems, and controlled internet exposure are essential. Failure to act could mean catastrophic business impact.

✅ Fact Checker Results

SAP confirmed both vulnerabilities and issued patches in April–May 2025.

Onapsis verified real-world exploitation since March.

Multiple ransomware and espionage groups are actively weaponizing the exploit.

🔮 Prediction

The leaked exploit will fuel a wave of mass attacks in the coming months, with ransomware gangs automating deployment across exposed SAP servers. Espionage actors will continue refining the technique for stealthier campaigns, while opportunistic criminals will repurpose the deserialization gadget for new exploits. Unless enterprises act quickly, 2025 could see the largest wave of SAP-targeted breaches in history.


References:

Reported By: thehackernews.com