Business-Critical Applications Under Attack: The Rise of SAP, Salesforce, and Oracle Breaches

Over the past year, sophisticated threat actors have markedly shifted their focus, executing a surge of cyberattacks against business-critical applications. This trend has compromised hundreds of major organizations worldwide by targeting the core SAP, Oracle, and Salesforce systems that power the global economy. Notable incidents include the mass exploitation of SAP systems, the theft of approximately one billion Salesforce records, and Oracle E-Business Suite breaches by ransomware groups. The consequences have proven to be existential, with impacts ranging from data theft to costly operational shutdowns, demonstrating that securing these applications is a top-tier business, financial, and operational risk.
The Invisible Infrastructure Under Attack
Most people have never heard of SAP, Oracle E-Business Suite, or Salesforce’s backend systems. Yet these platforms run the invisible infrastructure of modern commerce. They’re the software that manages everything from payroll and inventory to customer data and financial transactions at the world’s largest corporations.
These business-critical applications are the systems that run a company’s core, end-to-end processes:
- Record-to-report (finance)
- Procure-to-pay (procurement)
- Order-to-cash (sales, logistics)
- Hire-to-retire (HR)
- Customer lifecycle (marketing, sales, service)
They centralize master data, orchestrate transactions, and connect to vast B2B networks. When these apps are compromised, manufacturing, payroll, financial close, and customer support all stall, directly impacting cash flow and compliance. The enterprise applications market is on a multi-year growth path, underscoring just how central these systems are to modern business.
These systems weren’t designed with today’s threats in mind. They were built decades ago for internal use behind firewalls. But as companies embraced cloud computing and remote work, these applications became increasingly exposed to the internet, and to sophisticated criminal groups that have learned to exploit them.
Why Securing These Applications Is Non-Negotiable
The concentration of data and process power in these applications makes them a high-value target for attackers. The business case for securing them is clear:
- Global Commerce & Networks: 77% of the world’s transaction revenue touches an SAP system. Its SAP Business Network facilitates ~$6.1T in annual commerce across ~761M B2B transactions. A breach here ripples through entire supply chains.
- Massive Customer Scale: SAP has more than 400,000 customers worldwide, while Salesforce is used by 150,000+ companies and has led the CRM market for 12+ years. This concentration means a single exploit can affect a huge customer base.
- Extreme Breach & Downtime Costs: IBM’s 2025 report puts the global average breach cost at $4.44M. Even brief ERP or CRM downtime can quickly become a seven-figure problem.
- Intensifying Regulatory Pressure: New regulations like the EU’s NIS2 directive and new SEC rules in the US now mandate strict controls and rapid disclosure for incidents involving these critical systems, turning security gaps into significant legal and financial risks.
The “Crown Jewels” at Risk
Different applications are targeted for different, high-value reasons:
- SAP: Underpins core finance, supply chain, procurement, and HR. It’s the system of record for financials and supply chain, making it a prime target for invoice fraud, data exfiltration of PII or trade secrets, and operational disruption.
- Oracle E-Business Suite (EBS): This integrated suite is still widely deployed in regulated and complex industries. EBS typically sits at the heart of procure-to-pay and order-to-cash, making it ideal for extortion, vendor fraud, and data theft.
- Salesforce: As the dominant CRM platform, compromised identities or misconfigured integrations can expose customer data at scale and disrupt revenue operations.
The Digital Control Plane for Critical Infrastructure & Government
Business-critical applications are the digital control planes for both critical infrastructure operators and government agencies. They run the ledgers that fund missions, schedule maintenance on plants, manage supplier networks, and power citizen-facing services. In utilities, transportation, healthcare, and the defense industrial base, these platforms consolidate sensitive data and orchestrate high-stakes processes. Because of this, even short outages or minor breaches can have real-world operational impacts.
Threat Actors Converge on Business Applications
The risk to business-critical applications is no longer theoretical, and the data proves it. One of the clearest indicators is the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA. Since September 2024, the number of actively exploited SAP vulnerabilities on the list has grown significantly, while Oracle has seen a similar jump.
This trend is backed by proprietary intelligence from the Onapsis Research Labs. Our team measured a 210% increase in active exploitation of SAP vulnerabilities from 2024 to 2025 (even before Q4 data is included). In parallel, we’ve observed the price of a remote command execution (RCE) exploit for SAP increase fivefold over the past five years on the cybercriminal underground.
This surge in both activity and price reflects a growing demand from sophisticated threat actors who now clearly understand the high value of compromising these core systems.
[Infographic: 210% increase in SAP vulnerabilities exploited, 2024 -> 2025 | 4 new in KEV since 2024 | 7 new in KEV since 2024]
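The KEV trend cited above can be checked directly against CISA's public feed. The following added example (not from the article or from Onapsis) counts SAP and Oracle entries added since September 2024 in a KEV-format document and lists those CISA flags as used in known ransomware campaigns. It uses the feed's real field names (`cveID`, `vendorProject`, `dateAdded`, `knownRansomwareCampaignUse`), but the sample records are constructed: only CVE-2025-31324 and CVE-2025-61882 are IDs named in the article, and every `dateAdded` value is a placeholder.

```python
import json
from collections import Counter
from datetime import date

# Live feed a practitioner would load instead of the sample:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# CONSTRUCTED sample in the feed's shape. "CVE-PLACEHOLDER-*" IDs and all
# dateAdded values are made up for this example; they are not KEV data.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "dateAdded": "2025-04-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "SAP", "dateAdded": "2025-05-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "SAP", "dateAdded": "2024-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "dateAdded": "2025-10-06", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-PLACEHOLDER-3", "vendorProject": "Microsoft", "dateAdded": "2025-01-10", "knownRansomwareCampaignUse": "Known"}
  ]
}"""


def parse_kev(text):
    """Return the list of vulnerability records from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def added_since(records, since_iso, vendors):
    """Records for the given vendors whose dateAdded is on or after since_iso (YYYY-MM-DD)."""
    since = date.fromisoformat(since_iso)
    wanted = {v.lower() for v in vendors}
    return [r for r in records
            if r["vendorProject"].lower() in wanted
            and date.fromisoformat(r["dateAdded"]) >= since]


def count_by_vendor(records, since_iso, vendors):
    """Map vendor -> number of KEV entries added since the cutoff date."""
    return dict(Counter(r["vendorProject"]
                        for r in added_since(records, since_iso, vendors)))


def ransomware_linked(records, since_iso, vendors):
    """CVE IDs added since the cutoff that CISA marks as used in ransomware campaigns."""
    return sorted(r["cveID"] for r in added_since(records, since_iso, vendors)
                  if r.get("knownRansomwareCampaignUse") == "Known")


if __name__ == "__main__":
    recs = parse_kev(SAMPLE_KEV_JSON)
    vendors = ("SAP", "Oracle")
    print(count_by_vendor(recs, "2024-09-01", vendors))    # {'SAP': 2, 'Oracle': 1}
    print(ransomware_linked(recs, "2024-09-01", vendors))  # ['CVE-2025-31324', 'CVE-2025-61882']
```

Pointing `parse_kev` at the downloaded live feed reproduces the counts behind the article's KEV claim for any cutoff date.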
Over the past 12 months we observed a number of incidents involving business-critical applications, each with a significant impact on the affected organizations:
| Start Date | Description | Threat Actors | Threat Actors Type | Impact |
|---|---|---|---|---|
| September 1, 2024 | Hunters International deploys ransomware through an Oracle WebLogic vulnerability | Hunters International | Ransomware Groups | Multiple organizations affected through ransomware. |
| October 1, 2024 | Voice phishing leading to extortion leak site by “Scattered Lapsus$ Hunters” | UNC6040, UNC6240 | Data Theft Groups | ~1B records from ~40 orgs’ Salesforce environments. |
| October 31, 2024 | Beverages company files for bankruptcy after ransomware attack. | Possibly an unnamed ransomware group | Ransomware Groups | Bankruptcy, citing SAP security incident as a major contributing factor. |
| March 12, 2025 | Zero-day vulnerability exploited across SAP applications. | UNC5221, UNC5174, Chaya_004, Earth Lamia, BianLian, Qilin, Gelsemium, among others. | APT Groups, Ransomware Groups | Hundreds of large organizations were compromised. |
| March 30, 2025 | UNC6395 used stolen OAuth tokens from the Drift–Salesloft integration to query customers’ Salesforce data. | UNC6395 | Data Theft Groups | Hundreds of organizations affected; at least 24 organizations have been publicly mentioned. |
| August 15, 2025 | Exploit released for SAP vulnerabilities exploited in March. ShinyHunters claimed using an SAP 0-day to breach and disrupt JLR operations. | UNC6240 | Data Theft Groups | Some industry sources suggest total losses between £1-2 billion. |
| August 9, 2025 | Mass exploitation of multiple Oracle E-Business Suite (EBS) vulnerabilities, including a 0-day, by Clop for data theft and extortion. | FIN11, CL0P | Ransomware Groups | Multiple organizations affected. The list of victims has not been published. |
The Perfect Storm: March 2025
The crisis reached critical mass in March 2025. Multiple threat groups, including nation-state actors UNC5221 and UNC5174, began targeting SAP applications. They used a combination of mass exploitation of a zero-day vulnerability (CVE-2025-31324) and the abuse of deployed webshells in previously vulnerable systems. Within weeks, hundreds of large organizations worldwide found their SAP environments compromised.
This SAP zero-day attack set off a chain reaction. By August, the criminal group ShinyHunters published the exploit. They then claimed responsibility for the breach of a large automotive manufacturer in the UK, disrupting the automaker’s operations and causing estimated losses between £1-2 billion. The incident forced production shutdowns, demonstrating how a business application breach can cascade from the digital realm into physical manufacturing operations.
A Billion Records Stolen: The Salesforce Campaigns
While SAP systems were under siege, Salesforce became another prime target. As the world’s leading customer relationship management platform, it holds immense value. Between October 2024 and August 2025, threat actors executed two major campaigns that collectively compromised hundreds of organizations.
The Vishing Campaign
The most audacious attack involved “vishing” (voice phishing) by groups affiliated with the notorious “Scattered Spider” collective. Through social engineering calls impersonating IT support, attackers convinced employees to grant access to Salesforce environments. The result: approximately one billion customer records stolen from roughly 40 organizations’ Salesforce instances.
The OAuth Token Exploit
A separate campaign exploited OAuth token vulnerabilities in the Drift-Salesloft integration with Salesforce, allowing attackers to silently extract data from hundreds of organizations. While at least 24 companies confirmed unauthorized access, the true number of victims likely extends far beyond those who detected the breach.
Oracle Applications Under Fire
Oracle E-Business Suite (EBS) was also a prime target, and the campaigns against it represent a shift in attacker strategy. Historically, EBS vulnerabilities were often exploited by threat actors to mine cryptocurrency; the past 12 months instead saw campaigns focused on deploying ransomware and committing data theft.
Beginning in September 2024, the Hunters International ransomware group exploited a WebLogic vulnerability (CVE-2020-14644) to deploy ransomware across multiple organizations. The campaign continued for months, though the exact number of victims remains unclear.
More significantly, between August and October 2025, the FIN11 and CL0P ransomware groups orchestrated a mass exploitation of Oracle EBS systems. This attack combined multiple recently patched vulnerabilities with a zero-day (CVE-2025-61882).
This campaign marks a strategic evolution. Instead of just encrypting data, these groups focused on data theft and extortion, threatening to publish stolen information unless victims paid. Organizations can recover from encryption by restoring backups, but stolen customer data and trade secrets cannot be “un-stolen.” The extortion leverage is almost permanent. This proves attackers have a deeper knowledge of the target application and understand how to interact with it to pull valuable data.
The Human Cost: From Data Breach to Bankruptcy
Perhaps the most sobering incident didn’t make international headlines. A beverages company that filed for bankruptcy in December 2024 explicitly cited a two-month cyberattack that led to an incident affecting its SAP systems as a major contributing factor.
This case illustrates how breaches of business-critical applications transcend IT security concerns to become existential business risks. When the systems that manage inventory, process orders, handle payroll, and maintain customer relationships are compromised, companies face operational paralysis.
The bankruptcy case suggests that some organizations never fully recover from such attacks. The combined costs of incident response, business disruption, regulatory fines, and lost customer trust can prove insurmountable.
A New Era of Enterprise Risk
What makes this wave of attacks particularly alarming is the convergence of multiple threat actor types. Nation-state groups, ransomware operators, and data theft specialists are all focusing on the same high-value targets. The barriers between cybercrime, cyberespionage, and cyberwarfare are blurring.
The FBI acknowledged this trend in a September 2025 advisory, warning organizations about the increasing sophistication of voice phishing attacks targeting cloud-based business applications. Federal authorities noted that traditional security controls designed for on-premises infrastructure often fail to protect cloud applications adequately.
Security experts emphasize that these aren’t theoretical risks or minor incidents. “We’re talking about hundreds of Fortune 500 companies affected,” notes one incident responder who worked on multiple cases. “Billion-dollar impacts. Critical infrastructure compromised. This is happening now, and most organizations are underprepared.”
This convergence of attacks suggests a systemic vulnerability in how enterprises approach security. Business applications like SAP, Oracle, and Salesforce were designed for an era when corporate networks had clear perimeters. Today’s cloud-connected, integration-rich environments require fundamentally different security architectures that many organizations have yet to implement.
How to Defend Your Business-Critical Applications
The threats are clear, sophisticated, and evolving. A passive, perimeter-only defense is no longer enough to protect the applications at the core of your business. A modern defense strategy requires a dedicated, proactive approach focused on the application layer itself.
The Onapsis Platform is built to secure your most critical SAP, Oracle, and Salesforce applications by focusing on three key principles:
- Assess: You can’t protect what you can’t see. You need to continuously assess your applications for vulnerabilities, misconfigurations, and custom code flaws. This provides a complete picture of your attack surface and allows you to prioritize remediation based on business risk.
- Defend: You need to monitor your applications 24/7 for active threats. By integrating SAP threat detection and application-level context directly into your SOC, you can spot and respond to suspicious activity, Indicators of Compromise, and exploits in real time.
- Control: You must embed security into your core processes. This means automatically scanning custom code before it goes live and ensuring changes to your systems don’t introduce new vulnerabilities or compliance issues, which is a key part of DevSecOps.
The Path Forward
The attacks of the past year have proven that business applications are no longer back-office concerns. They are front-line targets in an increasingly aggressive cyber landscape. For the hundreds of organizations already compromised and the thousands more at risk, the message is clear: the era of treating business application security as an afterthought is over.
If your organization relies on SAP, Salesforce, or Oracle, the question is no longer if you will be targeted, but when. The time to build a resilient, application-aware defense is now, before the next wave of attacks arrives.
Frequently Asked Questions (FAQ)
Why aren’t my traditional security tools (firewalls, WAFs, EDR) stopping these attacks?
This is the critical gap most organizations are facing. Traditional security tools are designed to protect the network perimeter and standard endpoints. They are not built to understand the unique, proprietary language of business-critical applications. They can’t see malicious activity inside a trusted, authenticated SAP session, identify a zero-day exploit in Oracle EBS, or differentiate a legitimate user from an attacker who stole Salesforce credentials via vishing. These attacks bypass traditional defenses by targeting the application layer directly, which is a blind spot for most SOCs.
My team patches our SAP systems. Why isn’t that enough to stop these attacks?
Patching is a critical, foundational practice, but it’s a race against time that defenders are often losing. As the article highlights, we’ve seen threat actors weaponize a new vulnerability in 72 hours, while organizations take an average of 97 days to test and deploy a patch. This “defender’s gap” leaves you exposed. Furthermore, patching doesn’t fix every risk. It doesn’t stop social engineering attacks (like the Salesforce vishing campaign), fix insecure custom code, or prevent attackers from exploiting system misconfigurations that aren’t covered by a specific patch.
What is the most critical first step our organization should take to understand our actual risk?
The most critical first step is to get visibility. You can’t defend what you can’t see. The incidents in this article prove that most organizations were underprepared because they had a critical blind spot: the application layer. The first step is to perform a comprehensive assessment of your business-critical applications, not just your network. This means:
- Assessing your systems for vulnerabilities, critical misconfigurations, and custom code flaws.
- Defending these applications by integrating specialized threat detection into your SOC.
- Controlling your application lifecycle to ensure all new code and transports are secure by default.
A platform built specifically to do this, like The Onapsis Platform, is the most effective way to close this visibility gap and build a resilient defense.
