A zero-day vulnerability in SAP systems is being actively exploited in the wild. Evidence of attacks against this vulnerability has been observed by ReliaQuest and Onapsis Threat Intelligence, and confirmed by multiple IR firms in recent active investigations.
SAP published an emergency security patch on April 24, 2025 to address this issue. The vulnerability is of critical severity (CVSS 10), and affects the SAP Visual Composer component of SAP Java systems, which is not enabled by default.
Unauthenticated threat actors can exploit the vulnerability to gain full control of vulnerable SAP systems, including unrestricted access to SAP business data and processes, the ability to deploy ransomware in SAP, and the ability to move laterally. Given the observed activity and the characteristics of the vulnerability, we expect continued exploitation of vulnerable internet-facing SAP Java systems.
SAP and Onapsis urge customers to take immediate action. This issue is fixed by applying SAP note 3594142. If you are unable to apply the patch in a timely fashion, SAP's recommended mitigation is to either disable the vulnerable component or prevent access to it, as described in SAP note 3596125.
Our experts are hosting an SAP threat intelligence session to provide further information on how to assess exposure in your environment and plan any required response actions. You can register below.
Speakers
Juan Pablo “JP” Perez-Etchegoyen
Chief Technology Officer
ONAPSIS
Alex Horan
Vice President of Product Management
ONAPSIS
Register Here
EMEA (5am ET/11 CEST)
US (11am ET / 5pm CEST)