On August 15, 2025, the cybersecurity landscape shifted as threat group ShinyHunters publicly released a weaponized exploit targeting critical SAP NetWeaver vulnerabilities through malware repository VX Underground. The exploit chains two vulnerabilities, CVE-2025-31324 and CVE-2025-42999, to achieve unauthenticated remote code execution on SAP systems, which form the backbone of financial operations for thousands of enterprises worldwide, including many handling cryptocurrency and digital asset transactions.
The Threat Landscape
The released exploit specifically targets SAP NetWeaver Visual Composer, exploiting a missing authentication flaw tracked as CVE-2025-31324, which carries a maximum CVSS severity score of 10.0. This vulnerability allows an unauthenticated attacker to upload arbitrary files to the SAP server. When chained with CVE-2025-42999, a deserialization vulnerability discovered by Onapsis Research Labs, attackers can execute operating system commands with SAP administrator privileges without deploying any files on the target system.
The ShinyHunters group, which operates through a Telegram channel branded as “Scattered LAPSUS$ Hunters,” has demonstrated deep knowledge of SAP application architecture. Security researchers note that the exploit uses custom SAP classes such as com.sap.sdo.api.* as key building blocks and adjusts payloads based on the specific SAP NetWeaver version running on the target system.
Core Principles
Enterprise security in the cryptocurrency era requires defense in depth. SAP systems processing blockchain transactions, managing digital asset custody, or integrating with cryptocurrency exchanges represent high-value targets. The core principle is that perimeter security alone is insufficient when critical vulnerabilities exist in application layers.
Both CVE-2025-31324 and CVE-2025-42999 were already patched by SAP in April and May 2025 through Security Notes 3594142 and 3604119 respectively. However, the public release of a weaponized exploit dramatically lowers the barrier to entry for less sophisticated threat actors, meaning unpatched systems face imminent risk. Organizations running crypto-adjacent SAP implementations should prioritize applying these patches immediately.
Tooling and Setup
Onapsis and Mandiant have released open-source scanners on GitHub that allow organizations to assess their SAP environments for indicators of compromise related to these vulnerabilities. Running these scanners should be the first step in any response protocol. The scanner checks for known IOCs including web shell artifacts, unauthorized file uploads, and suspicious deserialization patterns.
Additional security measures include implementing network segmentation to restrict access to SAP NetWeaver Visual Composer endpoints, deploying web application firewalls with rules tuned to detect exploitation attempts, and enabling comprehensive logging on all SAP-facing systems. For cryptocurrency businesses, this means ensuring that SAP systems handling financial reporting or compliance data are isolated from internet-facing components.
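The following Python example is added here to show what comprehensive logging makes possible for two of the IOC categories named above, unauthorized file uploads and web shell artifacts; it is not code from the Onapsis or Mandiant scanners. The log format, the placeholder endpoint path, the 30-minute window and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Placeholder, not a real path: substitute the Visual Composer endpoint
# path used in your own landscape.
WATCHED_PREFIX = "/VISUAL-COMPOSER-UPLOAD-PLACEHOLDER"
WINDOW = timedelta(minutes=30)  # assumed correlation window

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - jdoe [15/Aug/2025:09:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.5 - jdoe [15/Aug/2025:09:00:04 +0000] "GET /irj/help.jsp HTTP/1.1" 200 900
203.0.113.7 - - [15/Aug/2025:09:10:00 +0000] "POST /VISUAL-COMPOSER-UPLOAD-PLACEHOLDER?x=1 HTTP/1.1" 200 12
203.0.113.7 - - [15/Aug/2025:09:10:09 +0000] "GET /irj/sample_new.jsp HTTP/1.1" 200 48
10.0.0.9 - asmith [15/Aug/2025:09:20:00 +0000] "POST /VISUAL-COMPOSER-UPLOAD-PLACEHOLDER HTTP/1.1" 200 12
203.0.113.7 - - [15/Aug/2025:09:30:00 +0000] "POST /VISUAL-COMPOSER-UPLOAD-PLACEHOLDER HTTP/1.1" 401 0
10.0.0.5 - jdoe [15/Aug/2025:11:00:00 +0000] "GET /irj/late.jsp HTTP/1.1" 200 900
"""

def scan(log_text):
    """Return (kind, timestamp, client_ip, path) findings in log order."""
    findings, seen_jsp, last_upload = [], set(), None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        ok = m["status"].startswith("2")
        # Signal 1: upload endpoint accepted a request with no authenticated user.
        if m["method"] == "POST" and path.startswith(WATCHED_PREFIX) and m["user"] == "-" and ok:
            findings.append(("unauthenticated_upload", ts, m["ip"], path))
            last_upload = ts
        # Signal 2: a .jsp never served before appears soon after such an upload.
        # Covers only the file-drop case, not the chain that deploys no files.
        elif path.lower().endswith(".jsp") and ok:
            if path not in seen_jsp and last_upload and ts - last_upload <= WINDOW:
                findings.append(("new_jsp_after_upload", ts, m["ip"], path))
            seen_jsp.add(path)
    return findings

if __name__ == "__main__":
    for kind, ts, ip, path in scan(SAMPLE_LOG):
        print(ts.isoformat(), kind, ip, path)
```

Authenticated uploads, rejected (401) requests and JSP pages already served before the upload are deliberately not flagged, which keeps the output limited to events worth triaging.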
Ongoing Vigilance
The publication of this exploit also raises concerns about related deserialization vulnerabilities patched by SAP in July 2025, including CVE-2025-30012, CVE-2025-42980, CVE-2025-42966, CVE-2025-42963, and CVE-2025-42964. The deserialization gadget published in the ShinyHunters exploit can potentially be reused against these vulnerabilities, creating a broader attack surface than initially anticipated.
Organizations should establish a continuous vulnerability management program for SAP systems, subscribe to SAP Security Note notifications, and maintain an asset inventory that maps all SAP components exposed to external networks. With Bitcoin trading above $117,000 and the crypto industry managing trillions in assets, the financial motivation for attacking enterprise systems connected to digital asset flows has never been higher.
Final Takeaway
The ShinyHunters SAP exploit release represents a watershed moment in enterprise security. The combination of publicly available weaponized code and the financial incentives presented by the cryptocurrency ecosystem means that unpatched SAP systems are no longer just a compliance risk but an active target. Apply patches, run scanners, segment networks, and monitor continuously. The tools are available; the urgency is real.
Disclaimer: This article is for informational purposes only and does not constitute security advice. Consult with qualified cybersecurity professionals for specific guidance on your organization’s security posture.
Bridge security is still the weakest link in the ecosystem
Katya Ivanova, bridge security is weak, but enterprise ERP systems are weaker. SAP runs 77% of global business transactions. A zero-day there makes every bridge hack look like a parking ticket.
The amount of DeFi exploits is still way too high
A CVSS 10.0 vulnerability on SAP NetWeaver. That is the maximum severity score. This isn't a theoretical risk, it's a loaded gun aimed at enterprise financial systems.
cvss_10_, and both CVEs were already patched in April and May. The exploit publication is dangerous because patching cycles in enterprise SAP run 6-12 months.
Multi-sig wallets should be the default for everyone in crypto
The cost of a security breach always exceeds the cost of prevention
CVSS 10.0 with missing authentication on NetWeaver Visual Composer. SAP systems running critical financial ops for Fortune 500 companies, and nobody patched this for months.
ShinyHunters publishing on VX Underground instead of selling to brokers means the exploit was already burned. Zero-day value drops to zero once it's public.