2025 will go down in history as a turning point in how SAP system security is perceived. A zero-day vulnerability in the NetWeaver Visual Composer component (CVE-2025-31324), a global attack campaign run by groups linked to China and Russia, and hundreds of compromised organisations worldwide brutally reminded boards and CISOs that SAP has stopped being the “invisible back office” of the business – it has become target number one for advanced criminal groups and state actors. In 2026 we can no longer talk about enterprise information security without accounting for the business-application layer.
Why has SAP ended up in cybercriminals’ crosshairs?
The answer lies in a single figure: 77% of the world’s transactional turnover flows through SAP systems. We are talking about more than 400,000 organisations worldwide and annual B2B transactions exceeding $6 trillion within the SAP Business Network alone. This is not just finance and accounting – it also covers logistics, manufacturing, supply-chain management, HR and payroll, and the personal data of millions of employees and customers.
For attackers, breaching SAP means access to a complete picture of the enterprise – the ability to steal sensitive data, manipulate financial processes, paralyse production or extort a ransom. Unlike an attack on a single workstation, compromising an SAP system gives criminals immediate access to information of strategic business value.
Research by SAPinsider conducted between March and May 2025 shows that as many as 23% of organisations experienced a cybersecurity incident in the past year that directly affected their SAP environment. For the first time in three years of the survey, data exfiltration took first place among the biggest threats, overtaking ransomware. Third place went to connections with other systems and applications, reflecting growing concern around integration points in hybrid and multi-cloud environments.
“An SAP system is the digital backbone of the modern enterprise. Its compromise is not an IT department problem – it is the paralysis of the whole organisation and potential losses running into millions of złoty per day. That is why SAP security should be a boardroom conversation, not just a technical one” – emphasises Jacek Bugajski, CEO of SNOK.
The response window has shrunk to hours
One of the most alarming trends of 2025 was the dramatically increasing speed with which attackers exploit newly discovered vulnerabilities. Onapsis Research Labs researchers observed that only 24 hours elapse between the publication of a vulnerability and the first scans looking for vulnerable systems. Within 72 hours, a functional exploit is already available. In the case of the aforementioned NetWeaver Visual Composer zero-day, active attacks were detected almost immediately after the vulnerability was disclosed.
In August 2025 the situation deteriorated further when the criminal group ShinyHunters published a ready-made tool making it simple to compromise vulnerable SAP systems. From that point on, the barrier to entry for would-be attackers effectively disappeared – you no longer need to be a sophisticated hacker to carry out a successful attack.
Patches that decide survival
January 2026 brought another intense month of fixes. SAP published HotNews security notes covering, among other things, critical SQL injection vulnerabilities in the General Ledger module of S/4HANA and remote code execution in Wily Introscope Enterprise Manager. December 2025 closed with fourteen new notes, including three of critical severity affecting Solution Manager, Commerce Cloud and jConnect SDK.
The statistics for the whole of 2025 are alarming: the number of published security notes rose by 39% year on year, exceeding 200 entries. The share of the highest-severity notes (HotNews) increased by more than half. In the first half of the year SAP issued 27 high-priority notes with an average CVSS score of 8.2, and 14 HotNews notes with an average score exceeding 9.8.
For organisations operating in hybrid environments – combining on-premises installations, the RISE with SAP private cloud, the BTP platform and cloud solutions such as Commerce Cloud – the challenge is no longer patch deployment itself, but maintaining full visibility of the entire SAP landscape. Traditional maintenance windows planned a month in advance are no longer sufficient when attackers exploit a vulnerability the day after it is disclosed. HotNews notes now need to be treated like zero-day vulnerabilities – requiring an immediate response.
“Many of our clients operating in hybrid environments struggle with fragmented visibility. They have on-premises systems, cloud instances, partner integrations – and each of these elements may contain an unpatched vulnerability. Our role is to help them build a coherent picture of security across their entire SAP landscape” – explains Jarosław Kamil Zdanowski, Partner at SNOK.
The business dimension of a successful attack
The case of a global manufacturer in autumn 2025 showed how dramatic the consequences of a successful breach of an SAP environment can be. A six-week production shutdown, employees sent home, supply-chain disruptions felt by hundreds of partners and suppliers – estimated operational losses reached a billion pounds. Government agencies became involved in the investigation, and the effects of the incident were felt across the entire economy.
This is not an isolated case. IBM’s 2025 report puts the average global cost of a data breach at $4.44 million. For ERP systems, where even a brief outage means halting critical business processes, these figures rise much faster. One beverage company, which filed for bankruptcy in December 2024, explicitly named a two-month cyberattack on its SAP systems as one of the main factors leading to its collapse.
The regulatory dimension further complicates the picture. The NIS2 directive in the European Union and new SEC reporting requirements in the United States place organisations under an obligation to tightly control critical systems and rapidly report incidents. An SAP security incident therefore becomes not only an operational and financial problem, but also a legal and reputational one. Auditors are increasingly verifying compliance with the SAP Security Baseline and Secure Operations Map, and a lack of continuous monitoring can result in higher audit costs and more difficult conversations with regulators.
From reaction to prevention – the maturing security model
At SNOK we have observed a clear shift in our clients’ approach over the past two years. Conversations increasingly start with the question “how do we secure ourselves in advance?” rather than “what do we do after an attack?” This is a fundamental paradigm shift – moving from reactive firefighting to proactive risk management.
Together with clients we are building a mature SAP security model comprising several key elements. First, systematic patch management with prioritisation based on real risk and business context, not only CVSS scoring. Second, continuous configuration monitoring and detection of anomalous user behaviour. Third, integration of SAP security events with corporate security operations centres, so that SOC teams have a complete picture of the threats. Fourth, regular security audits and penetration testing targeted at the specifics of the SAP environment. Finally – educating boards and embedding SAP security into corporate risk-management frameworks.
“Proactive SAP security is now a necessity, not a luxury. Organisations that treat patch management as a key business metric rather than a technical obligation gain a genuine competitive advantage. The cost of prevention is many times lower than the cost of responding to an incident” – notes Dariusz Kurkiewicz, Team Leader of the Cybersec & SAP BASIS team at SNOK.
SecurityBridge – the foundation of modern SAP security
One of the pillars of our approach to securing SAP environments is the deployment of the SecurityBridge platform – a native solution operating directly within the SAP environment. Unlike external tools that analyse SAP from a network perspective, SecurityBridge has full insight into the processes occurring within the system and can detect threats invisible to traditional security solutions.
The platform offers comprehensive capabilities for real-time threat detection, vulnerability and patch management, monitoring of permissions and user behaviour, and automation of regulatory-compliance processes. The patch-management module makes it possible to quickly identify missing patches across the entire SAP landscape and prioritise remediation. A built-in AI-powered code analyser helps developers detect and fix vulnerabilities in ABAP code before deployment to the production environment.
SecurityBridge integrates with popular SIEM platforms, including Microsoft Sentinel, giving SOC teams full visibility of SAP security events within the context of the organisation’s entire IT environment. Thanks to ready-made detection rules and a predefined security map, SNOK clients see a visible improvement in their security posture within the first few weeks of go-live – some doubling their security level in a very short time.
What will 2026 bring?
There is no reason to believe that pressure from attackers will ease. Quite the opposite – the growing availability of exploitation tools, the ever-shorter window between vulnerability disclosure and attack, and the evolution of criminal tactics towards data theft and extortion rather than simple encryption all point to a further escalation of threats.
Organisations must accept that SAP security is an integral part of corporate risk management, not solely the responsibility of the BASIS team or system administrators. Regular reviews of security notes, deployment of dedicated monitoring tools, development of SAP-specific incident-response plans, and collaboration with an experienced partner are today the standard expected by regulators and auditors – not a competitive advantage.
If you would like to learn more about our approach, carry out a security audit of your SAP environment, or find out more about the SecurityBridge platform – please get in touch with the SNOK team.