Datasheet

Executive Threat Overview:
Reported SAP Cyber Attack Severely Impacts Business Operations, Compromises Data at Global Manufacturer

Executive Summary


In April 2025, Onapsis, government agencies and other leading cybersecurity firms reported on a broad, global attack campaign targeting SAP applications. While SAP responded promptly by releasing new security patches, several waves of attacks by multiple threat actor groups, including China-nexus threat actors and Russian-linked ransomware groups, led to the compromise of hundreds of vulnerable SAP systems in various industries and critical infrastructure organizations. These successful attacks led to full remote compromise of SAP applications, carrying significant operational, financial, regulatory and reputational risk for affected organizations.

Following this initial activity, cybercriminal group “Scattered LAPSUS$ Hunters” (ShinyHunters) released a public SAP exploit on August 15, 2025. This tool made remote compromise of vulnerable SAP systems easier, effectively “turnkey,” for any attacker, regardless of industry. Almost immediately, this exploit was leveraged by a multitude of different threat actors, opening up a Pandora’s Box of new attacks. Within recent weeks, Onapsis has observed a substantial uptick in attacks and at least four different threat clusters directly targeting SAP applications leveraging this exploit. As of Sept. 2025, reports of new victims started surfacing publicly.


SAP Vulnerability Reportedly Exploited, Leading to Operational Disruption and Data Breach at Global Manufacturer


In early September 2025, a large global manufacturer publicly disclosed that their operations had been disrupted by a cyber incident. After further investigation, the manufacturer subsequently confirmed data was breached. Various sources have also reported that government agencies are now involved. News reports note significant impact to the manufacturer’s operations – from production to supply chain to sales and operations. It has been reported that production facilities have been shut down, and plant workers were instructed to go home until further notice. As of the date of this document, multiple sources report that vital IT systems remain offline, overall business operations remain paralyzed, and the extended shutdown is expected to take weeks, if not longer, before business operations can recover. Additional reports note that this cyber attack has had ripple effects throughout the supply and value chains, affecting thousands of employees and various enterprises who do business with this manufacturer around the world. Several industry analysts have estimated losses for this manufacturer at $6.8 million per day.

News reports state that the very same group behind the release of the SAP exploit (as well as high-profile attacks against retailers and Salesforce customers), “Scattered LAPSUS$ Hunters” (ShinyHunters), claimed responsibility for the attack and disclosed that they gained access to their victim by exploiting an SAP vulnerability.


Elevated Business Risk to Global Enterprises Across All Industries


As noted by the Onapsis Research Labs earlier this year, the risk for organizations with vulnerable SAP systems has always been high because exploitation of this type of vulnerability grants threat actors completely unrestricted remote access to SAP business-critical data and processes, including the ability to exfiltrate, modify, or delete confidential and/or regulated information as well as disrupt operations. Exploitation bypasses traditional SAP security controls (such as user access and segregation of duties) and may leave no traces in standard SAP application audit logs.

While the business impact to affected organizations will vary based on their security controls and the motive of the threat actor, it may include (but is not limited to) critical service disruption; ransomware; unauthorized business activity (e.g., modifying financial records or fraudulent payments); theft of confidential, sensitive, and regulated information (e.g., PII, customer, or materials data); lateral movement to other critical internal systems; and non-compliance with regulations such as SOX, GDPR, HIPAA, NERC, NIS2 and others.

As of September 11, 2025, the Onapsis Research Labs considers the risk to large organizations to be elevated for the following reasons:

  1. Advanced threat actors clearly have the knowledge, capabilities, and resources to effectively target and compromise vulnerable SAP applications with clear intent to disrupt business operations, deploy ransomware, or breach an organization. With exploits now publicly available, the barrier to entry for any potential or unsophisticated threat actor is lowered, which has led to the observed uptick in threat activity exploiting vulnerable SAP systems.
  2. Across various engagements, Onapsis has observed numerous organizations that performed incomplete mitigation of these vulnerabilities when they were initially disclosed in April/May, and/or that were compromised before patches were fully implemented. Many SAP systems have been discovered that still have active backdoors to this date.
  3. Dozens of new vulnerabilities are patched by SAP every month. Many organizations still lack appropriate controls to ensure that new critical issues are resolved promptly and efficiently, and that active SAP threats can be detected and monitored in real time.


Immediate Recommended Actions to Protect Your Organization

  1. Validate that critical security patches, especially SAP Security Note 3604119 (released on May 13, 2025) for CVE-2025-31324 and CVE-2025-42999 and those for related deserialization vulnerabilities, have been applied across all vulnerable SAP systems in your environment.
  2. Perform an in-depth compromise assessment of potentially impacted SAP systems. Onapsis, in partnership with Mandiant, released a whitebox open-source tool to support defenders on May 16, 2025, available on GitHub.
  3. Implement SAP-endorsed, dedicated SAP application cybersecurity controls.

Follow our recommended actions to protect your business today.

If you need additional support, contact Onapsis and our experts will help assess your SAP platform for these critical issues (and more).
