Top 5 SAP Security Risks & How to Mitigate Them

SAP Applications are the backbone of many large enterprises, handling critical processes like finance, treasury, supply chain, and human resources. This makes them prime targets for cyberattacks. Protecting these applications is paramount, yet the complexity and interconnectedness of SAP environments often present a massive attack surface.
Understanding common vulnerabilities and attack vectors is the first crucial step in fortifying your defenses. Let’s delve into the top 5 SAP security risks that your system might be facing today.
1. Missing SAP Security Patches: An Open Invitation to Attackers
SAP Applications run on top of a complex technology stack built from many components that need to be maintained and updated. SAP periodically releases security patches that address newly discovered security flaws, typically on the second Tuesday of every month (SAP Patch Day). Failing to apply these patches in a timely manner leaves known SAP security vulnerabilities wide open for exploitation. Attackers actively scan for unpatched systems, making them easy targets.
Risks of Delayed SAP Patching:
Unpatched systems are exposed to a wide range of attacks, from denial of service (DoS) to remote code execution and unauthorized access, and threat actors actively exploit these known flaws. For example, CVE-2025-31324 (a missing authorization check in the SAP NetWeaver Visual Composer Metadata Uploader that lets an unauthenticated attacker upload files and, from there, execute code) was observed being exploited in the wild shortly after it became public. The later SAPSprint Remote Code Execution vulnerability (CVE-2025-42937) shows that new critical flaws keep appearing in the SAP stack and that rapid patch application is not optional.
How to Improve SAP Patch Compliance:
- Establish a clear process: Ensure your patch management process is properly communicated so critical patches do not come as a surprise to BASIS administrators.
- Prioritize by risk: Track the monthly SAP security notes and prioritize their implementation by CVSS score, but also weigh whether the affected component is actually installed, whether the system is internet-facing, and whether the flaw is known to be exploited. Watch for out-of-band patches released outside Patch Day.
- Audit regularly: Regularly audit your systems to identify missing patches and test your established patch management process.
- Automate the process: Consider automated vulnerability management solutions like Onapsis Assess to streamline the discovery and prioritization process.
2. The Danger of Default Credentials: A Hacker’s Best Friend
Standard users such as SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM on the ABAP stack, and the administrative and service users on the Java stack, are created during installation with well-known default passwords; custom applications sometimes ship their own. Intended for initial setup only, these credentials are publicly documented and are among the first things an attacker tries if they are left unchanged. The problem affects SAP Applications running on both SAP NetWeaver Application Server ABAP and Java.
The Risk of Default Credentials
Default credentials give an attacker an authenticated entry point without any exploit, from which critical system functions and sensitive data are directly reachable. One emergency mechanism deserves particular attention: if the SAP* user master record does not exist in a client and the profile parameter login/no_automatic_user_sapstar is not set to 1, the kernel accepts a logon as SAP* with the hard-coded password PASS and grants it full authorizations.
How to Eliminate SAP Default Credential Vulnerabilities:
- Change immediately: Immediately change all default passwords during the initial system setup.
- Block standard users: Block default accounts if they are not used or required by any existing internal process.
- Implement MFA: Deploy multi-factor authentication (MFA) for an added layer of security.
- Review accounts: Regularly review user accounts and permissions, removing or disabling unnecessary accounts. SAP provides the standard report RSUSR003 to check, across all clients, whether the known standard users exist, whether they are locked, and whether they still carry their default passwords.
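One way to turn the "review accounts" step into a repeatable check of your own. This is an added example, not code from the original article or from SAP: a hypothetical custom report (ZSEC_STANDARD_USERS) that reads USR02 in every client for the well-known ABAP-stack standard users, reports their lock status, flags clients in which SAP* has no user master record, and prints the value of login/no_automatic_user_sapstar. It assumes SAP NetWeaver AS ABAP 7.40 or later (inline declarations), that the caller holds cross-client table authorization, and that the class CL_SPFL_PROFILE_PARAMETER is available for the parameter read. It does not test for default passwords; RSUSR003 does that.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_STANDARD_USERS - added example (hypothetical report name), not
*& SAP's RSUSR003. Lists the well-known ABAP-stack standard users in all
*& clients with their lock status, and flags clients where SAP* has no
*& user master record: together with login/no_automatic_user_sapstar = 0
*& that enables the hard-coded SAP*/PASS logon with full authorizations.
*&---------------------------------------------------------------------*
REPORT zsec_standard_users.

TYPES: BEGIN OF ty_user,
         mandt TYPE usr02-mandt,
         bname TYPE usr02-bname,
         uflag TYPE usr02-uflag,
       END OF ty_user.

DATA: lt_users   TYPE STANDARD TABLE OF ty_user,
      lt_clients TYPE STANDARD TABLE OF t000-mandt,
      lr_bname   TYPE RANGE OF usr02-bname,
      lv_param   TYPE spfl_parameter_value.

" Standard users delivered with the ABAP stack; extend the list for your
" landscape (add-ons create more). 'SAP*' is compared literally (EQ).
lr_bname = VALUE #( sign = 'I' option = 'EQ'
                    ( low = 'SAP*' ) ( low = 'DDIC' ) ( low = 'EARLYWATCH' )
                    ( low = 'SAPCPIC' ) ( low = 'TMSADM' ) ).

" T000 is client-independent: one row per client defined in this system.
SELECT mandt FROM t000 INTO TABLE lt_clients ORDER BY mandt.

" USR02 is client-dependent. CLIENT SPECIFIED without a MANDT condition
" reads every client; the caller needs cross-client table authorization
" (S_TABU_CLI), itself a privilege to grant sparingly.
SELECT mandt bname uflag FROM usr02 CLIENT SPECIFIED
  INTO TABLE lt_users
  WHERE bname IN lr_bname.
SORT lt_users BY mandt bname.

WRITE: / 'Client', 12 'User', 28 'Status'.
ULINE.
LOOP AT lt_users INTO DATA(ls_user).
  " UFLAG is a bit mask: 32 = locked globally by admin, 64 = locked locally
  " by admin, 128 = locked after failed logons (may be auto-unlocked).
  " ( x DIV 32 ) MOD 4 isolates the two administrator-lock bits.
  DATA(lv_admin_lock) = ( ls_user-uflag DIV 32 ) MOD 4.
  DATA(lv_status) = COND string(
    WHEN lv_admin_lock <> 0   THEN 'locked by administrator'
    WHEN ls_user-uflag >= 128 THEN 'locked after failed logons only (temporary)'
    ELSE                           'USABLE - change password or lock' ).
  WRITE: / ls_user-mandt, 12 ls_user-bname, 28 lv_status.
ENDLOOP.

" A client without a SAP* user master record is the dangerous case: the
" kernel then accepts SAP* with password PASS (all authorizations)
" unless login/no_automatic_user_sapstar = 1.
SKIP.
LOOP AT lt_clients INTO DATA(lv_client).
  IF NOT line_exists( lt_users[ mandt = lv_client bname = 'SAP*' ] ).
    WRITE: / lv_client, 12 'SAP*', 28 'MISSING - hard-coded SAP*/PASS logon possible'.
  ENDIF.
ENDLOOP.

" Profile parameter read; assumes CL_SPFL_PROFILE_PARAMETER (SAP_BASIS 7.x).
cl_spfl_profile_parameter=>get_value(
  EXPORTING name  = 'login/no_automatic_user_sapstar'
  IMPORTING value = lv_param ).
SKIP.
WRITE: / 'login/no_automatic_user_sapstar =', lv_param, '(expected: 1)'.
```

Run it in client 000 with a user that may read cross-client tables, and treat every "USABLE" line and every "MISSING" line as a finding: the former needs a password change and a lock, the latter needs a SAP* master record created and locked in that client, in addition to the profile parameter being set to 1.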
3. Vulnerabilities in Custom Code (e.g. SQL Injection)
SAP Applications are almost always customized to map an organization's processes onto the standard product, and in doing so developers can introduce security vulnerabilities such as injection flaws or missing authorization checks. The best-known example is SQL injection. In ABAP it occurs when user-controlled input is concatenated into a dynamic Open SQL clause (for example a WHERE condition passed as a string) or into native SQL executed through ADBC, letting an attacker alter the query so that it bypasses the intended filters and reads, modifies, or deletes data in the underlying database.
Risks from SAP Custom Code Vulnerabilities:
Attackers can exploit software vulnerabilities affecting custom code across SAP Applications, potentially leading to a complete system compromise. In the case of a successful SQL injection attack, it can lead to severe data breaches, financial losses, and reputational damage.
Best Practices for Securing SAP Custom Code:
- Secure coding practices: Prefer static Open SQL with host variables over dynamic clauses; where a dynamic token is unavoidable, validate it against an allowlist or escape it (the ABAP class CL_ABAP_DYN_PRG provides checks and escaping for this), and guard every data access with an AUTHORITY-CHECK. The same rules apply to custom web applications that talk to the SAP database.
- Continuous testing: Regularly perform code reviews and scan all custom code with automated Application Security Testing (AST) tools that understand ABAP, covering injection, missing authorization checks, directory traversal, and the other known flaw classes.
- Educate developers: Train developers on secure coding principles specific to ABAP.
- Shift left: Integrate secure development practices directly into your software development processes (DevSecOps) to prevent the introduction of vulnerabilities before they reach production.
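The two flaws named above, an injectable dynamic WHERE clause and a missing authorization check, side by side with their hardened form. This is an added example, not code from the original article or from SAP: a hypothetical demo report (ZSEC_CUSTCODE_DEMO) that reads the standard customer master table KNA1. It assumes SAP NetWeaver AS ABAP 7.40 or later (string templates, inline declarations) and the standard class CL_ABAP_DYN_PRG. The vulnerable path is behind a checkbox so the reader can try the payload deliberately; the same AUTHORITY-CHECK also illustrates the least-privilege point of risk 4.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_CUSTCODE_DEMO - added example (hypothetical report name), not
*& code from the original article or from SAP. Shows two flaws typical
*& of custom ABAP, a WHERE clause built from user input (SQL injection)
*& and a missing authorization check, next to the hardened form of each.
*& KNA1 is the standard customer master table.
*&---------------------------------------------------------------------*
REPORT zsec_custcode_demo.

PARAMETERS: p_name   TYPE kna1-name1 LOWER CASE,
            p_unsafe TYPE abap_bool AS CHECKBOX.   " run the vulnerable path

DATA: lt_kna1  TYPE STANDARD TABLE OF kna1,
      lv_where TYPE string.

IF p_unsafe = abap_true.
  " VULNERABLE: (a) no authorization check, so anyone who can start the
  " report reads customer master data; (b) the input is concatenated
  " into a dynamic WHERE clause. Entering   X' OR NAME1 <> '   as p_name
  " yields the condition
  "   NAME1 = 'X' OR NAME1 <> ''
  " and returns every customer with a non-empty name, not just 'X'.
  lv_where = |NAME1 = '{ p_name }'|.
  SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).
ELSE.
  " HARDENED (a): check authorization before touching the data.
  " F_KNA1_GEN / ACTVT 03 = display customer central data.
  AUTHORITY-CHECK OBJECT 'F_KNA1_GEN'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display customer master data' TYPE 'E'.
  ENDIF.

  " HARDENED (b): no dynamic SQL at all. The host variable is bound as a
  " value, so quotes in the input are data, not syntax.
  SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE name1 = p_name.

  " Where a dynamic clause is unavoidable, escape the token instead:
  " cl_abap_dyn_prg=>escape_quotes doubles every single quote, so the
  " payload above becomes one harmless literal, 'X'' OR NAME1 <> '''.
  " (Same result as the static SELECT; shown here for the pattern.)
  lv_where = |NAME1 = '{ cl_abap_dyn_prg=>escape_quotes( p_name ) }'|.
  SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).
ENDIF.

LOOP AT lt_kna1 INTO DATA(ls_kna1).
  WRITE: / ls_kna1-kunnr, ls_kna1-name1.
ENDLOOP.
```

Run the report twice with the payload as p_name, once with the checkbox set and once without, and compare the row counts. The difference between the two branches is exactly what a static scanner looks for: user input flowing into a dynamic Open SQL clause without passing through an allowlist check or escaping, and a database access with no AUTHORITY-CHECK on the path that reaches it.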
4. Insufficient Authorization and Access Controls: The Insider Threat and Beyond
Granular authorization concepts are fundamental to running complex and critical business applications, and SAP Applications are no exception. Poorly designed roles and permissions, however, leave users with access to functions and data beyond their job responsibilities. This not only increases the risk of internal fraud and errors; an external attacker who compromises one over-privileged account inherits all of its access.
Access Control Risks in SAP Systems:
Insufficient access controls can lead to unauthorized data access, modification, or deletion, as well as the execution of critical system functions by unauthorized individuals.
How to Enforce SAP Authorization Best Practices:
- Principle of Least Privilege: Grant users only the necessary authorizations required to perform their specific tasks.
- Regular audits: Continually review and audit user roles and permissions.
- Control emergency access: Ensure emergency and temporary access is properly defined and implemented so any request can be properly approved, logged, and audited.
- Implement SoD: Enforce Segregation of Duties (SoD) to prevent conflicts of interest and reduce the risk of fraud.
5. Lack of Change Management Security
SAP transport management is the process of moving changes (configuration, custom code, and other repository objects) across the systems in your SAP landscape, for example from development through testing to production. If this process is not designed with security in mind, malicious or unreviewed changes can reach the production environment, potentially causing significant disruption and security breaches.
Risks of Poor or Absent SAP Change Management:
Malicious changes can be imported into production, enabling attacks on the business, including financial fraud. A transport is not passive data: it can carry programs that run during the import itself, and it can change users, roles, and authorization objects, so an attacker who manages to inject or alter a transport does not need to wait for anyone to execute their code.
How to Secure SAP Transport and Change Processes:
- Secure directories: Protect the transport directory (/usr/sap/trans by default) and its file systems with strict OS-level access controls; anyone who can write the data and cofiles there can alter a transport's content after it has been exported and reviewed but before it is imported.
- Robust approvals: Implement a strict change management process with proper approvals and unalterable audit trails.
- Automate checks: Automate security and compliance checks on all objects being transported through the change management pipeline before they are released to production.
Protecting Your Crown Jewels
Securing your SAP systems is not a one-off event but an ongoing process that requires vigilance, a proactive approach, and a solid understanding of the threats. Regardless of whether your organization already has a mature SAP security process or is just taking its first steps, addressing these five risks and implementing the recommended actions will significantly strengthen your SAP environment and safeguard your organization's most critical assets.
Finally, ensuring your BASIS administrators and SAP teams have a solid understanding of security risks and threats is key to maintaining a secure SAP landscape. You can continue educating your users about cybersecurity threats and best practices through the recently released Cybersecurity for SAP | Book and E-Book – by SAP PRESS.
Frequently Asked Questions About SAP Security Risks
What are the biggest SAP security risks today?
The top SAP security risks include misconfigurations, unpatched vulnerabilities, excessive user privileges, insecure custom code, and weak integration controls.
Why is patching so critical in SAP environments?
Unpatched SAP systems are a top attack vector. Threat actors often exploit known vulnerabilities before organizations apply fixes.
How can I assess whether my SAP system is exposed to these risks?
Conduct regular vulnerability assessments and configuration reviews using specialized SAP security tools like Onapsis Assess.
What role does user access play in SAP risk?
Improperly managed access can lead to privilege escalation or internal abuse. Implementing role-based access control is essential.
Is custom code a real security threat in SAP systems?
Yes. Insecure custom code can introduce hidden vulnerabilities. Routine code reviews and automated scanning help mitigate this risk.
Can third-party integrations compromise SAP security?
Yes. Poorly secured integrations can become entry points. Validate all interfaces and secure them with proper authentication and encryption.
What is the best way to stay ahead of new SAP threats?
Follow SAP patch releases closely, subscribe to threat intelligence updates (like those from Onapsis), and ensure regular security testing.
How does Onapsis help mitigate SAP security risks?
Onapsis provides automated vulnerability management, compliance monitoring, and threat detection purpose-built for SAP environments.
Are these risks relevant to SAP S/4HANA too?
Absolutely. While S/4HANA introduces improvements, it also inherits risks from legacy systems. A security-first approach remains essential.
How often should SAP systems undergo security assessments?
Quarterly assessments are a recommended minimum. High-risk or internet-facing systems may require more frequent reviews.
