
Safe Tuesday with SNOK: Critical SAP exploit in the hands of cybercriminals – how SecurityBridge protects your systems against advanced attacks


When expert knowledge meets a real threat

On 15 August 2025, the SAP cybersecurity world held its breath. A hacking group known as “Scattered LAPSUS$ Hunters – ShinyHunters” published a fully functional exploit for a critical SAP vulnerability, CVE-2025-31324. This was not another theoretical proof-of-concept but a genuine cyber weapon that had already been used in a mass zero-day attack campaign. For organisations using SAP systems, this means one thing: the time for immediate action is now.

In this article we look in detail at the nature of this threat, the mechanics of the attack and, most importantly, the effective protection methods offered by the SecurityBridge platform and the experts at SNOK. As an SAP Gold Partner and the official SecurityBridge representative in Poland, SNOK delivers comprehensive SAP security solutions that protect critical business systems against even the most sophisticated attacks.

Anatomy of the threat: CVE-2025-31324 and CVE-2025-42999

Technical background of the vulnerability

CVE-2025-31324, rated at the maximum criticality level of CVSS 10.0, concerns the SAP NetWeaver Visual Composer component. Combined with CVE-2025-42999 (CVSS 9.1), it forms a devastating attack chain that allows unauthenticated attackers to take full control of SAP systems over the HTTP(S) protocol.

The attack mechanism relies on two key elements:

  • Missing required authentication (CVE-2025-31324): allows an attacker to access critical system functionality without providing any credentials.

  • Deserialisation vulnerability (CVE-2025-42999): enables malicious code execution through the deserialisation of specially crafted Java objects.

Deep knowledge on the part of the attackers

The published exploit reveals a worrying level of familiarity with SAP’s internal architecture on the part of cybercriminals. The code uses specific SAP classes such as com.sap.sdo.api.* and com.sap.sdo.impl.*, and adapts the attack payload depending on the SAP NetWeaver version. A fragment of the exploit code illustrates this complexity:

elif "local class serialVersionUID = -7308740002576184038" in response.text:
    print("[+] Found version 7.5")
    newContent = newContent.replace(b"\xF4\x51\xDC\xAA\x00\xB6\xF0\xCC",
                                   b"\x9A\x92\x23\xB0\xE6\xC2\x4D\x1A")

This level of precision indicates that we are dealing with sophisticated criminal groups that have invested significant resources in analysing and understanding SAP systems.

Scale and consequences of the threat

Mass exploitation campaign

According to data from Onapsis Research Labs, the vulnerability had been actively exploited since March 2025, before SAP issued official patches in April and May. This means that many organisations may have been compromised before they were even aware the threat existed.

Potential business impact

Successful exploitation of this vulnerability can lead to:

  • Complete system compromise: attackers gain SAP administrator privileges (the <sid>adm operating-system user)

  • Theft of sensitive corporate data: access to all data processed within the SAP system

  • Disruption of critical business operations: the ability to modify or delete key data

  • Long-term financial and reputational consequences: regulatory fines, loss of customer trust

  • Installation of backdoors: ensuring persistent access even after the vulnerability has been patched

Wider context – the deserialisation gadget

Particularly concerning is the fact that the published deserialisation gadget can be used against other SAP vulnerabilities discovered and patched in July 2025:

  • CVE-2025-30012 (CVSS 10.0)

  • CVE-2025-42980 (CVSS 9.1)

  • CVE-2025-42966 (CVSS 9.1)

  • CVE-2025-42963 (CVSS 9.1)

  • CVE-2025-42964 (CVSS 9.1)

This significantly widens the attack surface and underlines the need for a comprehensive approach to SAP security.

SecurityBridge – a protective shield for SAP systems

Natively integrated architecture

SecurityBridge is the first and only fully integrated SAP cybersecurity platform that runs 100% embedded within the SAP environment. It requires no additional infrastructure, which significantly simplifies deployment and management.

“At a time when cyberattacks on SAP systems are becoming increasingly sophisticated, it is essential to have a solution that understands the specifics of this platform from the inside,” says Jarosław Kamil Zdanowski, Partner at SNOK responsible for SAP cybersecurity and SAP BASIS. “SecurityBridge not only detects threats in real time but also helps with automatic vulnerability remediation, which is invaluable when every minute counts.”

Key protection components

1. Real-time threat detection

SecurityBridge uses advanced machine-learning algorithms and signature-based detection methods to:

  • Monitor all interactions with SAP Visual Composer components

  • Detect attempts to exploit CVE-2025-31324 and CVE-2025-42999

  • Alert on suspicious POST, GET and HEAD requests

  • Identify known webshells within the SAP environment
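As an added illustration of the request-monitoring described above (example code written for this article, not SecurityBridge's own detection logic), the script below scans constructed reverse-proxy access-log lines for POST, GET and HEAD requests to the Visual Composer metadata uploader and reports, per source address, how many arrived without an authenticated user. The endpoint path is assumed from public advisories for CVE-2025-31324; the log format and all sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined-log-format lines from a reverse proxy in front of the SAP Java stack
# (the regex and sample lines are constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Visual Composer metadata uploader endpoint: assumed from public advisories
# for CVE-2025-31324, not taken from the article.
VC_PATH_PREFIX = "/developmentserver/metadatauploader"
WATCHED_METHODS = {"POST", "GET", "HEAD"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True for a POST/GET/HEAD request aimed at the Visual Composer uploader."""
    return (rec is not None and rec["method"] in WATCHED_METHODS
            and rec["path"].lower().startswith(VC_PATH_PREFIX))

def scan(lines):
    """Per source address: watched requests, how many had no authenticated user
    (the flaw is a missing auth check) and how many were POSTs, i.e. uploads."""
    hits = defaultdict(lambda: {"total": 0, "unauth": 0, "post": 0})
    for line in lines:
        rec = parse_line(line)
        if not is_suspicious(rec):
            continue
        h = hits[rec["ip"]]
        h["total"] += 1
        h["unauth"] += rec["user"] == "-"
        h["post"] += rec["method"] == "POST"
    return dict(hits)

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - jdoe [16/Aug/2025:09:12:01 +0200] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Aug/2025:09:13:44 +0200] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.7 - - [16/Aug/2025:09:13:45 +0200] "POST /developmentserver/metadatauploader HTTP/1.1" 200 231',
    '10.0.0.9 - admin [16/Aug/2025:09:20:10 +0200] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, h in scan(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {h['total']} request(s) to Visual Composer uploader, "
              f"{h['unauth']} unauthenticated, {h['post']} POST")
```

Unparseable lines are skipped rather than raising, so the scan can be run over a whole log file during the "scan for signs of compromise" step; an unauthenticated POST from an external address is the combination worth escalating first.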

2. Vulnerability management

The platform offers:

  • Automated scanning of the SAP landscape: identifying all systems with vulnerable components installed

  • Patch prioritisation: highlighting the most critical updates for immediate deployment

  • Patching process automation: the ability to deploy security fixes automatically

  • Progress tracking: continuous monitoring of the vulnerability-remediation process

3. ABAP code analysis

SecurityBridge performs in-depth analysis of ABAP code for:

  • Security gaps in custom code

  • Misconfigurations

  • Backdoors left by attackers

  • Compliance with security best practices

4. Integration with the security ecosystem

The platform integrates seamlessly with:

  • SIEM systems: Splunk, Microsoft Sentinel, QRadar

  • SOAR tools: automation of incident response

  • GRC platforms: ensuring regulatory compliance

  • Ticketing systems: ServiceNow, Jira for incident management

SNOK – Poland’s SAP security expert

A comprehensive approach to protection

SNOK, as an SAP Gold Partner and the official SecurityBridge representative in Poland, offers a unique combination of:

  • Local expertise: a team of certified SAP specialists with many years of experience

  • Global technology: access to the most advanced SAP security platform available

  • 24/7 support: a Security Operations Center dedicated to SAP systems

“SAP security is not just about technology – above all, it’s about people and processes,” emphasises Jacek Bugajski, CEO of SNOK. “Thanks to our partnership with SecurityBridge, we can deliver a solution to our clients that significantly raises the security level of their SAP systems within 48 hours. In the face of such critical threats as CVE-2025-31324, speed of response can determine whether a company survives.”

Security Operations Center services for SAP

SNOK offers Poland’s first dedicated SOC for SAP systems, providing:

24/7 monitoring

  • Continuous tracking of activity within SAP systems

  • Detection of behavioural anomalies

  • Real-time analysis of security logs

  • Correlation of events across systems

Incident management

  • Immediate response to detected threats

  • Escalation procedures tailored to the organisation

  • Documentation and post-mortem analysis

  • Preventive recommendations

Threat intelligence

  • Access to a global database of SAP threats

  • Proactive notification of new vulnerabilities

  • Analysis of attack trends and patterns

  • Tailored reports for management

Compliance and audit

  • Ensuring compliance with GDPR

  • Support for SOX and ISO 27001 audits

  • Automatic generation of compliance reports

  • Tracking of critical authorisations

Practical protective steps – an action plan

Immediate actions (0–24 hours)

  • Verify patch status

  • Scan for signs of compromise

  • Isolate exposed systems

Short-term actions (1–7 days)

  • Deploy SecurityBridge

  • Conduct a comprehensive audit

  • Update security procedures

Long-term strategy (1–3 months)

  • Implement a full SOC for SAP

  • Establish a continuous-improvement programme

  • Manage risk on an ongoing basis

Technical aspects of protection with SecurityBridge

Real-time detection

SecurityBridge uses a multi-layered approach to threat detection:

Layer 1: Signature analysis
- Known attack patterns
- IP/URL blacklists
- Malware hashes

Layer 2: Behavioural analysis
- Unusual login patterns
- Anomalies in data access
- Suspicious system modifications

Layer 3: Machine learning
- Prediction of new threats
- Adaptive alert thresholds
- Reduction of false positives

Automatic remediation

The platform can respond automatically to detected threats:

  • Blocking attacks

  • Remediating vulnerabilities

  • Documentation and reporting

Integration with SAP BTP

In the age of digital transformation, many organisations are migrating to the SAP Business Technology Platform. SecurityBridge provides:

  • Protection for Cloud Foundry and Neo environments

  • Monitoring of SAP BTP Security Audit Logs

  • Security for integrations and APIs

  • Protection for extension applications

Case study: A successful defence against an attack

Context

A large manufacturing company in Poland, an SNOK client, uses SAP S/4HANA as the core of its IT infrastructure. In March 2025, before the public disclosure of the CVE-2025-31324 vulnerability, SecurityBridge detected suspicious activity.

Detection and response

  • Hour 0: SecurityBridge identified unusual requests to SAP Visual Composer

  • Hour 1: automatic blocking of suspicious sessions

  • Hour 2: the SNOK SOC team began incident analysis

  • Hour 4: confirmation of a zero-day exploitation attempt

  • Hour 8: implementation of temporary mitigating measures

  • Day 2: application of official SAP patches following their release

Outcome

Thanks to SecurityBridge’s proactive protection and the SNOK team’s rapid response:

  • System compromise was avoided

  • Zero financial losses

  • No business downtime

  • Valuable insight into attacker tactics

Return on investment for SAP security with SecurityBridge

Financial savings

Investment in SecurityBridge and SNOK services delivers measurable benefits:

  • Reduced incident costs

  • Optimised resource use

  • Faster processes

Intangible value

  • Peace of mind for management and shareholders

  • Preservation of company reputation

  • Compliance with regulatory requirements

  • Competitive advantage

The future of SAP security

  • Increasing attack complexity

  • Evolution of SAP technology

  • Changing regulations

The response from SecurityBridge and SNOK

“We continually invest in developing our capabilities to stay ahead of cybercriminals,” continues Jarosław Kamil Zdanowski. “SecurityBridge’s recent acquisition of CyberSafe brings advanced MFA and SSO capabilities that further strengthen protection. Our team regularly takes part in training and certification to ensure the highest level of expertise.”

Time to act

The publication of the CVE-2025-31324 exploit by the ShinyHunters group is yet another wake-up call for organisations using SAP systems. The threat is real, technically advanced, and could have catastrophic consequences for unprepared companies.

Key takeaways:

  • Immediate action is essential: check the status of your SAP systems today

  • Traditional protection methods are not enough: SAP requires specialist tools and expertise

  • SecurityBridge offers proven protection: the platform has detected and blocked zero-day attacks

  • SNOK provides local expert support: a Polish team, a global level of service

  • Investment in SAP security pays off: ROI measured in losses avoided

“We cannot afford the luxury of waiting,” concludes Jacek Bugajski. “Every day of delay is additional risk. With SecurityBridge and SNOK’s expertise, Polish companies can effectively defend themselves against the most advanced attacks on SAP systems. We invite you to get in touch – we will help secure your critical business systems.”

Call to Action

Do not wait for your organisation to become the next victim of a cyberattack on SAP. Contact SNOK’s experts today:

  • Free SAP security assessment: check your current level of protection

  • SecurityBridge demo: see the platform in action

  • Consultation with our experts: discuss your specific needs

  • SAP SOC pilot: try our services with no obligation

SAP security starts with awareness. Act before it is too late.

SNOK Solutions – your trusted partner in SAP security. SAP Gold Partner, official SecurityBridge representative in Poland. Protecting your business against cyber threats 24/7.

Contact: office@snok.ai | www.snok.ai

SecurityBridge – The Leading SAP Security Platform. Trusted by 150+ organizations worldwide.

Topics: Safe Tuesday SAP security SecurityBridge SAP S/4HANA SAP BTP
