The Onapsis Blog

The world of business-critical application security is dynamic, with new developments happening on a continuous basis. Check out our blog for recommendations, insights and observations on the latest news for securing your SAP®, Oracle® and Salesforce applications.

SAP Security: A Look Back at 2021 Highlights

SAP Security: A Look Back at 2021 Highlights

As 2021 draws to a close, Onapsis Research Labs shares a short summary of this year’s most important highlights relating to SAP security as well as a statistical analysis of this year’s SAP Patch Days. 

April 2021: Onapsis Research Labs provides evidence for malicious cyber activities targeting critical SAP applications

It seemed as though 2021 began uneventfully but behind the scenes, The Onapsis Research Labs was hard at work on a huge project. The results of those efforts were published in April.

The team set up an environment that exposed unpatched SAP systems to the internet and tracked suspicious activity against those systems. The results were published in a joint Threat Intelligence Report released by Onapsis and SAP.

The research revealed that threat actors have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications. And they are actively doing so. Some key findings included:

  • Threat actors are active, capable, and widespread: Evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. It is clear that cyberattackers have sophisticated knowledge of business-critical applications. They are actively targeting and exploiting unsecured SAP applications through varied techniques, tools, and procedures.
  • The window for defenders is small: Critical SAP vulnerabilities are being weaponized within 72 hours of a patch release. New unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours.
  • Threats have both security and compliance impact: Exploitation has dire consequences; it can lead to full control of unsecured SAP applications. Common security and compliance controls can be bypassed, enabling attackers to steal sensitive information, perform financial fraud, or disrupt business-critical enterprise processes. This can also be done by deploying ransomware or stopping operations. Threats can have significant regulatory compliance impacts, including SOX, GDPR, CCPA, and others. 
  • Ransomware protection is more than backups and endpoint security: Both are critical components of a solid security program, without a doubt. However, their presence can lull organizations into a false sense of security since gaps remain, especially for business-critical systems that are connected in more ways than ever before.

September 2021: SAP Patch Day with record breaking number of critical Security Notes

SAP released the impressive number of seven new HotNews Notes and two High Priority Notes on its September Patch Day. While one of the HotNews Notes was only a minor update of an older one, the remaining eight critical notes addressed new vulnerabilities in the following components:



SAP Security Note

Java Message Service Connector


3078609 - [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)

SAP Knowledge Management


3081888 - [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)

SAP Visual Composer


3084487 - [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)

Near Zero Downtime (NZDT) Mapping Table framework


3089831 - [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework

SAP Contact Center


3073891 - [CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center

SAP Business Client


2622660 - Security updates for the browser control Google Chromium delivered with SAP Business Client

SAP Web Dispatcher


3080567 - [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher

SAP CommonCryptoLib


3051787 - [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib

Onapsis Research Labs contributed to this remarkable number of critical patches by reporting the vulnerabilities fixed by notes #3081888, #3080567, and #3051787.

November 2021: U.S. Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01

On November 3, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities. This is a compulsory directive to federal and executive branches as well as departments and agencies. It is generally considered to be the minimum best practice for enterprises to also implement CISA recommendations.

The purpose of BOD 22-01 is to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents. These vulnerabilities are considered to pose significant risk to agencies and the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are frequent attack vectors for malicious cyber actors of all types.

SAP has already released Security Notes for all of the SAP related issues in the directive and it is important to note that all of the critical SAP vulnerabilities listed in the CISA catalog were identified as being exploited in the wild in the joint Threat Intelligence Report released by Onapsis and SAP. (See here for Onapsis Research Labs blog to help SAP Security administrators better understand how to review their SAP systems.)

December 2021: Log4j shakes the internet

On December 10, the IT world was shaken by the publication of a critical vulnerability in the widely used open source library Log4j. Researchers detected an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device completely. Quite a few IT security experts see it as the most serious vulnerability of all time. From that day on, a race has started between threat actors and IT security departments all over the world. 

The SAP security team immediately started to analyze which SAP applications were affected. The current status of this analysis is summarized in this document. On December 20 at 3:21 p.m. EST the document listed 78 applications that were already patched by SAP, 21 applications with a pending patch, and 296 applications that are not affected by the vulnerability. In order to get more detailed information about each patch, it’s worth searching periodically for Log4j in the SAP Portal. For the most up-to-date information from Onapsis regarding the Log4j vulnerability, please refer to our security advisory here. See additional Onapsis Research Labs threat intelligence about Log4j here.

SAP Patch Day Statistical Trends

The overall number of 185 SAP Security Notes in 2021 is very close to the all-time low of 179 notes in 2019. Thus, the indicated upward trend from 2020 did not continue. The latter fact also applies to the number of critical notes (considering HotNews Notes and High Priority Notes as “critical”). With 23 HotNews Notes and 34 High Priority Notes, these values are slightly above the 2019 and 2020 average numbers.


In 2021, The Onapsis Research Labs team contributed to detecting and patching a significant number of these published vulnerabilities:







Total Number in 2021






Onapsis Contribution







The year 2021 has shown that timely patching is absolutely key for not putting business applications and data at risk of compromise. More and more threat actors have sophisticated knowledge of business-critical applications and are actively targeting and exploiting unsecured SAP applications. Although SAP's September Patch Day came with a record-breaking number of critical notes, the number of released SAP security patches per year has not significantly changed over the past three years. The number has settled at a level that should allow every SAP customer to stay up to date with the required security patches. Nevertheless, SAP customers can expect a lot of additional work in the next few days and weeks as applying Log4j patches will keep them busy. Until now, these patches were not released in the context of SAP Patch Day.

Subscribe to our monthly Defender’s Digest newsletter for the latest in SAP security.

More 12 Days of AppsMas Blogs

More SAP Security Resources

Request a Demo from Onapsis

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.

Request a demo