Channel: SCN: Message List - Security

Re: Question: Security Threat OSS Note 2067859

There are several speculations and "advisories" from external services already, but they generally regurgitate terms and send you back to SAP to apply the kernels.


Responsible disclosure is at least 90 days for the admins to implement corrections and in this case it is not externally exploitable yet as it is an internal correction (bar this post and the bandwagon, only real customers were informed).


Only real customers were informed in advance (assuming they have their own processes). Obviously that process does not work for long... :-)


I place my bets on 10 days until someone posts the code to reverse engineer the DSA digest and remove (trap) the encoding / decoding of the SID in the signature.


I allow myself the comment that the origin of the problem was the idea to have an external ITS way back in 6.10 for HR and BP "portals". Can anyone confirm that?


I don't judge it because mistakes can always be made, but there are still many ITS out there. Many are not even used, but they are there.


Cheers,

Julius

