Particle.news

Public Exploit Chains SAP NetWeaver Flaws, Leaving Unpatched Systems Exposed to RCE

CISA’s KEV listing signals elevated risk from reusable deserialization code highlighted by researchers.

Overview

  • Onapsis verified that the publicly released tool chains CVE-2025-31324 with CVE-2025-42999 to bypass authentication and execute system commands with SAP administrator privileges.
  • Vx-Underground reported the release by “Scattered Lapsus$ Hunters,” a fluid alliance tying Scattered Spider to ShinyHunters, after the code surfaced on Telegram.
  • Researchers said the published deserialization gadget could be repurposed against additional SAP bugs patched in July, widening possible attack vectors.
  • Shadowserver observed more than 50 internet-facing NetWeaver servers still vulnerable to CVE-2025-31324 as of August 18, underscoring ongoing exposure.
  • SAP addressed the two flaws in April and May, and defenders are urged to apply Security Notes 3594142 and 3604119, restrict the /developmentserver/metadatauploader endpoint, and hunt for web shells or living-off-the-land activity.
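One concrete way to act on the last point is to sweep web-tier access logs for requests to the /developmentserver/metadatauploader endpoint named above. The following script is an added example written for this page; it is not code from the article, from Onapsis, or from SAP. It assumes the logs are in Apache/nginx Combined Log Format (for instance from a reverse proxy in front of NetWeaver), and the four log lines it scans are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Combined Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Aug/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Aug/2025:10:02:15 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Aug/2025:10:03:44 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 128 "-" "python-requests/2.31"
192.0.2.5 - - [18/Aug/2025:10:05:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# The endpoint the advisory coverage says to restrict.
WATCHED_PATH = "/developmentserver/metadatauploader"

# Minimal Combined Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/path?x=y" is still compared against the bare path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_metadatauploader_hits(log_text):
    """Return every request to the watched endpoint, tagged with a triage severity."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower().rstrip("/") == WATCHED_PATH:
            # A POST that the server accepted (status < 400) is the highest-concern
            # event, because it means an upload reached the endpoint. Rejected
            # requests and plain GETs are still worth a look, so they are kept
            # at a lower severity rather than dropped.
            accepted_post = rec["method"] == "POST" and rec["status"] < 400
            rec["severity"] = "high" if accepted_post else "medium"
            hits.append(rec)
    return hits


def hits_by_source(hits):
    """Count hits per client IP so the noisiest sources can be triaged first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_metadatauploader_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["severity"]:6} {h["ip"]:14} {h["method"]:5} {h["status"]} {h["ts"]}')
    print("per-source counts:", dict(hits_by_source(found)))
```

Run it against real logs by reading the file into `find_metadatauploader_hits` instead of `SAMPLE_LOG`. Any accepted POST to the endpoint from an unexpected source is a cue to pull the corresponding application-server logs and check the filesystem for newly written web shells, as the summary recommends; if the endpoint has already been restricted, the same sweep confirms that the restriction is actually in effect.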