Mandiant M-Trends 2026 Highlights SAP as a Top Target

For years, the cybersecurity industry has treated Enterprise Resource Planning (ERP) security as a niche operational issue. Security teams focused heavily on endpoint detection and network perimeters, often leaving the business-critical application layer in a dangerous blind spot.

The newly released Mandiant M-Trends 2026 report shatters that paradigm.

Based on data collected from more than 500,000 hours of frontline incident response engagements, the report provides indisputable proof that advanced threat actors are not just probing ERP systems; they are actively and successfully exploiting them at scale.

SAP Is Becoming a Top Target

When analyzing how threat actors break into organizations, Mandiant found that exploits were the most frequently observed initial infection vector for the sixth consecutive year. In 2025, exploits accounted for 32% of all intrusions where an initial vector could be identified.

However, the most alarming data point for ERP customers is the specific target of those exploits. According to the report, the most frequently exploited vulnerabilities in 2025 were zero-days affecting internet-facing web application servers. Featured prominently at the top of Mandiant’s list of most frequently exploited vulnerabilities is SAP NetWeaver (CVE-2025-31324).

This vulnerability in the SAP NetWeaver Visual Composer component allows unauthenticated attackers to achieve remote code execution, granting them a powerful beachhead directly into the financial and operational core of the targeted organizations.

The Shrinking Weaponization Window

The M-Trends report also highlights how rapidly threat actors weaponize SAP vulnerabilities. The days of having weeks or months to apply a security patch are over.

Mandiant and the Google Threat Intelligence Group (GTIG) observed at least four separate threat clusters exploiting CVE-2025-31324 as a zero-day in early 2025. To address this widespread exploitation, SAP issued an emergency out-of-band release on April 24, which was fully detailed in the May 2025 Patch Day.

Once the patch was made public, the situation escalated. Rather than closing the window, the patch release signaled an opportunity for other attackers. GTIG tracked six additional threat clusters immediately exploiting the vulnerability as an n-day. These groups, which included suspected state-sponsored cyber espionage clusters, used the SAP vulnerability to deploy web shells, establish persistent backdoors, and conduct stealthy network reconnaissance.

This data proves that relying solely on a traditional, monthly patch cycle is no longer a viable defense strategy for business-critical applications.

The active exploitation of CVE-2025-31324 was a worldwide phenomenon. Mandiant tracked this activity as a major “Global Event” across its incident response engagements, with specific regional breakouts highlighting how different threat clusters utilized the vulnerability.

In the Europe, Middle East, and Africa (EMEA) region, Mandiant investigated incidents involving two distinct activity clusters that exploited the vulnerability as a zero-day. In these cases, the threat actors primarily focused on establishing an initial foothold by dropping the JSPKIT web shell into the compromised environments.

Meanwhile, in the Japan and Asia Pacific (JAPAC) region, attackers aggressively targeted the flaw after the official patch was released. Mandiant identified a suspected PRC-nexus cyber espionage cluster using the exploit to send reconnaissance commands to web shells on vulnerable devices. A second threat cluster operating in the JAPAC region exploited the same n-day vulnerability to install the KRABDRIP downloader and conduct further network reconnaissance.

Shattering the Application Layer Blind Spot

Threat actors target internet-facing enterprise platforms because they provide centralized access to an organization’s financial data, internal documents, and business operations. Once inside, these platforms offer the perfect cover.

Because standard endpoint detection and response (EDR) tools and network monitors are rarely fluent in proprietary SAP application logs, attackers can operate undetected. The M-Trends report notes that adversaries frequently use these types of targets as a starting point to expand further into a compromised network.

Closing the Gap with Continuous Monitoring

The findings in the Mandiant M-Trends 2026 report validate the necessity of application-specific security tooling. To defend against the rapid weaponization of SAP vulnerabilities, organizations must transition from reactive patching to proactive, continuous monitoring.

Purpose-built platforms address this exact threat model:

  • Vulnerability Management: Automated assessments continuously identify missing patches and application-layer misconfigurations before threat actors can exploit them as n-days.
  • Threat Detection: By continuously monitoring SAP-specific application logs, security teams can detect the deployment of web shells and unauthorized reconnaissance activity in real time, alerting defenders before the attacker can move laterally.

The data is clear. Threat actors have made SAP a primary target. It is time for defenders to make it a primary focus.