Safe Tuesday with SNOK: Analysis of Attacks on SAP Systems – A Decade of Threats (2015-2025)

Over the past decade, SAP systems have become one of the primary targets of advanced cyberattacks, exposing critical data and business processes to significant risk [1][2][3]. More than 400,000 organisations worldwide, including 99 of the top 100 companies, rely on SAP solutions to manage their core business processes [4][5].

The Evolution of Attacks on SAP Systems (2015-2025)

Changing threats

Between 2015 and 2017, attacks on SAP systems focused mainly on exploiting basic vulnerabilities and weak passwords, with the time from patch release to exploitation reaching as long as a year [6][7]. Typical techniques of that period included brute-force attacks on high-privilege SAP accounts and the exploitation of unsecured customer and supplier portals [6][8].

Since 2018, we have observed a clear evolution towards more advanced attack techniques, including the use of exploit chains, which shortened the time to exploitation to just a few months [7][9].

A significant rise in the activity of APT (Advanced Persistent Threat) groups occurred between 2019 and 2021, when the time from patch release to exploitation shortened to just 72 hours [7][10][11].

The years 2022-2025 brought a genuine revolution in cyberattacks on SAP - we are seeing the use of artificial intelligence to automate attacks, “living-off-the-land” techniques, and the ability to compromise newly unsecured SAP systems in as little as 3 hours [12][10][7]. The most recent attacks are characterised by the use of zero-day exploits, as in the case of the critical vulnerability CVE-2025-31324 in SAP NetWeaver, which APT groups exploited to breach 581 systems worldwide [10][13][14].

Growing popularity among hackers

Interest in attacks on SAP systems increased by 490% in discussions on hacker forums between 2021 and 2023, indicating the growing appeal of these systems as attack targets [4][3][11]. The number of ransomware attacks targeting SAP systems has increased by 400% since 2021, making it one of the fastest-growing threats [11][4][3].

The popularity of attacks on SAP is also reflected in rising exploit prices - specialised firms now offer tens of thousands of dollars for remote code execution (RCE) vulnerabilities in SAP products [4][3][9]. On hacker forums, the number of discussions about SAP vulnerabilities and exploits increased by 490%, while conversations related to SAP cloud services and web applications rose by 220% between 2021 and 2023 [4][3].

Major APT Groups Targeting SAP Systems

Key actors and their origins

Attacks on SAP systems are carried out by advanced APT groups, dominated by groups backed by China and Russia [14][15][16]. The most active Chinese groups are UNC5221, CL-STA-0048, APT10 and UNC5174, which together breached more than 1,500 SAP systems worldwide in 2024 [14][16][17].

Russian groups such as FIN7, FIN13, Cobalt Spider and BianLian specialise in ransomware attacks and the theft of financial data from SAP systems [4][16].

Other significant groups attacking SAP systems include the North Korean Lazarus and Kimsuky, which focus on stealing financial assets and research data [18][8][15].

Attack techniques and targets

APT groups use advanced techniques such as vulnerability chaining, web shells and “living-off-the-land” tools to gain long-term access to SAP systems [10][19][15]. The most recent example is the exploitation of the CVE-2025-31324 vulnerability in SAP NetWeaver by several APT groups, which allowed code execution with administrator privileges and full control over the system [10][14][16].

The main targets of attacks are critical infrastructure, the energy sector, the financial sector, healthcare and government institutions, where SAP systems manage key business processes [14][17][10]. APT10 and CL-STA-0048 focus on stealing financial data and intellectual property, while FIN7 and BianLian specialise in ransomware attacks on SAP systems [14][4][10].

Types of Data Exposed to Attacks

The most vulnerable data

Analyses show that financial data (95% of attacks) and transactional data (92% of attacks) are the most exposed to attacks, making them the primary target for cybercriminals.

Customer information (88% of attacks) and employee data (82% of attacks) are also very frequently targeted due to their value for identity theft and phishing activities [20][21].

Corporate intellectual property, such as patents, product designs and market strategies, is targeted in 78% of cases and generates the highest average breach cost - 15.3 million USD per incident [20][22]. Operational data (75% of attacks) is targeted by attacks aimed at disrupting business operations, particularly in the case of critical infrastructure and supply chains [20][23].

Impact on business security

A breach of financial data in SAP systems has the highest business impact (9.8/10), which can lead to direct financial losses, fraud and non-compliance with regulations [24][25]. A breach of customer data has a business impact rated at 9.5/10 and can lead to serious legal consequences, particularly in the context of regulations such as GDPR [20][26].

Intellectual property is a particularly valuable target for state-sponsored APT groups, whose motivation is industrial espionage and the theft of trade secrets [27][26]. In the case of SAP systems, which often store and process enormous volumes of sensitive data, inadequate safeguards can lead to the compromise of the entire system and all data stored within it [6][20][28].

Costs of Attacks on SAP Systems

Financial consequences of breaches

The average cost of an SAP system breach is approximately 5 million USD, although this figure can rise significantly depending on the sector and scale of the attack [24][25][22]. In the banking sector, the average cost of an SAP system breach reaches as much as 18.37 million USD, and in the energy sector 17.84 million USD, making these the most costly incidents.

Research shows that organisations with fully implemented security automation incur an average breach cost of 2.45 million USD, compared to 6.03 million USD in organisations without automation [24][26]. These costs include breach detection, incident investigation, remediation and response management, as well as financial losses resulting from business disruption [24][29][25].

Long-term consequences for organisations

In addition to direct financial costs, attacks on SAP systems lead to serious reputational consequences, the value of which is estimated at 12.8 million USD [24][22][25]. Organisations affected by ransomware attacks on SAP systems can experience prolonged business disruption - an example is Stoli Group, which declared bankruptcy in 2024 following a ransomware attack on its SAP systems [30][5][24].

Breaches of SAP systems often lead to regulatory non-compliance, resulting in additional penalties and costs associated with meeting regulatory requirements, estimated at 3.1 million USD [24][26][25]. Long-term consequences also include loss of customer trust, a decline in share value and increased insurance costs, which can affect an organisation for many years after an incident [24][22][29].

Current vulnerabilities and exploits

In 2024-2025 we are seeing an unprecedented increase in sophisticated attacks on SAP systems, exploiting new and critical vulnerabilities [10][31][32]. The most serious threat is the CVE-2025-31324 vulnerability in SAP NetWeaver Visual Composer, which allows unauthorised file uploads and code execution with administrator privileges [32][10][13].

This vulnerability was exploited by numerous APT and ransomware groups, including BianLian and RansomEXX, as well as the Chinese group Chaya_004, resulting in the breach of more than 581 SAP systems worldwide [10][14][13]. Other critical vulnerabilities from 2024 include CVE-2024-41730 (CVSS score 9.8) in the SAP BusinessObjects Business Intelligence Platform and CVE-2024-29415 (CVSS score 9.1) in applications built using SAP Build Apps [31][33][34].

The evolution of hacker tactics

The latest trend is a drastic shortening of the time between patch release and exploitation - from months to just hours [7][35]. Contemporary attacks are characterised by the use of “living-off-the-land” techniques, where attackers use legitimate SAP tools to move around the system and avoid detection [19][32][10].

APT groups are demonstrating an increasingly deep familiarity with SAP environments, with advanced knowledge of internal components and system architectures [36][10][17]. Automation of attacks and the use of artificial intelligence to identify vulnerabilities in SAP code are becoming increasingly common among advanced attacker groups [12][10][4].

Recommendations and Conclusions

Strategies for securing SAP systems

Organisations should prioritise SAP security updates, particularly those marked as critical, and deploy them within 24 hours of release, in order to prevent the exploitation of known vulnerabilities [7][26][35]. Implementing automated SAP security monitoring tools can reduce the average breach cost by 58%, from 6.03 million USD to 2.45 million USD [24][26].

Applying the principle of least privilege, network segmentation and regular security audits are essential for minimising the risk of a successful attack on SAP systems [26][19][28]. Organisations should also implement specialist anti-malware solutions for SAP, since standard operating-system-level security tools do not protect against attacks on SAP applications [28][26][19].

Preparing for future threats

Given the growing interest in attacks on SAP, organisations must prepare incident response plans specific to SAP environments, in order to respond quickly to security breaches [26][25][19]. Awareness training for staff administering SAP systems and for end users is essential to reduce the risk of successful phishing and social engineering attacks [26][19][25].

Working with specialist SAP security partners, such as SecurityBridge or SNOK, can provide access to current threat intelligence and specialist expertise [37][19][26]. As attacks on SAP systems become increasingly sophisticated, organisations must adopt a proactive and comprehensive approach to SAP security, treating it as a critical element of their cybersecurity strategy [26][25][19].

It is worth explicitly highlighting the role of specialist tools, such as SecurityBridge, in the comprehensive protection of SAP environments. SecurityBridge is the first and only holistic, natively integrated security platform that enables real-time monitoring, detection and response to threats, while also providing support for incident management, compliance and security updates within the SAP ecosystem. This platform is particularly effective thanks to its integration with SIEM systems and advanced threat analysis algorithms, which allow only relevant alerts to be filtered and significantly reduce the costs of managing security data.

Working with a local partner such as SNOK, an SAP partner and official SecurityBridge partner, provides an additional layer of expert technical and business support. SNOK not only helps to implement and configure SecurityBridge according to an organisation’s specific needs, but also optimises security processes, minimising operational risk and the costs associated with managing security alerts. This enables companies to respond quickly to incidents, deploy security patches effectively, and maintain compliance with industry regulations.

In practice, this means that organisations using SecurityBridge - implemented and supported by SNOK - gain full control over the security of their SAP systems, can manage risk efficiently, and maintain business continuity even in the face of advanced cyber threats. This approach should be a key element of the security strategy for any company whose operations rely on SAP solutions.

Experts from SNOK’s SAP Cybersecurity department will continue to monitor the situation and regularly update threat analyses as part of the “Safe Tuesday with SNOK” series.

About SNOK’s SAP Cybersecurity Department

SNOK’s SAP Cybersecurity department brings together a team of highly qualified experts specialising in the security of SAP systems. Our analysts have many years of experience in threat identification, vulnerability analysis and developing protection strategies for organisations using SAP solutions worldwide.

Sources:

  1. https://www.mdpi.com/2079-9292/13/21/4153

  2. https://bmchealthservres.biomedcentral.com/articles/10.1186/s12913-024-11599-4

  3. https://www.enterprisesecuritytech.com/post/new-report-reveals-escalating-cyber-threats-to-sap-applications

  4. https://www.securityweek.com/sap-applications-increasingly-in-attacker-crosshairs-report-shows/

  5. https://cybersecuritynews.com/hackers-exploiting-sap-vulnerabilities/

  6. https://www.helpnetsecurity.com/2015/05/07/top-cyber-attack-vectors-for-critical-sap-systems/

  7. https://securityaffairs.com/116431/reports/sap-systems-under-attacks.html

  8. https://www.slideshare.net/slideshow/dmitry-gutsko/22591696

  9. https://socprime.com/blog/critical-sap-vulnerabilities-are-under-active-exploitation-in-ongoing-attacks-worldwide/

  10. https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html

  11. https://onapsis.com/blog/ransomware-attacks-on-sap-key-insights-from-our-fireside-chat-with-turnkey/

  12. https://securitybridge.com/blog/sap-security-ai-shifting-the-advantage/

  13. https://www.infosecurity-magazine.com/news/sap-netweaver-vulnerability/

  14. https://www.securityweek.com/ransomware-groups-chinese-apts-exploit-recent-sap-netweaver-flaws/

  15. https://socprime.com/blog/detect-chinese-attacks-exploiting-cve-2025-31324/

  16. https://www.linkedin.com/posts/ptechnology_cybersecurity-sap-apt-activity-7328391803282341888-fOGC

  17. https://industrialcyber.co/ransomware/eclecticiq-details-chinese-state-backed-hackers-launch-global-attacks-on-critical-infrastructure-via-sap-vulnerability/

  18. https://www.mdpi.com/2079-9292/11/24/4142

  19. https://securitybridge.com/blog/hunting-those-hiding-in-the-shadows/

  20. https://pathlock.com/protecting-sensitive-data-in-sap-and-other-critical-applications/

  21. https://ieeexplore.ieee.org/document/9527419/

  22. https://sapinsider.org/blogs/famous-sap-cybersecurity-incidents-and-how-to-avoid-similar-attacks/

  23. https://www.sap.com/poland/blogs/twelve-security-issues-for-evolving-factories

  24. https://explore.bowbridge.net/blog/cost-sap-cybersecurity-data-breach

  25. https://sapinsider.org/blogs/the-real-cost-of-sap-cybersecurity-breaches/

  26. https://www.asug.com/insights/researchers-warn-sap-customers-could-be-at-risk-from-cyberattacks

  27. https://global.ptsecurity.com/about/news/range-of-vulnerabilities-in-sap-products

  28. https://www.rsaconference.com/library/blog/know-these-hidden-sap-security-dangers-before-uploading-files

  29. https://securitybridge.com/blog/countering-data-breaches-an-urgent-call-for-action/

  30. https://onapsis.com/blog/sap-security-breach-cited-in-companys-bankruptcy/

  31. https://smartermsp.com/cybersecurity-threat-advisory-critical-sap-vulnerabilities/

  32. https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

  33. https://community.sap.com/t5/technology-blog-posts-by-members/sap-security-patch-day-october-2024/ba-p/13891655

  34. https://cybersecuritynews.com/sap-security-update/

  35. https://www.cpomagazine.com/cyber-security/hackers-exploit-known-sap-security-vulnerabilities-with-a-typical-cyber-attack-succeeding-in-record-time/

  36. https://www.cybersecuritydive.com/news/sap-netweaver-exploitation-second-wave/747661/

  37. https://community.sap.com/t5/technology-blog-posts-by-sap/new-attack-detection-patterns-released-for-sap-enterprise-threat-detection/ba-p/13996179
