SAP’s Hectic Six Months of Patching
Key Takeaways
⇨ There has been a significant increase in high-priority security vulnerabilities in SAP systems during the first half of 2025, including multiple incidents occurring outside the regular patching cycle.
⇨ Insecure deserialization is a key vulnerability type being exploited, allowing attackers to execute arbitrary code or manipulate data, highlighting the need for continuous monitoring even after patches are applied.
⇨ Maintaining up-to-date patches, combining cybersecurity measures, and staying informed about new vulnerabilities are essential strategies for effectively protecting SAP systems from increasingly sophisticated threats.
Cybersecurity specialists and SAP teams have been having a busy year. According to a recent Onapsis blog, SAP issued 27 high-priority security notes, with an average CVSS score of 8.2, and 14 HotNews posts with an average CVSS score of 9.8. This represents an increase in the number of significant vulnerabilities reported, which SAP customers have had to parse, evaluate, and patch during the first six months of 2025.
Off Cycle Incidents and Critical Vulnerabilities
SAP routinely releases patches on the second Tuesday of each month. This normally consists of between 12 and 20 Notes, although the priority of these fixes varies. In a normal month most of the patches are for medium- or low-priority issues. This year, there have been several high-profile security incidents that were announced outside of the normal patching cycle, some of which were already under active exploitation at the time they were released. The increase in threat actors targeting SAP systems, and the active exploitation of vulnerabilities, reveals an increasing sophistication in attacks, and it is something security teams protecting SAP systems need to be aware of.
In addition to the increase in threats, several of the most recently announced vulnerabilities fall into a category known as insecure deserialization. This happens when untrusted data, typically malicious serialized data, is provided to an application and converted into an object without the normal validation steps taking place. The deserialized data can then be used to execute arbitrary code, manipulate data, or cause other harmful actions. The ways in which this type of attack can be realized include remote code execution, data tampering, privilege escalation, and denial of service.
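To make the mechanism concrete, the following is an added example (not code from the article, from SAP, or from Onapsis) using Python's pickle format, which has the same property as Java serialization: the serialized bytes can name a callable that the loader invokes during deserialization. The payload is constructed and harmless; it only records that code ran. Beside the vulnerable load are two defensive patterns: a restricted unpickler that refuses any class not on an explicit allow list, and the preferred approach of a data-only format with explicit field validation. The field names `user` and `role` are assumptions for illustration.

```python
"""Insecure deserialization, shown with Python's pickle (added example)."""
import io
import json
import pickle

# Sentinel: records whether any callable ran while bytes were being loaded.
EXECUTION_LOG: list[str] = []


def record_execution(marker: str) -> str:
    """Harmless stand-in for whatever a real gadget would execute."""
    EXECUTION_LOG.append(marker)
    return marker


class Gadget:
    """An object whose serialized form reduces to a function call.

    This is the core of the problem: the serialized bytes, not the
    application, decide which callable runs at load time.
    """

    def __reduce__(self):
        return (record_execution, ("code ran during unpickling",))


def build_untrusted_payload() -> bytes:
    """Constructed 'untrusted' bytes, as they might arrive from a client."""
    return pickle.dumps(Gadget())


def insecure_load(data: bytes):
    """Vulnerable pattern: deserializing untrusted bytes with no restriction."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: only explicitly allowed globals may be resolved."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load(data: bytes) -> dict:
    """Preferred pattern: a data-only format plus explicit schema validation."""
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected document shape")
    if not isinstance(obj["user"], str) or obj["role"] not in ("viewer", "editor"):
        raise ValueError("field validation failed")
    return obj


def demo() -> dict:
    """Run all three loaders against the constructed payload and report."""
    EXECUTION_LOG.clear()
    payload = build_untrusted_payload()

    insecure_load(payload)                      # the gadget's callable runs
    insecure_ran = len(EXECUTION_LOG) == 1

    try:
        restricted_load(payload)                # refused before anything runs
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True
    restricted_ran_nothing = len(EXECUTION_LOG) == 1

    benign = restricted_load(pickle.dumps({"a": 1}))   # plain data still loads
    safe = safe_load(b'{"user": "alice", "role": "viewer"}')
    return {
        "insecure_ran": insecure_ran,
        "restricted_blocked": restricted_blocked,
        "restricted_ran_nothing": restricted_ran_nothing,
        "benign_loaded": benign == {"a": 1},
        "safe_loaded": safe,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast: the same bytes cause the insecure loader to execute the embedded callable, while the restricted loader rejects them before any code runs and still accepts plain data. In practice the allow list should be kept as small as the application can tolerate, and where the wire format can be changed, a data-only format with validation removes the class of bug entirely.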
In the case of attacks on SAP systems, a vulnerability in SAP NetWeaver Application Server (AS) Java that had originally been patched in 2017 (CVE-2017-12637) was identified as being under active exploitation in March this year. Part of the challenge for SAP customers is that, while SAP had patched the issue in 2017, in some instances the vulnerability could persist even after the patch had been applied. With SAP NetWeaver AS Java often being internet facing, the issue was that an attacker could send a GET request that read arbitrary files via path traversal.
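The defensive side of a path-traversal bug is a file-serving routine that canonicalises the requested name and refuses anything that resolves outside the document root. Below is an added example (not code from the article or from SAP) that implements that check and then runs it over a few constructed access-log lines to flag traversal attempts, including a URL-encoded one. The document root `/srv/docs`, the URL prefix `/docs/`, the IP addresses and the log lines are all constructed for illustration; the log format is the common web-server access-log layout.

```python
"""Path-traversal check and log scan for file reads over HTTP (added example)."""
import re
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(root: Path, requested: str) -> Path:
    """Return the canonical path for `requested`, or raise if it escapes `root`.

    The name is URL-decoded exactly once before the filesystem sees it, so an
    encoded "%2e%2e" cannot slip past a check that only looks for "..".
    """
    root_resolved = root.resolve()
    decoded = unquote(requested)
    # Joining an absolute name discards `root`; the resolved path then fails
    # the containment check below, which is the intended outcome.
    candidate = (root_resolved / decoded).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside the document root")
    return candidate


# Constructed access-log lines: one legitimate read, one encoded traversal that
# the (unpatched) server answered with 200, and one plain traversal it refused.
CONSTRUCTED_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /docs/readme.txt HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "GET /docs/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1984
203.0.113.7 - - [12/Mar/2025:10:01:11 +0000] "GET /docs/../../../../etc/shadow HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)


def find_traversal_attempts(log_text: str, root: Path, url_prefix: str = "/docs/"):
    """Replay each request path through the containment check; return the escapes.

    Each hit is (client ip, raw request path, status). A hit with status 200
    means the server actually served the file and warrants follow-up.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(url_prefix):
            continue
        requested = m["path"][len(url_prefix):]
        try:
            resolve_under_root(root, requested)
        except PermissionError:
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(CONSTRUCTED_ACCESS_LOG, Path("/srv/docs")):
        print(hit)
```

Two details matter for the check itself: decoding happens once and before the join, and containment is decided on the resolved path rather than by searching the string for `..`, which misses encoded and absolute-path variants. For the log scan, the status column is what separates an attempt from a probable success.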
Although that issue is serious enough, the issue with the greatest impact was probably CVE-2025-31324. In this vulnerability a previously unknown issue in SAP Visual Composer allowed unauthenticated users to upload files, which could immediately lead to a full compromise of the system. Unlike other issues, this vulnerability was already being actively exploited when it was first discovered, making it a zero-day.
Although SAP patched the vulnerability immediately, as well as providing directions on how to disable the functionality, in this instance patching the system would not do anything to prevent access to systems that had already been compromised. This makes it even more important for SAP customers to actively monitor systems to verify that, even when patches are applied, unusual behaviors are no longer occurring. In layman’s terms, shutting the gate after the horse has bolted does not return the horse.
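One practical way to act on that advice is to keep a hash baseline of the directories a web-facing application serves or executes from and, after patching, diff the live tree against it: files that appeared or changed without a corresponding deployment are what to investigate. The following is an added example (not code from the article or from SAP) that builds such a baseline, takes the diff, and separately flags additions or modifications with server-side executable extensions. The directory layout, file contents and the extension list are constructed for illustration; a real deployment would take the baseline from a known-good build and keep it outside the monitored host.

```python
"""Post-patch integrity check against a hash baseline (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Extensions that a server would execute rather than serve as static content.
# Constructed list; extend it to match the application server in use.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".war", ".class", ".sh"}


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's root-relative path to its SHA-256 digest."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff_against_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report added, removed and changed files, plus those that are executable."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    suspicious = sorted(
        k for k in added + changed if Path(k).suffix.lower() in EXECUTABLE_EXTENSIONS
    )
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, alter it, and return the diff."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>ok</h1>")
    (root / "app").mkdir()
    (root / "app" / "Main.class").write_bytes(b"\xca\xfe\xba\xbe")
    baseline = hash_tree(root)

    # Simulate what a review after an incident might find: a new server-side
    # page nobody deployed and a modified class file. Contents are inert placeholders.
    (root / "app" / "helper.jsp").write_text("<% /* constructed placeholder */ %>")
    (root / "app" / "Main.class").write_bytes(b"\xca\xfe\xba\xbe\x00")
    (root / "notes.txt").write_text("constructed, non-executable addition")

    return diff_against_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `suspicious` list is the short triage queue; `added` and `changed` are the full record so that a non-executable addition is still visible. Run the comparison immediately after applying an out-of-cycle patch and again on a schedule, since the point of the article's warning is that the patch stops new entry but says nothing about what was left behind.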
What This Means for SAPinsiders
- Keeping up with patches and updates is not just necessary, it is critical. As more SAP systems are exposed to the internet, more previously unknown issues will be discovered. While these issues may not have been as serious when these systems were running entirely within the firewall, they can present huge vulnerabilities in cloud-based or internet-connected systems. This makes keeping up with patching more important than ever.
- Tasks like patching must be combined with other cybersecurity capabilities to effectively protect systems. No single cybersecurity technology, tool, or approach offers comprehensive security. Defenses must be layered if they are to provide effective coverage. This is why patching is only part of the puzzle. Activities like monitoring, zero-trust networking, single sign-on, and multi-factor authentication all play their part in defending SAP systems. For organizations relying on just one approach or technology, it is only a matter of time until a vulnerability becomes an actively exploited threat.
- Staying informed about new issues and vulnerabilities is vital. Threat intelligence feeds offer insight into newly discovered vulnerabilities in SAP systems. Even where these are not in use, following updates from cybersecurity vendors such as Onapsis is a vital part of ensuring SAP systems are protected. Most security vendors have blogs that provide valuable information about threats. However this information is gathered, organizations that are uninformed are always more vulnerable than those that are informed.