How the 2026 Verizon DBIR Highlights the Vulnerability Patching Paradox in SAP

Each year, the security community pauses to digest the Verizon Data Breach Investigations Report (DBIR). As the definitive, data-backed analysis of how real-world breaches occur, the report provides an invaluable reality check.
For those of us tasked with protecting the core business applications that run the global economy, specifically SAP and Oracle ERP systems, the latest DBIR, read alongside the Mandiant M-Trends report released earlier, delivers a stark, unmistakable warning.
A Milestone Collaboration: Onapsis Joins as a DBIR Contributor
For the first time in our history, Onapsis is proud to be named an official data contributor to the Verizon DBIR. For years, business-critical application security was treated as a separate silo from broader cybersecurity trends. By contributing our unique threat intelligence and ERP-specific telemetry to Verizon’s dataset, we are helping bridge this gap. Our involvement ensures that the risk profiles of enterprise backbones, like SAP NetWeaver, are represented in the industry’s most respected annual analysis, giving security leaders the hard data they need to justify securing their ERP cores.
This collaboration comes at a critical time. The DBIR data shows a dangerous convergence: vulnerability exploitation is soaring, third-party involvement in breaches has jumped from 30% to 48%, and the window between disclosure and exploitation is shrinking toward zero. At the center of this storm sits SAP NetWeaver. Long considered “back-office” infrastructure, NetWeaver is now firmly in the crosshairs of financially and politically motivated threat actors.
The Patching Paradox: Exploits in Hours, Patches in Months
Perhaps the most alarming trend in the latest DBIR data is the widening gap between exploitation speed and remediation reality.
- The Attackers are Accelerating: Vulnerability exploitation has surged to become a primary initial access vector, accounting for nearly a third (31%) of all breaches. Attackers now routinely mass-exploit critical vulnerabilities within five days of public disclosure.
- The Defenders are Falling Behind: Despite increased awareness, the median time-to-patch for critical vulnerabilities has actually deteriorated, rising from 32 days to 43 days (a 34% increase).
The SAP NetWeaver Reality Check
This “patching paradox” is magnified in ERP environments. SAP NetWeaver is the application server framework beneath a large share of the world’s business applications, so when a high-severity vulnerability is disclosed in it, the stakes are existential.
We saw this play out vividly with CVE-2025-31324, a CVSS 10.0 missing-authorization flaw in the SAP NetWeaver Visual Composer Metadata Uploader that lets an unauthenticated attacker upload arbitrary files (typically web shells) and achieve remote code execution. Because of its critical nature, it was added to the CISA Known Exploited Vulnerabilities (KEV) catalog within days of disclosure.
Our threat intelligence partners and Microsoft Threat Intelligence have documented threat groups such as Storm-1175 exploiting SAP NetWeaver vulnerabilities less than 24 hours after public disclosure to drop web shells and stage Medusa ransomware.
Attackers can breach an exposed SAP system within 24 hours of a disclosure, yet the DBIR’s median time to patch a critical vulnerability is 43 days. That gap means the business is exposed for weeks before a fix is even scheduled, let alone deployed.
Manufacturing in the Crosshairs: A Doubling of Breaches
The manufacturing sector is undergoing an aggressive digital transformation (Industry 4.0), connecting legacy Operational Technology (OT) and shop floors directly to ERP backbones like SAP. The DBIR highlights how attackers have capitalized on this expanding attack surface:
- Breaches Have Nearly Doubled: The manufacturing industry saw a massive spike in confirmed data breaches, doubling year-over-year.
- The Rise of Malware: Malware actions were present in 75% of manufacturing breaches, up from a historical baseline of 40–50%, consistent with the sector’s struggle with ransomware and extortion.
- A Surge in Espionage: While financial gain remains the top driver (87%), espionage-motivated attacks rose to 15% of manufacturing breaches. State-sponsored threat actors are actively hunting for proprietary intellectual property, blueprints, and supply chain data.
Why SAP NetWeaver is the Manufacturing Crown Jewel
In manufacturing, SAP NetWeaver is the heart of the operation. It manages inventory, routes supply chain orders, schedules production lines, and connects directly to Manufacturing Execution Systems (MES).
A breach of SAP NetWeaver in this sector is rarely a simple “data leak.” Because of NetWeaver’s integration, an attacker who gains access via a vulnerability or stolen credentials can:
- Halt Production: By deploying ransomware directly onto SAP application servers, attackers can freeze global operations, costing millions of dollars per hour in downtime.
- Exfiltrate Intellectual Property: State-sponsored actors exploiting unpatched NetWeaver systems can quietly extract proprietary formulas, CAD designs, and manufacturing processes directly from SAP databases.
According to the DBIR, hacking actions were involved in 71% of manufacturing breaches, with the use of stolen credentials and vulnerability exploitation each contributing to 41% of breaches within the sector. When weak credential hygiene meets unpatched NetWeaver systems, attackers can simply log in.
Retail under Extortion: Defending Continuity and Consumer Trust
For Retail organizations, business velocity and consumer trust are everything. The DBIR paints a grueling picture of the retail threat landscape, where ransomware and extortion have stayed center stage, and third-party risk is magnifying vulnerabilities.
- Extortion and Ransomware Surge: Retailers experienced a massive spike in ransomware incidents, with threat actors targeting e-commerce engines, supply chains, and customer-facing interfaces.
- Third-Party Risk Increased by 60%: Globally, the percentage of breaches involving a third-party relationship increased from 30% to 48%.
How This Lands on Retail SAP Landscapes
Modern retail relies on a highly interconnected SAP ecosystem. Your SAP NetWeaver-based applications are integrated with third-party logistics partners, payment processors, e-commerce platforms, and point-of-sale (POS) systems.
When the DBIR reports that third-party involvement in breaches has climbed from 30% to 48%, it is pointing directly at API integrations, shared credentials, and interconnected systems.
- If a retail partner’s system is compromised, or if a vulnerability in an SAP-connected web service is left unpatched, attackers can pivot into your SAP core.
- Once inside, they can reach cardholder data (which pulls the SAP core into PCI DSS scope), customer personally identifiable information (PII), or disrupt the pricing and inventory data the business runs on.
In retail, a single afternoon of downtime on Black Friday or during peak seasonal periods due to an ERP intrusion can result in irreparable reputational damage, customer churn, and massive market value loss.
What’s Next: Closing the Exploitation Gap
Traditional vulnerability management programs fall short when it comes to SAP. Standard network scanners look at the perimeter, but they do not understand the proprietary protocols and services that govern your business-critical core: RFC, DIAG (the SAP GUI protocol), the SAP Gateway, and the Message Server.
To defend against the trends outlined in the latest Verizon DBIR, organizations must transition from basic patching to an exposure-centric risk management approach. Onapsis recommends the following immediate actions:
1. Identify and Shield Internet-Facing SAP Assets
Attackers cannot exploit what they cannot reach. Use specialized discovery tools to map your entire SAP attack surface, including the non-HTTP services (Gateway, Message Server, DIAG, sapstartsrv) that general-purpose scanners miss. If an SAP NetWeaver instance or an SAProuter is reachable from the public internet, shield it behind a secure web gateway, restrict the SAProuter to an explicit route permission table (saprouttab), lock down the Gateway and Message Server with their access control lists, and strictly enforce multi-factor authentication (MFA) on every remaining entry point.
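As an added example (not Onapsis tooling or code from this post), the script below maps open ports from an external scan onto the SAP services behind them using SAP’s instance-number port scheme, and reports what is reachable from the internet, worst first. The hostnames and inventory rows are constructed; the port-to-service mapping follows SAP’s standard numbering.

```python
"""Classify open TCP ports on SAP hosts and flag services exposed to
the internet. Added example, not Onapsis tooling.

SAP derives most ports from the two-digit instance number NN:
32NN DIAG (SAP GUI), 33NN RFC gateway, 36NN ABAP message server,
39NN Java message server, 48NN gateway over SNC, 80NN/443NN ICM
HTTP/HTTPS, 81NN message server HTTP, 5NN00/5NN01 Java HTTP/HTTPS,
5NN04 P4, 5NN08 Java telnet, 5NN13/5NN14 sapstartsrv. 3299 is the
SAProuter default. The inventory at the bottom is constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# What an attacker gains from reaching each service unauthenticated.
RISK = {
    "ABAP message server": "critical", "Java message server": "critical",
    "RFC gateway": "critical", "sapstartsrv HTTP": "critical",
    "Java telnet": "critical", "Message server HTTP": "high",
    "sapstartsrv HTTPS": "high", "DIAG (SAP GUI)": "high",
    "SAProuter": "high", "P4": "high", "ICM HTTP": "high",
    "Java HTTP": "high", "ICM HTTPS": "medium", "Java HTTPS": "medium",
    "RFC gateway (SNC)": "medium",
}

BASES = {3200: "DIAG (SAP GUI)", 3300: "RFC gateway",
         3600: "ABAP message server", 3900: "Java message server",
         4800: "RFC gateway (SNC)", 8000: "ICM HTTP",
         8100: "Message server HTTP", 44300: "ICM HTTPS"}
JAVA_SUFFIX = {0: "Java HTTP", 1: "Java HTTPS", 4: "P4", 8: "Java telnet",
               13: "sapstartsrv HTTP", 14: "sapstartsrv HTTPS"}

def classify_port(port: int) -> Optional[Tuple[str, Optional[int]]]:
    """Return (service, instance number) for a port that follows the SAP
    numbering scheme, or None for anything else."""
    if port == 3299:  # SAProuter default; collides with DIAG instance 99
        return ("SAProuter", None)
    for base, name in BASES.items():
        if base <= port < base + 100:
            return (name, port - base)
    if 50000 <= port < 60000:
        instance, suffix = divmod(port - 50000, 100)
        if suffix in JAVA_SUFFIX:
            return (JAVA_SUFFIX[suffix], instance)
    return None

@dataclass
class Finding:
    host: str
    port: int
    service: str
    instance: Optional[int]
    risk: str

def audit(inventory: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """inventory rows are (host, port, exposure); exposure is 'internet' or
    'internal'. Returns internet-reachable SAP services, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for host, port, exposure in inventory:
        if exposure != "internet":
            continue
        hit = classify_port(port)
        if hit is None:
            continue
        service, instance = hit
        findings.append(Finding(host, port, service, instance, RISK[service]))
    findings.sort(key=lambda f: (order[f.risk], f.host, f.port))
    return findings

# Constructed sample: an external scan merged with firewall exposure data.
SAMPLE_INVENTORY = [
    ("erp-prd-01.example.com", 3300, "internet"),
    ("erp-prd-01.example.com", 3600, "internet"),
    ("erp-prd-01.example.com", 8000, "internet"),
    ("erp-prd-01.example.com", 44300, "internet"),
    ("erp-prd-01.example.com", 3200, "internal"),
    ("saprouter.example.com", 3299, "internet"),
    ("portal.example.com", 50013, "internet"),
    ("portal.example.com", 50001, "internet"),
    ("portal.example.com", 22, "internet"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        inst = f" (instance {f.instance:02d})" if f.instance is not None else ""
        print(f"{f.risk:<8} {f.host}:{f.port}  {f.service}{inst}")
```

An RFC gateway or message server answering from the internet is the finding to act on first: both are management-plane services that were never designed for untrusted networks, and the ICM HTTPS port is the only one of these that a business reason normally justifies exposing. Port 3299 is ambiguous by design (SAProuter default and DIAG for instance 99), so confirm it with a banner or the SAProuter’s own protocol before closing the ticket.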
2. Prioritize Vulnerabilities with ERP-Specific Threat Intelligence
Organizations cannot patch every vulnerability simultaneously. Traditional CVSS scores often fail to reflect the true risk of a flaw within a highly customized business context. Implementing continuous, threat-intelligence-driven vulnerability management enables security teams to prioritize which SAP NetWeaver security notes require immediate application based on active exploitation in the wild, replacing guesswork with data-backed risk assessment.
3. Implement Continuous ERP Security Monitoring
With threat groups like Storm-1175 executing attacks in under 24 hours, static, monthly vulnerability scanning is no longer sufficient. Organizations require real-time threat detection and response for the SAP application layer itself. Continuous monitoring, fed by sources such as the SAP Security Audit Log, lets the Security Operations Center (SOC) detect anomalies, unauthorized configuration changes, and brute-force attempts against NetWeaver before early-stage reconnaissance escalates into a full-scale breach.
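One concrete form of this monitoring, as an added example rather than Onapsis product logic: sliding-window rules over SAP Security Audit Log logon events. AU1 and AU2 are the real audit-log message IDs for successful and failed logons; the pipe-separated line format, thresholds, user names and addresses are constructed for the example.

```python
"""Brute-force and password-spray detection over SAP Security Audit Log
events. Added example, not Onapsis product logic.

AU1 (logon successful) and AU2 (logon failed) are the real Security
Audit Log message IDs; the pipe-separated line layout
(timestamp|msgid|client|user|terminal|text) and every event below are
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2026-03-03 08:01:50|AU1|100|MWEBER|10.1.4.22|Logon successful (type=A)
2026-03-03 02:14:07|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:14:19|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:14:31|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:14:44|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:14:58|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:15:10|AU2|100|JSMITH|203.0.113.44|Logon failed (reason=1, type=A)
2026-03-03 02:15:30|AU1|100|JSMITH|203.0.113.44|Logon successful (type=A)
2026-03-03 03:00:01|AU2|000|DDIC|198.51.100.7|Logon failed (reason=1, type=A)
2026-03-03 03:00:05|AU2|000|SAP*|198.51.100.7|Logon failed (reason=1, type=A)
2026-03-03 03:00:09|AU2|000|EARLYWATCH|198.51.100.7|Logon failed (reason=1, type=A)
2026-03-03 03:00:13|AU2|000|TMSADM|198.51.100.7|Logon failed (reason=1, type=A)
2026-03-03 07:59:40|AU2|100|MWEBER|10.1.4.22|Logon failed (reason=1, type=A)
"""

Event = Dict[str, object]

def parse(text: str) -> List[Event]:
    """Parse the constructed audit-log lines and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, msgid, client, user, terminal, msg = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "id": msgid,
                       "client": client, "user": user,
                       "terminal": terminal, "text": msg})
    events.sort(key=lambda e: e["ts"])
    return events

def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 5, spray_users: int = 3,
           success_after: int = 3) -> List[Tuple[str, str, str, datetime]]:
    """Sliding-window rules:
      BRUTE_FORCE            >= fail_threshold AU2 for one user in window
      PASSWORD_SPRAY         AU2 for >= spray_users distinct users from one
                             terminal in window
      SUCCESS_AFTER_FAILURES AU1 for a user with >= success_after recent AU2
    Each alert is (rule, subject, terminal, time of the triggering event)."""
    fails_by_user = defaultdict(deque)       # user -> AU2 timestamps
    fails_by_terminal = defaultdict(deque)   # terminal -> (ts, user)
    fired = set()                            # one alert per user/terminal
    alerts = []
    for e in events:
        ts, user, term = e["ts"], e["user"], e["terminal"]
        uq = fails_by_user[user]
        while uq and ts - uq[0] > window:
            uq.popleft()
        if e["id"] == "AU2":
            uq.append(ts)
            if len(uq) >= fail_threshold and ("bf", user) not in fired:
                fired.add(("bf", user))
                alerts.append(("BRUTE_FORCE", user, term, ts))
            tq = fails_by_terminal[term]
            tq.append((ts, user))
            while tq and ts - tq[0][0] > window:
                tq.popleft()
            users = sorted({u for _, u in tq})
            if len(users) >= spray_users and ("spray", term) not in fired:
                fired.add(("spray", term))
                alerts.append(("PASSWORD_SPRAY", ",".join(users), term, ts))
        elif e["id"] == "AU1":
            if len(uq) >= success_after:
                alerts.append(("SUCCESS_AFTER_FAILURES", user, term, ts))
            uq.clear()   # a successful logon resets the user's failure count
    return alerts

if __name__ == "__main__":
    for rule, subject, terminal, when in detect(parse(SAMPLE_LOG)):
        print(f"{when:%H:%M:%S} {rule:<22} {subject} from {terminal}")
```

The third rule is the one worth paging on: a successful logon right after a burst of failures is the signature of a guessed or sprayed credential, and the spray rule catches the classic pass over default accounts (SAP*, DDIC, EARLYWATCH, TMSADM) that a per-user threshold never sees because each account fails only once.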
4. Mitigate Third-Party and Custom Code Risk
With third-party involvement in breaches up 60%, organizations must rigorously secure the code and transports entering the enterprise SAP environment. Strengthening SAP DevSecOps practices ensures that custom ABAP code, SAP Business Technology Platform (BTP) integrations, and third-party add-ons are audited for security flaws and hard-coded credentials. Automated SAP application security testing lets security teams systematically inspect and block risky transports before they are ever imported into live production.
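A minimal version of such a transport gate, added here as an illustration and not Onapsis code: a scanner that strips ABAP comments, applies a small rule set for hard-coded credentials and dangerous statements, and blocks the transport on any critical or high finding. The rule IDs, thresholds and both ABAP objects are constructed; the statements the rules match (CALL 'SYSTEM', WITHOUT AUTHORITY-CHECK, CLIENT SPECIFIED, EXEC SQL, GENERATE SUBROUTINE POOL) are real ABAP constructs.

```python
"""Pre-import gate for custom ABAP in a transport: flag hard-coded
credentials and dangerous statements before the transport reaches
production. Added example, not Onapsis product logic; the rule set is a
small illustrative subset and both ABAP objects below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Finding:
    rule: str
    severity: str
    line: Optional[int]      # None for object-level findings
    message: str

# Line-level rules. ABAP keywords are case-insensitive.
RULES = [
    ("ABAP-001", "critical", "hard-coded credential in string literal",
     re.compile(r"\b\w*(passw(or)?d|pwd|secret|token|apikey)\w*\s*=\s*'[^']+'", re.I)),
    ("ABAP-002", "critical", "logic keyed on a specific user name (backdoor)",
     re.compile(r"\bsy-uname\s*(=|EQ|<>|NE)\s*'[^']*'", re.I)),
    ("ABAP-003", "critical", "OS command execution via CALL 'SYSTEM'",
     re.compile(r"\bCALL\s+'SYSTEM'", re.I)),
    ("ABAP-004", "high", "CALL TRANSACTION ... WITHOUT AUTHORITY-CHECK",
     re.compile(r"\bWITHOUT\s+AUTHORITY-CHECK\b", re.I)),
    ("ABAP-005", "high", "dynamic code generation at runtime",
     re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)),
    ("ABAP-006", "high", "cross-client table access (CLIENT SPECIFIED)",
     re.compile(r"\bCLIENT\s+SPECIFIED\b", re.I)),
    ("ABAP-007", "medium", "native SQL; confirm host variables, not concatenation",
     re.compile(r"\bEXEC\s+SQL\b", re.I)),
]
# Object-level heuristic: database writes with no AUTHORITY-CHECK anywhere.
DB_WRITE = re.compile(r"^\s*(UPDATE|DELETE\s+FROM|INSERT\s+INTO|MODIFY)\s+(?!SCREEN\b|LINE\b)\w+", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)

def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 is a full-line comment, '"'
    outside a string literal starts an inline comment."""
    if line.startswith("*"):
        return ""
    out, in_string = [], False
    for ch in line:
        if ch == "'":
            in_string = not in_string
        elif ch == '"' and not in_string:
            break
        out.append(ch)
    return "".join(out)

def scan(source: str) -> List[Finding]:
    findings, writes_db, has_auth_check = [], False, False
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        for rule, sev, msg, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(rule, sev, no, msg))
        writes_db = writes_db or bool(DB_WRITE.match(code))
        has_auth_check = has_auth_check or bool(AUTH_CHECK.search(code))
    if writes_db and not has_auth_check:
        findings.append(Finding("ABAP-008", "high", None,
                                "writes database tables without any AUTHORITY-CHECK OBJECT"))
    return findings

def gate(source: str) -> Tuple[str, List[Finding]]:
    """BLOCK the transport on any critical or high finding, else ALLOW."""
    findings = scan(source)
    blocked = any(f.severity in ("critical", "high") for f in findings)
    return ("BLOCK" if blocked else "ALLOW"), findings

# Constructed ABAP object with the classic findings.
SAMPLE_OBJECT = """\
* Report Z_VENDOR_SYNC (constructed sample, not real customer code)
REPORT z_vendor_sync.

DATA: lv_pwd TYPE string,
      lv_cmd TYPE string.

lv_pwd = 'Summer2026!'.                        " service account password
IF sy-uname = 'DDIC'.                          " maintenance backdoor
  lv_cmd = 'cat /etc/passwd'.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
ENDIF.

" A PASSWORD = 'x' in a comment like this one must not be reported.
SELECT * FROM lfa1 INTO TABLE @DATA(lt_vendors) WHERE land1 = 'DE'.

CALL TRANSACTION 'FK02' WITHOUT AUTHORITY-CHECK.
UPDATE lfa1 SET sperr = ' ' WHERE lifnr = '0000100001'.
"""

# The same write guarded by an authorization check passes the gate.
CLEAN_OBJECT = """\
REPORT z_vendor_unblock.
AUTHORITY-CHECK OBJECT 'F_LFA1_APP' ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized'.
ENDIF.
UPDATE lfa1 SET sperr = ' ' WHERE lifnr = '0000100001'.
"""

if __name__ == "__main__":
    for label, obj in (("Z_VENDOR_SYNC", SAMPLE_OBJECT), ("Z_VENDOR_UNBLOCK", CLEAN_OBJECT)):
        decision, found = gate(obj)
        print(f"{label}: {decision}")
        for f in found:
            print(f"  {f.rule} {f.severity:<8} line {f.line}: {f.message}")
```

Comment stripping matters more than it looks: without it, the commented PASSWORD = 'x' line fires and developers learn to ignore the gate. Regex rules of this kind are a floor, not a ceiling; a production scanner works on the ABAP syntax tree and tracks data flow, which is what lets it tell a hard-coded secret from a constant that merely contains the word.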
Conclusion: Business Continuity is ERP Security
The 2026 Verizon DBIR provides undeniable proof of expanding enterprise security gaps. Threat actors are operating with unprecedented speed and coordination, deliberately targeting the core systems that trigger catastrophic operational failure upon disruption.
In Manufacturing and Retail, that application is SAP.
It is time to pull SAP NetWeaver out of the functional IT silo and integrate it directly into your security operations center (SOC). Protecting the ERP layer is a mandatory requirement for preserving business continuity.
To learn how Onapsis can help you secure your SAP landscape against the exact threats highlighted in the latest Verizon DBIR, schedule a custom threat assessment with our team today.
Frequently Asked Questions
What are the main SAP security takeaways from the 2026 Verizon DBIR?
The 2026 Verizon DBIR highlights that vulnerability exploitation and ransomware are surging, making the protection of core ERP systems like SAP NetWeaver a critical business continuity requirement. Attackers are mass-exploiting vulnerabilities within days of disclosure, while organizations take a median of 43 days to apply patches. This “patching paradox” creates a massive exposure window for financial extortion and data theft.
Why is SAP NetWeaver heavily targeted in the manufacturing sector?
SAP NetWeaver manages critical supply chain, inventory, and production data, making it a prime target for both financially motivated extortion and state-sponsored espionage. The DBIR notes that manufacturing breaches doubled this year, with hacking actions involved in 71% of incidents. Threat actors frequently leverage stolen credentials and unpatched flaws to freeze global operations or extract proprietary intellectual property.
How does third-party risk impact retail SAP environments?
The 60% global rise in breaches involving a third party exposes highly interconnected retail SAP environments to attacks originating from compromised vendors or APIs. Attackers exploit these trusted connections and shared credentials to bypass perimeter defenses. Once inside the SAP core, they can access point-of-sale data, customer PII, and e-commerce engines to execute high-pressure ransomware campaigns.
How can organizations close the exploitation gap for SAP vulnerabilities?
Security teams must transition from static patching cycles to continuous, threat-intelligence-driven vulnerability management and real-time application monitoring. Utilizing ERP-specific threat intelligence allows organizations to prioritize critical SAP Security Notes based on active in-the-wild exploitation. Additionally, deploying automated DevSecOps testing secures custom code and third-party integrations before they enter the production environment.
