Active Cyberattacks on Business-Critical SAP Applications

SAP and Onapsis partner to release new threat intelligence on active threats

Defend your Business-Critical SAP Applications from Active Threats

On April 6, Onapsis and SAP released a new threat intelligence report to help SAP customers protect themselves from active cyber threats that specifically seek to target, identify and compromise organizations running unprotected SAP applications through a variety of cyberattack vectors. SAP and Onapsis strongly advise organizations to take immediate action, including swift application of the relevant SAP security patches and a thorough review of the security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments.

The U.S. Department of Homeland Security’s CISA and Germany’s Federal Office for Information Security (BSI) have also developed and released alerts and notifications on this matter.

SAP promptly patched all of the critical vulnerabilities observed being exploited, and the patches have been available to customers for months, and in some cases years. Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.

We highly encourage you to download the threat report to assess if you are at risk, and which actions to take immediately to protect your business. This report also details the specific techniques, tools and procedures (TTPs) observed by our experts, empowering defenders to respond to this activity as quickly as possible.

Some of the key findings in this threat intelligence report include:

  • Threat actors are active, capable and widespread
    Evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. Clear evidence of sophisticated domain knowledge, including the implementation of SAP patches post-compromise.
  • The window for defenders is small
    Critical SAP vulnerabilities are being weaponized less than 72 hours after a patch release, and new unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours.
  • Threats have both security and compliance impact
    Exploitation would lead to full control of unsecured SAP applications, bypassing common security and compliance controls and enabling attackers to steal sensitive information, perform financial fraud or disrupt business-critical processes by deploying ransomware or stopping operations. Threats may also have significant regulatory compliance implications, including SOX, GDPR, CCPA and others.

What To Do Next


Onapsis experts will help you quickly identify your most critical and at-risk SAP applications, evaluate exposure against observed attacks and investigate your SAP applications for signs of compromise free of charge. Upon completion, we will provide you with a rapid assessment report that you can share with your executive leadership.

Request an assessment by filling out the form.


Listen to a Q&A session in which Richard Puckett, CISO at SAP, and Mariano Nunez, CEO at Onapsis, discuss the key findings and the actions to take immediately to protect your business.

