SAP remains the digital backbone for thousands of global enterprises — from finance to manufacturing, supply chain, and HR. Yet in 2025, SAP platforms became a growing target for cyberattacks. Recent high-severity vulnerabilities and exploitation trends reveal a clear message: no organization running SAP can afford complacency.
In this post, we’ll explore the most significant SAP vulnerabilities discovered this year, why these systems are being targeted, and what IT teams should do immediately to protect their environments.
The 2025 SAP Threat Landscape
SAP systems handle some of the world’s most sensitive business data — payroll, financial transactions, and trade secrets. That makes them a prime target for attackers looking to disrupt operations or steal proprietary information.
In 2025, several critical-severity vulnerabilities were identified in core SAP products, some of which have already been exploited in the wild:
- CVE-2025-42957 (SAP S/4HANA) – A remote code injection flaw that allows attackers to execute arbitrary ABAP code and take full control of the system.
- CVE-2025-42944 (SAP NetWeaver AS Java) – An insecure deserialization vulnerability that enables attackers to run operating system commands remotely.
According to cybersecurity analysts, threat actors are now scanning for unpatched SAP systems – often exploiting known vulnerabilities that remain unaddressed months after patches are released.
The message is clear: patching delays are creating real business risks.
Why SAP Systems Are So Hard to Secure
For many IT organizations, securing SAP isn’t as simple as applying a Windows or Linux update. The complexity of these environments creates unique challenges:
1. Complex and Customized Landscapes
Each SAP environment is highly tailored with custom developments, third-party integrations, and industry-specific add-ons. A single patch can have ripple effects across modules or integrations, leading to hesitancy around updates.
2. Downtime Sensitivity
SAP often runs mission-critical workloads. Scheduling downtime for patching can be disruptive, particularly in manufacturing or logistics environments where 24/7 uptime is required.
3. Authorization Design Weaknesses
Overly broad access roles and segregation-of-duties (SoD) conflicts are still common. Once an attacker gains access, excessive privileges can quickly turn a small incident into a major breach.
4. Hybrid Complexity
Modern SAP deployments are increasingly hybrid. Combining on-premise systems with SAP Cloud, BTP, and SaaS modules. Each integration point expands the attack surface and increases the need for consistent security governance.
5. Limited Security Expertise
Many organizations have strong SAP functional teams but limited security specialists who understand both the technical and business implications of an SAP breach.
5 Immediate Actions IT Teams Should Take for SAP Security
The good news: most SAP vulnerabilities can be mitigated with the right governance, tools, and collaboration between IT, Basis, and Security teams. Here’s what you should do now:
1. Audit Your Patch Status
- Review all systems against the latest SAP Security Patch Day notes.
- Prioritize “Hot News” and “High” CVSS-scored vulnerabilities.
- Validate that patching has been applied across production, QA, and development systems.
2. Limit Exposure
- Ensure that SAP systems are not directly exposed to the internet.
- Restrict remote RFC connections and monitor for unusual external access attempts.
- Review firewall and reverse proxy configurations that interface with SAP.
3. Strengthen Role Design and Access Control
- Review user authorizations regularly using SUIM or GRC tools.
- Remove dormant or over-privileged accounts.
- Reinforce the principle of least privilege and review SoD violations quarterly.
- If using SAP GRC Access Control, schedule automated access risk analysis jobs.
4. Monitor and Log Security Events
- Enable and regularly review SAP audit logs (SM20, STAD, and Security Audit Log).
- Integrate SAP logs into your enterprise SIEM for centralized visibility.
- Watch for patterns like sudden role assignments, RFC connections, or mass data exports.
5. Communicate Urgency to Stakeholders
Security is not just an SAP Basis issue, it’s an enterprise risk.
- Educate leadership about the business impact of unpatched SAP systems.
- Embed SAP patching into regular IT maintenance cycles.
- Assign ownership for vulnerability management, not just technical execution.
4 Strategic Steps for Long-Term SAP Security
Beyond immediate patching, organizations need to embed security into their SAP governance model:
1. Identity and Access Governance
Integrate SAP user provisioning with enterprise IAM tools to ensure lifecycle consistency (onboarding, role change, offboarding). Automate periodic access reviews to maintain compliance.
2. Regular Security Assessments
Schedule quarterly vulnerability scans and annual SAP Security audits. Include checks for:
- Misconfigurations (default passwords, open ports)
- Custom code vulnerabilities (using SAP Code Inspector or ATC)
- Segregation-of-Duties compliance
3. Incident Response Readiness
Develop and test an SAP specific incident response plan. Many security teams are well versed in Windows or network incidents, but SAP requires specialized response steps and forensic tools.
4. The Business Case for SAP Security
According to industry studies, over 60% of SAP systems in production are running with known vulnerabilities. A single exploited SAP instance could disrupt payroll, production planning, or financial reporting. Leading to millions in losses and reputational damage.
Investment in SAP Security isn’t just about compliance. This is about operational resilience. The cost of proactive patching and continuous monitoring is far lower than the cost of a breach.
Author Nina Wahib