SAP Security in 2025: Protecting Your Enterprise from Modern Cyber Threats
Traditionally, SAP cloud security best practices were to keep business-critical SAP systems on-premises and to install layers of security around them, creating a theoretical and impenetrable fortress of castle walls and moats. However, the ongoing shift of the traditional on-premises perimeter to a distributed hybrid cloud model, and the imperative for every organization to transform how it does business digitally, continues to reshape this paradigm. This includes complex initiatives like transformation with S/4HANA and RISE with SAP. SAP is no longer in a lockbox, and threat actors have taken notice, targeting SAP with fast, sophisticated, and increasingly successful attacks. Organizations need to be aware and equipped to face the increased threats facing their most critical systems.
The Evolving SAP Threat Landscape
The shift in how enterprises operate and interact with their SAP systems has created a dynamic and increasingly complex threat landscape. Several key factors are contributing to this evolution, demanding a proactive and robust security posture.
Accelerated Digital Transformation: Speed Over Security
Digital transformation initiatives have been underway for years, but recent global events significantly accelerated the digitization of business across all fronts. From customer demands for increased digital interactions to completely remote workforces, this sustained acceleration has given digital transformation a new and enduring sense of urgency, alongside a mandate to prioritize digital readiness above all else. This rapid shift has left organizations vulnerable to new risks, both because of a larger number of externally-facing critical systems and often stretched resources to implement security best practices. According to recent industry analysis, companies have seen a dramatic acceleration in their digital transformation efforts, with many reporting an average of 6 years of progress achieved in a compressed timeframe. This rapid advancement has significantly impacted the digitization of customer and supply-chain interactions, internal operations, and the overall share of digital or digitally-enabled products in their portfolios.
Digitized operations and products mean business-critical applications and their data now increasingly reside in cloud-based, often public-facing systems, rather than solely within on-premises infrastructure. This has greatly increased the risk of exploitation, underscoring the critical need for a secure cloud migration. Organizations striving to keep pace with this rapid acceleration may inadvertently overlook critical risks, potentially leaving them susceptible to exploits, including insufficient due diligence on security best practices.
Increased Outsourcing & Reliance on Third Parties
Hiring IT staff, especially application developers and managers who have experience with business-critical platforms like SAP, is a challenging task. The global talent shortage continues to be a significant hurdle; by 2030, the global shortfall of tech workers could reach an estimated 85.2 million people worldwide, leading to substantial potential revenue losses. Enterprises continue to hire outsourced consultants, contractors, and system integrators to try and fill this gap. In fact, according to a 2024 Deloitte survey, 80% of executives plan to maintain or increase investment in third–party outsourcing.
However, bringing on additional resources to help meet project deadlines for development and digital transformation is not without its challenges. Organizations need a way to validate the work of these third parties to make sure they are setting up SAP environments correctly and writing high-quality and secure code. Internal company application leaders need visibility and automation capabilities for assessing the code, transports, configurations, and patching efforts from third parties, so they can ensure corporate standards are met, security checks aren’t interfering with their team’s ability to meet project timelines, and critical security issues aren’t being introduced to their most critical systems.
Rising & Sophisticated Attacks on SAP
The shift to cloud models, accelerated pace of digital transformation, and increased reliance on third parties discussed above have left business-critical SAP applications more vulnerable than ever – and threat actors have taken notice. Malicious cyber activity targeting SAP has increased over the last several years and those efforts appear to be paying off for the cyberattackers, with a significant 23% of organizations reporting a cybersecurity attack that impacted their SAP environment in the past year.
Threat actors not only have the sophisticated domain knowledge to target SAP through a variety of attack vectors, but they are doing so at a faster pace than ever before. Onapsis research has found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available.
Beyond malicious activity targeting unpatched SAP applications, Onapsis researchers also observed evidence of attacks against known weaknesses in application-specific security configurations, including brute-forcing of high-privilege SAP user accounts. Additionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications.
The Unpredictable Nature of Zero-Day Attacks
Lastly, discussing sophisticated attacks without acknowledging the threat of zero-days would be a significant oversight. While organizations can plan for and patch known vulnerabilities, zero-day exploits represent the unknown, a critical risk that demands agility from security teams and researchers. Understanding that these unknowns exist is crucial for a comprehensive risk management strategy.
Indeed, while attackers consistently leverage both old and new known vulnerabilities, this past year has seen one of the most prolific zero-day attacks specifically targeting SAP Customers. Dubbed CVE-2025-31324, first publicly reported by ReliaQuest, yet unidentified attackers exploited a zero-day vulnerability. The attack upon analysis implies a highly specialized and deep understanding skillset was required to both find and create an exploit. Reports from incident responders like Mandiant (in collaboration with Onapsis) confirm it was used to successfully target hundreds of businesses.
Key Takeaways on Zero-Day Threats
- Zero-days cannot be planned for with traditional patching cycles
- Zero-day exploits are not used indiscriminately; they are highly strategic
- These strategic zero-days often carry critical severity scores, such as CVSS 10.0, once discovered and patched.
- The CVE-2025-31324 incident specifically demonstrates the high sophistication and specialized expertise required by attackers.
- Onapsis Research Labs (ORL) has consistently warned that attackers recognize the immense value of SAP systems, and this zero-day unequivocally proved it.
- For any organization running SAP, it’s no longer a matter of if you will be targeted, but when.
- There is no inherent barrier to attacks or being targeted: having SAP makes you a target because it contains highly valuable data.
Why Modern SAP Security Matters: Business & Compliance Impact
The business impact of a successful SAP breach could be critical. In many scenarios, the attacker would be able to access the vulnerable SAP system with maximum privileges (Administrator/SAP_ALL), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes. Having administrative access to the system would allow the attacker to manage (read/modify/delete) every record, file and report in the system. Successful exploitation of a vulnerable SAP system would allow an attacker to perform several malicious activities, including:
- Steal personally identifiable information (PII) from employees, customers and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt critical business operations, such as supply chain management, by corrupting data, shutting processes down completely or deploying ransomware
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
For many organizations, business-critical SAP applications are under the purview of specific industry and governmental regulations, financial and other compliance requirements. Any enforced controls that are bypassed via exploitation of threats discussed in this report might cause regulatory and compliance deficiencies over critical areas such as:
- Data privacy (e.g. GDPR, CCPA) due to unauthorized access of protected data, regardless of exfiltration
- Financial reporting (e.g. Sarbanes-Oxley) due to unauthorized changes to financial data or bypassing of internal controls causing inaccurate financial reporting
- Industry-specific regulations such as NERC CIP or PCI-DSS due to impact to regulated data
Having known vulnerabilities and misconfigurations in SAP systems that can allow unauthenticated access and/or the creation of high-privileged user accounts would be a deficiency in IT controls. For organizations that must meet regulatory compliance mandates, this would trigger an audit failure and violate compliance. The result could lead to potential disclosure of the violation, expensive third-party audits and penalties that could include fines and legal action.
Your Path to Enhanced SAP Security: Key Steps
Addressing the complexities of the modern threat landscape requires a proactive and strategic approach to SAP security. We’ve identified three crucial steps to guide your efforts in safeguarding your enterprise:
3 steps toward better SAP security:
1. Implement a Robust SAP Vulnerability Management Program
Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical SAP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your SAP environment. This requires a continuous, proactive approach, scanning not just for known Common Vulnerabilities and Exposures (CVEs) but also for misconfigurations and custom code flaws unique to your landscape. Establishing a clear process for identifying, prioritizing, and patching these weaknesses significantly reduces your attack surface and builds a stronger baseline of defense.
2. Integrate Application Security Testing into Development Processes
Incorporating security checks into your SAP development and change management processes allows you to find issues in the shortest possible time. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to system security, compliance, performance, or availability. By “shifting left” security, you embed vulnerability detection directly into the development pipeline, catching errors when they are cheapest and fastest to fix. This ensures that new functionalities and changes are secure by design, preventing new attack vectors from being introduced into your live environment.
3. Continuously Monitor for Internal & External Threats
SAP is an attractive target for bad actors, both inside and outside the organization. Keeping an eye out for unauthorized changes, misuse, or attack indicators is crucial for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences. Effective security monitoring provides real-time visibility into your SAP landscape, allowing you to detect anomalous user behavior, suspicious system activities, and external scanning attempts. This continuous vigilance is vital for rapid incident response, enabling security teams to neutralize threats before they can cause significant damage or lead to a data breach. Furthermore, for a deeper dive into methods to detect and respond to advanced threats, explore strategies for enterprise threat detection.
How Onapsis Helps Secure Your SAP Enterprise
Navigating the complexities of modern SAP security requires specialized expertise and comprehensive solutions. Onapsis provides a unified platform designed to address the specific challenges outlined in this report, empowering organizations to proactively protect their most critical SAP applications and data. Our deep understanding of SAP environments allows us to deliver unparalleled protection.
For a robust SAP vulnerability management program, Onapsis automates the identification and prioritization of weaknesses across system configurations, user settings, custom code, and missing patches. This ensures you can find and remediate critical flaws before threat actors can exploit them, providing crucial visibility into your attack surface.
When it comes to integrating security into the SAP development processes, Onapsis helps you “shift left” security. Our solutions enable you to assess code quality and identify security issues early in the development pipeline, ensuring new functionalities are secure by design and preventing costly rework in production environments. Onapsis simplifies the complexities of secure development for SAP applications.
For continuous SAP security monitoring and advanced threat detection, Onapsis delivers real-time visibility into your SAP landscape. Our platform helps you detect anomalous user behavior, suspicious system activities, and external scanning attempts, enabling rapid incident response and proactive defense against both internal and external threats.
Frequently Asked Questions
What are the primary modern threats to SAP security in 2025?
In 2025, the evolving SAP threat landscape is primarily driven by challenges related to accelerated digital transformation, increased reliance on third-party vendors, and highly sophisticated cyberattacks. Key concerns include data exfiltration, securing distributed hybrid cloud models, and ensuring the integrity of externally-facing critical SAP systems.
How has digital transformation influenced SAP security?
Digital transformation, accelerated by recent global events, has pushed business-critical SAP applications and their data into cloud-based, often public-facing systems. This rapid shift, prioritizing speed over security, has significantly increased the risk of exploitation and underscores the critical need for a secure cloud migration strategy.
What is the current rate of cybersecurity attacks impacting SAP systems?
Recent data indicates a significant increase in malicious cyber activity targeting SAP. A 2025 SAPinsider Research Report, sponsored by Onapsis, revealed that a significant 23% of organizations reported experiencing a cybersecurity attack that impacted their SAP environment in the past year.
What are the key steps to enhance SAP security?
To enhance SAP security, organizations should focus on three crucial steps: implementing a robust SAP vulnerability management program to find and remediate weaknesses, integrating application security testing into development processes to “shift left” security, and continuously monitoring for internal and external threats to detect malicious behavior early.
What are the regulatory compliance implications of unsecure SAP systems?
Unsecure SAP systems can lead to severe regulatory and compliance deficiencies. Bypassed controls can violate mandates related to data privacy (e.g., GDPR, CCPA), financial reporting (e.g., Sarbanes-Oxley), and industry-specific regulations (e.g., NERC CIP, PCI-DSS), potentially resulting in audit failures, fines, and legal action.
