A 210 per cent increase in the active exploitation of SAP vulnerabilities. Five critical flaws with a CVSS score of 10.0. Losses counted in the billions. 2025 delivered a brutal test of how organisations approach the security of their ERP systems - and demonstrated that those who treated cybersecurity as a cost are now paying considerably more.
INTRODUCTION: A YEAR OF TRANSFORMATION
When we published the first article of the year in the “Safe Tuesday with SNOK” series in January 2025, no one yet knew that the coming months would bring an unprecedented wave of attacks on SAP systems. Today, closing out the year with the thirty-first article in this series, we can look back on twelve months that have permanently changed the cybersecurity landscape for corporate systems.
Throughout the year, our team monitored threats, analysed vulnerabilities and supported clients in building resilience against attacks. At SNOK, we maintained the security of SAP environments for many of our clients, managing on average three to four SAP landscapes per organisation - dozens of development, test and production systems, along with companion solutions including Fiori platforms. Each of these systems required constant attention, because as 2025 demonstrated, attackers do not rest.
THE THREAT LANDSCAPE: NUMBERS THAT SHOULD CONCERN YOU
The Onapsis Research Labs report leaves no room for doubt - active exploitation of SAP vulnerabilities increased by 210% compared with the previous year. This is not an abstract statistic. Behind this figure lie real attacks on critical infrastructure: gas networks in the United Kingdom, water utilities and medical device manufacturers in the United States, ministries in Saudi Arabia. SAP has stopped being “too complex to attack” - it has become a priority target.
SecurityBridge recorded a 39 per cent increase in the number of SAP Security Notes - from 149 in 2024 to 207 in 2025. Among them, 25 were HotNews notes (CVSS 9.0 or higher), including five with the maximum score of 10.0. In other words, a critical vulnerability requiring immediate action appeared on average every two weeks.
CVE-2025-31324: THE VULNERABILITY THAT DEFINED THE YEAR
April 2025 brought a discovery that shook the SAP community. CVE-2025-31324 - a missing authorization check in the Metadata Uploader of SAP NetWeaver Visual Composer (SAP Security Note 3594142), rated CVSS 10.0 - was being exploited as a zero-day before the emergency patch was released. An unauthenticated attacker could upload arbitrary files, in practice JSP webshells, to the Java application server and run commands with the operating-system privileges of the server process, which amounts to full control over the NetWeaver system.
By the end of the year, the compromise of 581 SAP NetWeaver systems worldwide had been confirmed. The attackers identified included China-linked groups - UNC5221, UNC5174, Chaya_004 and Earth Lamia - as well as the ransomware operators BianLian, RansomEXX and Qilin. In August, the ShinyHunters group published a working exploit chaining the flaw with CVE-2025-42999, the Visual Composer deserialization vulnerability patched in May, putting the attack within reach of far less skilled actors.
A spectacular example of the consequences was the Jaguar Land Rover case. An attack exploiting the SAP zero-day paralysed production at British factories, with losses estimated at 1-2 billion pounds. For many organisations, this was a wake-up call - the belief that “this won’t happen to us” proved to be a costly illusion.
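The practical question most teams asked about CVE-2025-31324 was "has anyone already been at our uploader?". The script below is an added example (not SNOK's or SAP's code) that runs the two checks a responder would want over web access logs: requests to the Visual Composer uploader endpoint named in SAP Security Note 3594142, and JSP files being served directly under /irj/, which is where webshells dropped through the uploader were reported. It assumes a reverse proxy or ICM in front of the Java stack writes Apache common/combined log lines; the log excerpt is constructed, not real traffic.

```python
"""Log-based detection of exploitation attempts against CVE-2025-31324
(SAP NetWeaver Visual Composer Metadata Uploader).

Added example, not code from SNOK or SAP. Assumes (assumption) a reverse proxy
or ICM in front of the Java stack writes requests in Apache common/combined log
format. The endpoint path is the one named in SAP Security Note 3594142; the
/irj/*.jsp rule is a heuristic for the JSP webshells reported dropped via the
uploader and must be confirmed against the filesystem.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Endpoint exposed by the Visual Composer Metadata Uploader (SAP Note 3594142).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Common/combined log line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    severity: str  # "high" | "medium" | "low"
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for lines touching the uploader or a JSP under /irj/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    method, status = m["method"], int(m["status"])
    ip, ts = m["ip"], m["ts"]

    if path.startswith(UPLOADER_PATH):
        if method == "POST" and status == 200:
            return Finding(ip, ts, "high", "POST to metadata uploader accepted: possible file upload")
        if status == 200:
            return Finding(ip, ts, "medium", "uploader reachable without authentication: exposure probe")
        return Finding(ip, ts, "low", f"{method} to uploader answered {status}: not served")

    # Heuristic: webshells dropped through the uploader were served as JSPs from the irj root.
    if path.startswith("/irj/") and path.endswith(".jsp") and status == 200:
        return Finding(ip, ts, "high", f"JSP served directly under /irj/: {path}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep only those that produced a finding."""
    return [f for f in map(classify, lines) if f is not None]


def suspect_sources(findings: Iterable[Finding]) -> List[str]:
    """Client addresses with at least one high-severity finding."""
    return sorted({f.ip for f in findings if f.severity == "high"})


# Constructed sample log (not real traffic): a probe-then-upload-then-webshell
# sequence from one client, a legitimate portal request, and a rejected POST
# as seen once the patch (or the Note's workaround) is in place.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:09:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:09:12:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [24/Apr/2025:09:12:09 +0000] "GET /irj/x.jsp HTTP/1.1" 200 87
198.51.100.4 - - [24/Apr/2025:10:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
192.0.2.9 - - [25/Apr/2025:11:30:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.severity:6} {f.ip:14} {f.ts}  {f.reason}")
    print("suspect sources:", suspect_sources(found))
```

A 200 on an unauthenticated GET is only an exposure indicator; the high-severity combination is an accepted POST followed by a JSP served from /irj/ by the same client, which should trigger a filesystem check of the irj root and a full compromise assessment rather than just patching. After Note 3594142 (or the workaround of disabling the application) is applied, unauthenticated requests to the endpoint should no longer answer 200 at all.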
THE POLISH PERSPECTIVE: A YEAR OF REGULATION AND CHALLENGES
2025 was a year of regulation in Poland. The NIS2 Directive, the DORA regulation, the AI Act, and amendments to the National Cybersecurity System Act - each of these legislative instruments is changing the way organisations must approach the security of their IT systems, including SAP.
NIS2: FROM THOUSANDS TO TENS OF THOUSANDS OF ENTITIES
Although Poland missed the 17 October 2024 transposition deadline for the NIS2 Directive, legislative work gained momentum towards the end of the year. The draft amendment to the National Cybersecurity System Act reached the Sejm in November, with adoption planned for the turn of 2025/2026. The scale of the changes is unprecedented - the regulation will cover between 38,000 and 80,000 entities, compared with only a few thousand organisations subject to obligations to date.
The penalties provided for in the Polish draft are among the harshest in Europe: up to EUR 10 million or 2% of annual revenue for essential entities, and for managers personally - up to 600% of their remuneration. This is a clear signal: cybersecurity is ceasing to be the domain of IT departments and becoming a board-level responsibility.
DORA: THE FINANCIAL SECTOR UNDER SCRUTINY
Since 17 January 2025, the DORA regulation has applied directly across the entire European Union. For banks, investment firms, insurers and their ICT service providers, this means new obligations regarding operational risk management, resilience testing and incident reporting. Penalties reach PLN 21 million for legal entities and PLN 3 million for board members.
In the context of SAP systems, DORA carries particular significance. ERP systems process financial data, manage transactions and support critical business processes. Their security is not merely an IT matter - it is the foundation of the operational resilience of financial institutions.
SNOK’S ACTIVITIES IN 2025: FROM THEORY TO PRACTICE
At SNOK, 2025 was a period of intensive project work. We delivered implementations addressing the most serious cybersecurity challenges - from protecting critical data, through securing large SAP HANA environments, to innovative projects combining artificial intelligence with automation.
“The biggest mistake is viewing SAP environment cybersecurity solely through the lens of roles and authorisations. Today, effective protection requires securing all layers of the architecture.” Jacek Bugajski, CEO of SNOK
SECURITYBRIDGE: THE FOUNDATION OF SAP SECURITY
The SecurityBridge platform remains a key tool in our arsenal. In 2025, we continued to maintain and support the implementation at Stock Spirits Group - a project that, from the very outset, demonstrated how quickly comprehensive protection can be built. Three weeks from launch to production, with the entire SAP security policy based on a single, integrated platform.
A new implementation was the launch of SecurityBridge at PKP Cargo - an organisation managing critical infrastructure in the railway sector. In the context of the upcoming NIS2 regulations and growing requirements for operators of essential services, this project carries strategic significance for the security of Polish transport.
SecurityBridge is today a platform securing more than 5,000 production SAP systems worldwide. Its research laboratory ranks third globally according to the SAP Security Response Team, having reported over 100 zero-day vulnerabilities. In 2025, SecurityBridge researchers discovered, among others, CVE-2025-42957 - a critical flaw in SAP S/4HANA with a CVSS rating of 9.9, actively exploited in production environments.
HARDENING A 16 TB SAP HANA ENVIRONMENT
One of the most demanding projects of the year was the comprehensive hardening of a 16 TB SAP HANA environment for a large public-sector client. This is one of the largest SAP HANA instances in Poland.
The project involved enabling full encryption of data at rest - HANA data and log volumes encrypted with AES-256-CBC - configuring auditing in line with the SAP Security Baseline Template 2.5, putting management of the encryption root keys in place, and segmenting the network. The particular challenge was performance at this scale: every change was tested to confirm that the encryption overhead stayed within the acceptable 2-5% range.
“At environments of this scale, there is no room for compromise. Every architectural decision must balance security with performance, and every change requires precise planning.” Jaroslaw Kamil Zdanowski, Partner, Cybersecurity & SAP BASIS
ON-PREMISES AI: INNOVATION IN THE JUSTICE SECTOR
The project delivered at the Court of Appeal in Wrocław is an example of an innovative approach to deploying artificial intelligence in the public sector. Regulatory requirements - including the AI Act, which classifies AI systems in the justice sector as high-risk - together with the specific nature of the judicial data being processed, ruled out cloud-based solutions.
The answer was an on-premises deployment of UiPath Automation Suite, integrated with the Document Understanding component for processing legal documents. The whole system operates in an air-gapped environment with no connection to the cloud, ensuring full control over the data and compliance with SCCO (the Polish Cloud Computing Cybersecurity Standards) requirements.
“On-premises AI is the future for institutions processing sensitive data. Polish language models such as PLLuM and Bielik, available since February 2025, open up new possibilities for the public sector.” Michal Korzen, CTO, Enterprise & AI Architect
SECURE AUTOMATION IN PUBLIC ADMINISTRATION
In one ministry, we implemented a process automation solution with a full governance model, addressing NIS2 requirements and SCCO level 3 requirements. The project included configuring detailed role-based access control policies, immutable audit logs with retention in line with legal requirements, and secure credential storage integrated with external secrets management systems.
Automation in the public sector demands particular care. Every process robot acts on behalf of the institution, and its actions must be fully auditable and compliant with personal data protection regulations and access-to-public-information law.
SECURE CUSTOM DEVELOPMENT AT MEDICOVER
Medicover, with over 45,000 employees across nine countries, processes some of the most sensitive data - health information and employee HR records. The secure custom development project involved implementing static and dynamic code analysis, including the latest AI features that explain vulnerabilities and recommend fixes.
A key element was the implementation of a Quality Gate - a mechanism blocking the transport of code containing vulnerabilities into production environments. In the healthcare sector, where medical data is subject to special protection under GDPR, this level of control over in-house code is essential.
31 ARTICLES: A YEAR OF EDUCATION AND KNOWLEDGE SHARING
The “Safe Tuesday with SNOK” series is more than just monthly reviews of SAP Patch Day. In 2025, we published more than 30 expert articles, analysing the most important events and trends in SAP security. From a detailed analysis of CVE-2025-31324, through a review of the anatomy of the attack on Jaguar Land Rover, to practical guides for preparing for a security audit.
Every SAP Security Patch Day - from January to December - was analysed and described in detail by us, in language accessible both to technical specialists and to senior management. We wrote about SAP BTP security, about why traditional antivirus software does not see threats within SAP, about cybersecurity hygiene, and about how to talk about security so that the board actually listens.
An article on a zero-click vulnerability in Microsoft Copilot demonstrated that threats extend across the entire ecosystem - not just SAP systems. An analysis of a decade of attacks on SAP systems (2015-2025) provided the historical perspective necessary to understand the current situation. And a practical guide to UiPath in cybersecurity opened up a discussion on the role of automation in protecting against threats.
2026: WHAT LIES AHEAD?
The trends observed in 2025 will not slow down. Onapsis Research Labs warns that as little as 24 hours may pass between the disclosure of a vulnerability and the observation of scanning activity by attackers, and only 72 hours until a functional exploit becomes available. The window for response is shrinking dramatically.
In Poland, 2026 will bring the full entry into force of the legislation implementing NIS2. Organisations will have three months to enter themselves in the register of entities and six months to implement a security management system. For many companies, this is a revolution - not an evolution.
The AI Act comes into full application in August 2026. AI systems in critical infrastructure, the financial sector and the justice system will have to meet stringent requirements. For organisations using AI solutions within SAP environments, this means a necessary review of architecture and processes.
“In a time when cyber-attacks are already an everyday occurrence, it is critically important to secure critical SAP applications appropriately. Thanks to our partnership with SecurityBridge, our team of experts is able to fully secure SAP applications in a very short time.” Jacek Bugajski, CEO of SNOK
SECURITY IS A PROCESS, NOT A PRODUCT
2025 demonstrated with full force that SAP cybersecurity is not an option that can be deferred. Companies that put off security investments in January were, by December, counting their losses or - in the worst cases - dealing with the consequences of successful attacks.
At SNOK, we have spent years building competencies in the SAP field. Today those competencies - enriched by partnerships with SecurityBridge and UiPath, ISO 27001 and ISO 9001 certification, and experience from projects across the public and private sectors - enable us to support clients in building genuine resilience.
Security is a process, not a product. It is continuous monitoring, regular updates, ongoing education and readiness for a rapid response. It is also collaboration - with technology partners, with clients, and with the entire security community.
In 2026, the “Safe Tuesday with SNOK” series will continue. We will analyse new threats, comment on regulatory changes and share practical experience from our projects. Because in a world where attackers never rest, defenders cannot afford to either.
SNOK Sp. z o.o. is a Polish consulting firm whose team brings together 25+ years of combined experience in SAP technology. As an SAP Partner, and a partner of SecurityBridge and UiPath, we support organisations in building secure, efficient and resilient IT environments.
More information: snok.ai
Would you like to see this in practice, or discuss an implementation for your organisation? Get in touch - we will respond within 48 hours.