
Between April and May, we saw a massive campaign involving the exploitation of a zero-day vulnerability potentially linked to a number of actors, including China-nexus actors as well as Russian ransomware groups. The exploited vulnerabilities (CVE-2025-31324 and CVE-2025-42999) affect the SAP NetWeaver Visual Composer tool. Using full remote command execution (RCE), the threat has impacted hundreds of SAP systems – many belonging to government agencies and critical infrastructure operations.
The attackers uploaded web shells to vulnerable systems, allowing them to execute commands and gain full access to all SAP resources. This makes it possible for attackers to live off the land (LOTL) during the compromises: adversaries blend into routine background activity within a network by using built-in system tools. With these, they execute code without dropping additional files, leaving no footprints on hard drives.
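Because the initial foothold in this campaign was a web shell written into the application's web-content tree, one practical defender-side check is a file-integrity baseline of the directories from which the application server will execute JSP code: any JSP that appears or changes outside a planned transport is worth triage. The script below is an added illustration of that check, not code from the article or from SAP. The directory layout (`irj/root`) and the sample files are constructed for the demo; the real location of the servlet directories on a given NetWeaver host is an assumption the operator must supply, and the baseline must be taken from a system known to be clean.

```python
"""Baseline-and-diff check for unexpected JSP artifacts under a web-app directory.

Added example, not from the original article or from SAP. The directory names
and file contents below are constructed for demonstration; point `root` at the
real servlet directory of your NetWeaver instance (an assumption you verify).
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# File types the application server may compile or execute; images, CSS etc. are ignored.
WATCHED_SUFFIXES = {".jsp", ".jspx", ".java", ".class"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large compiled classes do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each watched file (relative POSIX path) under root to its SHA-256."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Persist the baseline; store it off-host so an intruder cannot edit it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files that are new, changed, or gone relative to the clean baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(set(baseline) - set(current))
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, then simulate a dropped and an edited JSP."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "irj" / "root"  # constructed stand-in for the deployed web-app dir
        (root / "portal").mkdir(parents=True)
        (root / "portal" / "index.jsp").write_text('<%@ page language="java" %>hello')
        (root / "portal" / "logo.png").write_bytes(b"\x89PNG")  # not a watched type

        baseline = build_baseline(root)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(baseline, baseline_file)

        # Post-incident state: one JSP newly dropped, one legitimate JSP altered.
        (root / "helper.jsp").write_text("<% /* constructed sample file, inert */ %>")
        (root / "portal" / "index.jsp").write_text('<%@ page language="java" %>changed')

        return diff_against_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is re-taken after every legitimate transport or support package import, and any `added` or `modified` entry between those points is escalated to incident triage rather than silently re-baselined.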
I’ve seen firsthand how such threats bring the potential of widespread harm to organizations across the board, as SAP customers account for 84% of total global commerce. In fact, 98 of the 100 largest companies are SAP customers. All told, more than 400,000 businesses deploy SAP business-critical applications to perform enterprise resource planning (ERP), supply chain management (SCM), customer relationship management (CRM), supplier relationship management (SRM) and other business functions.
What’s more, the vulnerabilities arrive at a time of highly challenging transformations for SAP customers, as they are required to migrate to S/4HANA as part of the RISE with SAP initiative. Earlier this year, SAP introduced an offering called “SAP ERP, private edition, transition option,” to help large customers with complex installations segue to SAP cloud ERP. From what I’m seeing, organizations could use the support, as only 51% of transformations go according to plan and 58% exceed their budget.
I’ve been talking to organizations in response to these challenges and strongly recommend implementing a comprehensive and resilient SAP cybersecurity strategy – one that is built upon five essential components:
Governance and risk visibility. This starts with the development of internal policies which are specifically designed for the protection of SAP applications. Chief Information Security Officers (CISOs) and their teams should work with business leaders to ensure the policies align with relevant industry standards, regulations and legislation. They also need to gain buy-in from these leaders along with all stakeholders, including system/data owners.
At the same time, teams must identify and track risks to SAP systems, and integrate those into key risk indicators (KRIs) for comprehensive risk management.
Secure architecture, configuration and accountability. Policy documents need to outline minimal configuration baselines to best protect all SAP system components. This should hold true for system configurations, user authorizations and custom code, to name some of the most relevant areas. They should also address transport integrity, along with auditing requirements that cover data retention policies so the data is always available for forensic purposes.
Baked-in compliance from the start. Comprehensive compliance must align with internal policies as well as external standards, regulations and legislation. As part of the process, teams should establish a controls matrix to match each control with the requirements of applicable regulations and standards. This is especially important across SAP applications, since most of the processes and data that run through them are in the scope of multiple regulations and compliance mandates.
A multi-pronged, tailored approach. There is no “one size fits all” plan to implement an effective strategy, as it has to align with an organization’s individual goals, challenges, industry requirements and customer needs. In addition, CISOs and their teams should invest in ongoing training for internal employees to update them about the latest SAP defense practices. Then, it’s highly recommended that they bring on external, independent entities to conduct regular assessments of their SAP cybersecurity maturity.
Commitment to monitoring, measuring and continuously improving. Teams must regularly report on metrics and compliance key performance indicators (KPIs) to chart progress, identify improvement areas and convey total transparency/accountability to stakeholders.
Such KPIs could include tracking the percentage of systems that are up-to-date on patches, and the extent to which SAP operations adhere to compliance regulations and security baselines/standards. Automation tools make a great difference with the measurement and assessment process by not only significantly improving efficiencies, but also reducing human error.
Adversaries are well aware of the universal dependence of companies on SAP business-critical applications – which is why the applications have emerged as popular targets. Therefore, I believe these companies must commit to constant focus and cross-functional collaboration to develop and enforce a comprehensive and resilient SAP cybersecurity strategy. By incorporating the five essential components described here while working closely with organization-wide leadership, CISOs and their teams will take the steps required to get there.