The Year of the Zero-Day: Top SAP Vulnerabilities of 2025

In 2025, the SAP threat landscape shifted permanently. The year was defined by three critical realities: the massive NetWeaver Zero-Day (CVE-2025-31324), a surge in perfect-score deserialization flaws, and a shrinking window of defense where attackers weaponized exploits within hours of disclosure.

For security teams, the takeaway from 2025 is clear: traditional patching windows are no longer sufficient. With attackers actively deploying webshells and ransomware to shut down applications before patches can be tested, the strategy must shift from pure prevention to rapid threat detection.

Below is the executive summary of the specific vulnerabilities that defined the year, and the tactical steps required to secure your landscape for 2026.

Visualizing the Risk: The 2025 Vulnerability Heatmap

We have developed a brand new heatmap that visually represents the threat landscape based on severity and exploitability:

The 2025 SAP Vulnerability Heatmap, categorizing the year’s most critical risks by severity and attack vector.

The NetWeaver Crisis: CVE-2025-31324 & CVE-2025-42999

The most significant event of the year was undoubtedly the zero-day affecting SAP NetWeaver, specifically the SAP Visual Composer component.

  • The Threat (CVE-2025-31324): This zero-day vulnerability allowed unauthenticated attackers to upload arbitrary files, leading to immediate full system compromise and Remote Code Execution (RCE).
  • The Business Impact: The consequences are severe. Attackers gaining “adm” privileges could access the SAP system database, manipulate data, shut down applications, or deploy ransomware.
  • Active Exploitation: Onapsis Research Labs observed exploitation in the wild almost immediately. Attackers rapidly deployed webshells to maintain persistence, proving that perimeter defenses were insufficient.
  • The Root Cause Fix (CVE-2025-42999): Following forensic analysis by Onapsis Research Labs, SAP issued Security Note 3604119 on May 13, 2025. This patch fixed the underlying flaw that enabled the initial zero-day. Despite being a follow-up patch, it was rated Critical (CVSS 9.1) and added to CISA’s Known Exploited Vulnerabilities catalog.

Recommendation: Onapsis strongly recommends applying SAP Security Note 3604119 even if you implemented earlier mitigations, as it addresses residual risk that attackers are still targeting.

The Hidden Danger: Deserialization Flaws (CVE-2025-30012)

Identified in our mid-year analysis, CVE-2025-30012 was a critical deserialization vulnerability with a perfect CVSS score of 10.0.

  • Target: This flaw primarily impacted systems like SAP Supplier Relationship Management (SRM).
  • Why it Matters: Deserialization vulnerabilities are insidious. They allow Remote Code Execution if untrusted data is processed without validation. Onapsis Research Labs highlighted this class of bug as a “major hidden danger” underlying many of 2025’s worst issues.
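As an added example (not SAP's or Onapsis's code) of the bug class this section describes, the Java snippet below shows the unsafe deserialization pattern beside a hardened version that uses the JDK's ObjectInputFilter allow-list; OrderRequest is a hypothetical application type and the HashMap is a constructed stand-in for a gadget chain.

```java
import java.io.*;
import java.util.HashMap;
public class DeserializationDemo {
    // Hypothetical application type: the only object this endpoint expects.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public OrderRequest(String orderId) { this.orderId = orderId; }
    }

    // VULNERABLE: readObject() instantiates whatever class the stream names, so a
    // gadget class on the classpath runs code long before the cast is evaluated.
    public static OrderRequest unsafeRead(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (OrderRequest) in.readObject();
        }
    }

    // HARDENED: an ObjectInputFilter (Java 9+) sees every class before it is resolved,
    // rejects all but the expected types, and bounds depth and reference count so a
    // crafted stream cannot exhaust memory either.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        if (info.depth() > 5 || info.references() > 100) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // back-reference, no class
        return (c == OrderRequest.class || c == String.class)
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    public static OrderRequest safeRead(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (OrderRequest) in.readObject(); // InvalidClassException when REJECTED
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("allowed: " + safeRead(serialize(new OrderRequest("4711"))).orderId);
        // Constructed sample: a plain HashMap stands in for a gadget chain. unsafeRead
        // would instantiate it (failing only at the cast); safeRead never does.
        try { safeRead(serialize(new HashMap<String, String>())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter runs before any class is loaded or instantiated, which is why an allow-list belongs at the stream level rather than relying on the cast after readObject().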

August Patch Day: S/4HANA Code Injection

The summer brought no relief. In August 2025, Onapsis flagged two new “HotNews” vulnerabilities affecting SAP S/4HANA (On-Premise / Private Cloud).

  • The Flaw: A remote-enabled function module allowed arbitrary code injection, putting the digital core at risk.
  • Broader Impact: A related note covered customers using the Data Migration Server (DMIS) add-on. This meant that both modern S/4HANA environments and older SAP ECC-based setups were equally at risk of full system compromise.

November Patch Day: High-Severity Flaws End the Year

As the year closed, the November 2025 Patch Day introduced several critical fixes, proving that the threat landscape remains volatile.

  • SQL Anywhere Monitor (CVSS 10.0): A “HotNews” fix addressed hard-coded credentials and insecure key management, an issue that could allow arbitrary code execution.
  • SAP Solution Manager (CVSS 9.9): Security Note #3668705 addressed a code-injection vulnerability in Solution Manager caused by missing input sanitization in a remote-enabled module.

Analysis: Why 2025 Was a Critical Year for SAP Security

The data tells a stark story. In the first half of 2025 alone, there were 27 High-Priority SAP Security Notes (average CVSS ~8.2) and 14 “HotNews” notes (average CVSS ~9.8).

Three trends defined the year:

  1. Structural Risk: The prevalence of insecure deserialization across multiple components underscores a systemic risk in Java-based SAP components.
  2. Velocity of Attacks: The speed of exploitation was alarming. Onapsis observed active attacks shortly after disclosure, including webshell deployment and the reuse of compromised systems by second-wave threat actors.
  3. Business Impact: These were not just IT problems; they were business risks. Unpatched systems faced unauthorized access, data breaches, and potential ransomware sabotage.

Key Takeaways & Recommendations

  • Don’t ignore deserialization vulnerabilities. Even “routine” patch days often included deserialization flaws with top severity (e.g., CVE-2025-30012).
  • Patch quickly and comprehensively. The gap between disclosure and exploitation was short (hours to days), especially for zero-days like CVE-2025-31324.
  • Monitor for post-exploit artifacts. Webshells and follow-on attacks (reuse, pivoting, ransomware) were observed by Onapsis. Remediation must include detection, not just patching.
  • Audit legacy and add-on modules. Many vulnerabilities (e.g., SRM, Solution Manager, SQL Anywhere Monitor) impacted legacy or less-commonly reviewed SAP modules — ensure full coverage, not just core ECC/S/4HANA.
  • Collaborate with threat-intel & incident-response vendors. Onapsis (with partners like Mandiant) released open-source scanners and IoC tools; integrating these into your security toolkit can improve detection and response speed.

Frequently Asked Questions: The 2025 SAP Threat Landscape

What was the most critical SAP vulnerability of 2025?

The most critical vulnerability was the NetWeaver Zero-Day (CVE-2025-31324). It received a CVSS score of 9.8 because it allowed unauthenticated attackers to upload files and execute code remotely. Onapsis Research Labs observed attackers exploiting this in the wild almost immediately to deploy webshells and ransomware.

Why are deserialization vulnerabilities considered a “hidden danger”?

Deserialization flaws (like CVE-2025-30012) are dangerous because they often allow for full system compromise (Remote Code Execution) without requiring valid user credentials. In 2025, these flaws received perfect CVSS 10.0 scores because they attack the core Java stack, often bypassing standard perimeter defenses.

How quickly do attackers exploit new SAP vulnerabilities?

The window for defense has shrunk to hours. In 2025, Onapsis observed attackers weaponizing exploits for vulnerabilities like the NetWeaver Zero-Day almost immediately after disclosure. This proves that the traditional “monthly patching cycle” is no longer fast enough to prevent a breach.

Are legacy SAP systems still a security risk?

Yes. Major vulnerabilities in 2025 targeted legacy components like SAP Visual Composer and Solution Manager. Attackers target these “forgotten” assets because they are often less monitored than the core S/4HANA environment, providing an easy entry point for lateral movement.

What is the “Structural Risk” mentioned in the 2025 report?

Structural risk refers to the systemic prevalence of insecure coding patterns, specifically insecure deserialization, across the SAP landscape. This isn’t just a single bug; it is a recurring weakness in Java-based components that consistently generates high-severity vulnerabilities.