Unveiled Exploit Targeting SAP Security Loophole CVE-2025-31324 - Hackers Actively Leveraging the Flaw for Attacks
In a significant cybersecurity development, a publicly released exploit for the critical Java deserialization vulnerability CVE-2025-31324 in SAP systems has led to a surge in attacks since its publication on August 15, 2025.
The exploit, initially published by the hacker group "Scattered LAPSUS$ Hunters – ShinyHunters" in a Telegram group, allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on a vulnerable server. The script, later picked up and further distributed by VX Underground, works by sending a specially crafted ZIP file to a specific server endpoint.
Analysis identified approximately 60 unique IP addresses, all TOR exit nodes, as involved in these attacks. Notably, half of these IPs belonged to networks that CrowdSec Intelligence had already flagged as malicious.
Four distinct groups of attackers were identified, each with a unique method of exploiting CVE-2025-31324. These groups, labelled as Clusters 1, 2, 3, and 4, displayed varying levels of sophistication and intent in their attacks.
Cluster 1 used 40 unique IP addresses to interact with SAP applications, consistently executing a specific sequence of commands to download the SAP Secure Store, which demonstrates a deep understanding of SAP system architecture. Cluster 2, by contrast, used 7 unique IP addresses and displayed the most advanced and dangerous capabilities among the observed groups: it repeatedly downloaded and executed the malware "Sakura", an advanced remote management tool published earlier this year as an evasion tool for modern EDRs, and showed a clear intent to establish long-term persistence.
Cluster 3 used 26 unique IP addresses, uploading multiple web shells and performing a series of checks to confirm that the files had been successfully provisioned, which indicates a strategy of establishing long-term persistence or facilitating access for other threat groups.
Cluster 4 used 5 unique IP addresses and conducted extensive reconnaissance: searching SAP paths for cloud credentials and plaintext credentials, checking certain SAP profile values, and searching various configuration files for keywords.
Nearly 15 unique IP addresses that were not TOR exit nodes were observed exploiting CVE-2025-31324, connecting to the provisioned web shells, or providing command and control for file downloads or reverse shells. A more comprehensive list of executed commands can be found in "Appendix II: Executed Commands".
The pattern of exploitation, the files provisioned, how they were used, and the similarity of the attackers' actions led to the identification of at least four distinct groups. The exploit has two main operating modes: executing a single command on the target server, or uploading a persistent web shell for sustained access.
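As an added defender-side example (not code from the original report, from SAP, or from the exploit's authors), the following Python sketch correlates a ZIP POST to the vulnerable upload endpoint with a follow-up fetch of a freshly dropped .jsp by the same client, so that the two operating modes described above show up as separate findings. The endpoint path, the log line format and the sample traffic are all constructed assumptions; the .jsp provisioning check mirrors the behaviour attributed to Cluster 3.

```python
import re
from datetime import datetime, timedelta

# Assumption: path of the unauthenticated upload endpoint the exploit posts to
# (placeholder; use the path from the SAP security note for CVE-2025-31324).
UPLOAD_ENDPOINT = "/PLACEHOLDER_UPLOAD_ENDPOINT"
ZIP_TYPES = ("application/zip", "application/octet-stream", "multipart/form-data")
# Constructed log format for this example (not a real SAP or web-server format):
#   <client_ip> <ISO-8601 time> <method> <path> <status> <request content-type or ->
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the expected format
    ip, ts, method, path, status, ctype = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status), "ctype": ctype.lower()}

def detect(lines, window=timedelta(minutes=15)):
    """One finding per ZIP POST to the upload endpoint; 'webshell' if the same client
    then fetches a .jsp (HTTP 200) within `window`, else 'single_command'."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(events):
        is_zip = any(e["ctype"].startswith(t) for t in ZIP_TYPES)
        if not (e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and is_zip):
            continue
        finding = {"ip": e["ip"], "upload_at": e["ts"].isoformat(),
                   "mode": "single_command", "shell_path": None}
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break  # events are time-sorted; nothing further can match
            shell = later["path"].split("?")[0]
            if (later["ip"] == e["ip"] and later["method"] == "GET"
                    and shell.lower().endswith(".jsp") and later["status"] == 200):
                finding.update(mode="webshell", shell_path=shell)
                break
        findings.append(finding)
    return findings

# Constructed sample traffic (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_LOG = [
    "198.51.100.7 2025-08-16T09:00:00 GET /irj/portal 200 -",
    f"203.0.113.5 2025-08-16T09:01:10 POST {UPLOAD_ENDPOINT} 200 application/zip",
    "203.0.113.5 2025-08-16T09:01:42 GET /irj/portal/cache.jsp 200 -",
    f"192.0.2.9 2025-08-16T09:05:00 POST {UPLOAD_ENDPOINT} 200 multipart/form-data;boundary=x",
    "198.51.100.7 2025-08-16T09:06:00 GET /irj/portal/help.jsp 200 -",
]
```

Running `detect(SAMPLE_LOG)` yields one "webshell" finding for 203.0.113.5 (shell path /irj/portal/cache.jsp) and one "single_command" finding for 192.0.2.9; the unrelated .jsp request from 198.51.100.7 is not flagged because it has no preceding upload from that client.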
The exploit has made it easier for less experienced attackers to gain access to SAP systems; previously, exploiting CVE-2025-31324 required considerable technical skill. Since August 15, 2025, successful exploitations of the critical SAP vulnerability CVE-2025-31324 have increased. It is crucial that organisations apply the available patches and implement robust security measures to protect their SAP systems from these attacks.