SAP Under Attack — Cybersecurity Trends You Can’t Ignore in 2025

Stay tuned and don't panic. There's a way to enjoy the benefits of SAP without being attacked.

Kevin

5/24/2025 · 2 min read

The Growing Threat Landscape for SAP Systems

SAP systems have become prime targets for cybercriminals. With over 400,000 businesses worldwide relying on SAP to run financials, HR, procurement, and supply chain operations, the incentive to exploit these systems is only growing.

A 2024 report by Onapsis & IDC found that:

  • 64% of organizations experienced at least one security incident involving their SAP landscape in the last 24 months.

  • Only 12% of SAP systems analyzed had full visibility into their attack surface.

  • The average time to patch a critical SAP vulnerability was 39 days—giving attackers a wide window.

  • 71% of incidents involved privilege misuse or configuration gaps.

A Shift in Tactics: From Edge to Core

Attackers are no longer just targeting the perimeter. They're moving laterally and exploiting logic, processes, and configuration flaws within SAP environments.

Here are the top SAP-specific cyberattack trends you need to watch in 2025:

1. 🔓 Exploitation of Misconfigurations

Many SAP breaches start with basic but critical oversights:

  • Default credentials still active

  • Publicly exposed SAP NetWeaver or Gateway ports

  • Unpatched vulnerabilities (e.g., CVE-2020-6287, used in real-world ransomware attacks)

  • Insecure RFC destinations or SOAP web services

These aren’t sophisticated zero-days—they’re opportunistic exploits relying on neglect.

2. 🧬 Privilege Escalation via Poor Role Design

Weak segregation of duties (SoD), poorly defined custom roles, and excessive authorizations lead to:

  • Unauthorized creation of users

  • Access to financial transactions (FB01, F110, etc.)

  • Alteration of business logic (via SE38, SE80)

Insiders and external actors alike can use these gaps to move laterally and perform fraud, data exfiltration, or sabotage.
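
The following added example (not from the original article or any SAP tool) shows one way to audit for these gaps: it resolves nested composite roles and flags users whose combined transaction codes break a segregation-of-duties policy. The role names, user names, conflict pairs and sample data are constructed assumptions; SU01, SA38 and FB03 are transaction codes not named in the article.

```python
from itertools import chain

# Duties built from the transaction codes the article names (SU01 is added here).
DUTIES = {
    "user_admin": {"SU01"},
    "fin_posting": {"FB01", "F110"},
    "development": {"SE38", "SE80"},
}
# Assumed policy: duty pairs that one user should never hold together.
CONFLICTS = [("development", "fin_posting"), ("user_admin", "development"),
             ("user_admin", "fin_posting")]

# Constructed sample data (hypothetical roles and users, not from a real system).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB01", "FB03"},
    "Z_PAYMENTS": {"F110"},
    "Z_REPORT_TOOLS": {"SA38", "SE38"},
    "Z_BASIS_USERS": {"SU01"},
}
COMPOSITES = {"Z_FIN_POWER": ["Z_AP_CLERK", "Z_SUPPORT_PACK"],
              "Z_SUPPORT_PACK": ["Z_REPORT_TOOLS"]}
USER_ROLES = {"ALICE": ["Z_AP_CLERK"], "BOB": ["Z_FIN_POWER"],
              "CAROL": ["Z_BASIS_USERS", "Z_PAYMENTS"]}

def expand(role, seen=None):
    """Resolve a role to the single roles it contains, following nested composites."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against circular composite definitions
        return set()
    seen.add(role)
    if role not in COMPOSITES:
        return {role}
    return set(chain.from_iterable(expand(r, seen) for r in COMPOSITES[role]))

def user_tcodes(user):
    """Map each tcode a user can reach to the single roles that grant it."""
    grants = {}
    for assigned in USER_ROLES.get(user, []):
        for role in expand(assigned):
            for tcode in ROLE_TCODES.get(role, ()):
                grants.setdefault(tcode, set()).add(role)
    return grants

def sod_findings(user):
    """Return the sorted (duty_a, duty_b) conflicts a user's roles add up to."""
    reachable = set(user_tcodes(user))
    held = {duty for duty, codes in DUTIES.items() if codes & reachable}
    return sorted(pair for pair in CONFLICTS if held.issuperset(pair))

if __name__ == "__main__":
    for name in USER_ROLES:
        print(name, sod_findings(name) or "no conflicts")
```

BOB is assigned only one composite role, yet reaches SE38 two levels down through `Z_SUPPORT_PACK`; `user_tcodes` reports which single role is the source so the grant can be removed there.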

3. 🛠 Supply Chain Injection and Transport Layer Attacks

With increased reliance on third-party tools and development:

  • Developers accidentally or maliciously introduce vulnerable code

  • Transport requests include insecure configurations

  • External vendors leave integration points unmonitored

SAP customers have suffered breaches due to malicious ABAP code introduced through third-party transports—in some cases, undetected for months.

4. 🌐 Shadow IT and Forgotten Interfaces

As companies integrate cloud and hybrid SAP environments (e.g., S/4HANA Cloud + on-prem), legacy components are often forgotten:

  • Unused interfaces remain active

  • Staging systems are left exposed

  • APIs without proper auth are accessible via the internet

These forgotten endpoints become low-hanging fruit for attackers.

5. 💣 Targeted Ransomware on SAP Landscapes

Ransomware groups such as Clop and LockBit have been observed targeting ERP systems in broader attacks.

Their logic:

“If SAP is down, the business is down.”

While SAP-specific ransomware is still rare, attackers are now encrypting backends, SAP transports, and archived data as part of generalized attacks on core business systems.

What Can You Do About It?

🛑 Reactive security is no longer enough.
You need SAP-specific threat modeling, offensive testing, and operational hardening.

At SAP Guardians – MALAM Strategy, we help you:

  • Simulate real-world attacks tailored to your SAP architecture

  • Identify hidden misconfigurations and role abuse paths

  • Assess and secure your SAP software supply chain

  • Strengthen detection, response, and compliance governance

👉 Discover how we secure SAP before attackers strike

Real Case Snapshot: A Multinational CPG Company

A global SAP user in the consumer goods industry came to us after an internal audit revealed 12 unauthorized financial postings—all traced to role misconfigurations.

After a targeted assessment, we discovered:

  • A custom role allowing indirect access to SE38

  • An active RFC user with full dialog permissions

  • Unmonitored batch jobs pulling sensitive data nightly

Within 3 weeks, we helped them redesign role assignments, disable exposed RFC destinations, and implement alerting tied to suspicious transaction patterns.

Don’t Be Caught Off Guard

The threat to SAP systems is real—and growing. Whether it's ransomware, insider fraud, or overlooked legacy configurations, the next breach is always closer than it seems.

Let’s make sure you're ready.

📩 Book a meeting with our SAP Security Specialists
