Prevent Threats with Onapsis Threat Research

Onapsis Threat Research Hero

Onapsis comprises a premiere team of security experts.

We use our extensive knowledge of critical ERP applications and years of experience in threat research to provide valuable security insights and threat intelligence. We focus on safeguarding crucial business applications from companies like SAP, Oracle, and SaaS providers. Among research teams, Onapsis is the foremost contributor of vulnerability research to the SAP Product Security Response Team, making us unmatched in our field.

Review Our Research

Onapsis Research Labs

The Onapsis Research Labs continuously finds security threats for SAP and Oracle EBS. They warn you about these risks to your business. A team that looks for new threats is crucial to inform you about the latest dangers. They tell you about these threats and advice on how to stay safe, even for vulnerabilities that others don’t know about yet. This way, you’re protected while the ERP vendor fixes the issue.

LEARN ABOUT OUR LAB
Onapsis Threat Research Labs

CVE-2025-31324 ZERO-DAY

On April 24, 2025, SAP released an emergency patch for a CVSS 10.0 zero-day vulnerability that affects SAP Visual Composer, an optional but broadly installed component present in 50-70% of SAP Java systems worldwide.

This vulnerability is actively being exploited in the wild, as noted by Onapsis Threat Intelligence and multiple IR firms and security researchers. It was first publicly reported by ReliaQuest. 

Read our resource page to learn more about the threat and potential business impact of this critical zero-day vulnerability:

  • Details about the CVE-2025-31324 vulnerability.
  • Reporting on active exploitation in the wild and observations from Onapsis Research Labs.
  • How to determine if you’ve been exploited.
  • Recommendations on how to patch or mitigate this vulnerability in your essential SAP systems.

READ MORE

CH4TTER

Discover the sharp increase in ransomware incidents involving compromised SAP systems and the need for better cybersecurity measures.

Onapsis and Flashpoint have joined forces to level the playfield, revealing how threat actors are attacking SAP applications. CH4TTER report covers:

  • Since 2021, research demonstrates a 400% increase in ransomware incidents that involved compromising SAP systems and data at victim’s organizations.
  • Active threat community posts incorporating SAP-specific cloud and web services have increased 220% from 2021- 2023.
  • Conversations on SAP vulnerabilities and exploits have increased 490% across open, deep, and dark web from 2021-2023.

DOWNLOAD THE REPORT

C2 Incident on SAP

Onapsis Research Labs observed and analyzed malicious activity detected though our global threat intelligence cloud. A system running SAP was compromised and turned into a command and control bot by injecting a malicious file via an SAP vulnerability. The C2 incident initiated a distributed denial of service attack involving Cloudflare.

This paper reviews details of this attack including:

  • Source IP addresses
  • The malicious file,
  • The installation of midnight commander,
  • Cover the commands that were executed on the host system

DOWNLOAD THE REPORT

P4CHAINS

After months of research, Pablo Artuso and Yvan Genuer from Onapsis found vulnerabilities named ‘P4CHAINS’.

Read the complete threat report to learn more about their findings:

  • Details about the P4CHAINS vulnerabilities.
  • The possible adverse effects on businesses if these vulnerabilities are exploited.
  • Suggestions for safeguarding your essential SAP systems.
  • Recent findings on the increased impact of chaining vulnerabilities.

DOWNLOAD THE REPORT

ICMAD

Onapsis Research Labs spent a year investigating HTTP Response Smuggling, and discovering ICMAD vulnerabilities. The threat report explains:

  • The three ICMAD vulnerabilities
  • How exploiting these vulnerabilities can harm your business
  • Suggestions to safeguard your important SAP systems
  • Recent findings about HTTP Response Smuggling methods.

DOWNLOAD THE REPORT

RECON

The RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 and can potentially be exploited impacting the confidentiality, integrity and availability of mission-critical SAP applications. The threat report details:

  • How the RECON vulnerability poses risk to SAP customers
  • Details on the the potential cybersecurity and compliance impact of RECON
  • How to protect your SAP landscape and your organization

DOWNLOAD THE REPORT

10KBLAZE

In 2019, several new exploits targeting SAP applications were released in a public forum—named 10KBLAZE. Although the exploits target insecure configurations that have been reported by SAP and Onapsis, their public release significantly increased the risk of successful cyberattacks against SAP landscapes. This threat report describes:

  • Proprietary intelligence around the 10KBLAZE exploit
  • How to determine if your organization is at risk
  • Steps to remediate risk to your SAP landscape

DOWNLOAD THE REPORT

Threat Research Resources

The Onapsis Threat Research Labs offers a variety of resources, including blogs, threat reports, webinars, and advisories.

See Our Resources