ASUG News + Views
Threat Actors Are Tar­get­ing SAP. Are Cus­tomers Ready?
Luke Dean Feb 24, 2026
Bookmark
Share Article:

Down­load the full inter­view here.

For years, a pre­vail­ing assump­tion in the SAP ecosys­tem held that threat actors didn’t know enough about SAP to tar­get it direct­ly. That assump­tion took a seri­ous hit in 2025, when CVE-2025 – 31324 revealed a zero-day cam­paign involv­ing a pay­load spe­cial­ly craft­ed for SAP — one that required deep knowl­edge of SAP appli­ca­tions and Java dese­ri­al­iza­tion to build. It was, as Juan Perez-Etchegoyen describes it, the biggest myth buster” the com­mu­ni­ty has seen.

As CTO of Onap­sis, a posi­tion he has held for near­ly 15 years, Perez-Etchegoyen over­sees the company’s secu­ri­ty research efforts, work­ing close­ly with the Onap­sis Research Labs, whose joint vul­ner­a­bil­i­ty research with SAP has helped strength­en secu­ri­ty across the entire SAP cus­tomer base. 

When CVE-2025 – 31324 hit, his team was among the first to iden­ti­fy the sever­i­ty, share threat intel­li­gence with SAP, and help SAP push patch­es to cus­tomers. In many cas­es, this helped orga­ni­za­tions get ahead of a sec­ond wave of attacks that caught slow­er-mov­ing orga­ni­za­tions off guard. 

In an inter­view with ASUG, Perez-Etchegoyen dis­cussed how the SAP threat land­scape has evolved, what cus­tomers still get wrong about secur­ing cloud and hybrid envi­ron­ments, and why the orga­ni­za­tions that treat secu­ri­ty as a trans­for­ma­tion pri­or­i­ty — not an after­thought — tend to move faster.

This inter­view has been edit­ed and con­densed for length and clarity. 

Q. From where you sit, how has the cyber­se­cu­ri­ty threat land­scape for SAP envi­ron­ments shift­ed over the past few years, espe­cial­ly as more SAP cus­tomers move for­ward with cloud transformations?

It has def­i­nite­ly evolved or shift­ed in a num­ber of dif­fer­ent ways. One, from the per­spec­tive of the attack­ers or the threat actors. A cou­ple of years ago, we were mon­i­tor­ing attacks and exploita­tion of SAP vul­ner­a­bil­i­ties, and it was fair­ly sta­ble. Here and there, we were look­ing at spe­cif­ic, point­ed cam­paigns, some exploita­tion, some inci­dents, of course. There have always been inter­nal inci­dents where there’s an insid­er or some more com­plex sce­nar­ios, but the mass scale wasn’t real­ly there.

But over time, we start­ed see­ing more and more mass exploita­tion of SAP appli­ca­tions. Threat actors are upping their game with a good under­stand­ing of SAP tech­nol­o­gy, of how to exploit and com­pro­mise sys­tems, and of how to prof­it from it — by deploy­ing ran­somware, exfil­trat­ing data, or per­form­ing finan­cial fraud. More and more threat actors are tar­get­ing SAP direct­ly, where­as in the past, they tar­get­ed oth­er tech­nolo­gies that were more mas­sive­ly deployed. We know SAP is very per­va­sive in large enter­prise orga­ni­za­tions, but it’s not as mas­sive­ly deployed as oth­er tech­nolo­gies. So that’s on one side.

On the oth­er side is real­ly how SAP tech­nol­o­gy has been evolv­ing. Ten years ago, most SAP cus­tomers were run­ning on-premis­es behind the fire­wall with lit­tle con­nec­tion to the out­side world. That has changed with the rapid adop­tion of cloud, the push from SAP towards embrac­ing cloud appli­ca­tions, pub­lic cloud, and tran­si­tion­ing from solu­tions that were only avail­able on-premis­es to serv­ing those same solu­tions as pub­lic cloud SaaS applications.

All of that tran­si­tion led to orga­ni­za­tions run­ning com­plete­ly hybrid envi­ron­ments where they have some sys­tems on-premis­es, some sys­tems in pri­vate cloud, some sys­tems in pub­lic cloud, all of it inter­con­nect­ed through SAP Busi­ness Tech­nol­o­gy Plat­form (BTP). It’s a very fast pace of adop­tion, and that’s also increas­ing the attack sur­face. From those two per­spec­tives, it has been chang­ing a lot.

Q. What kinds of threats do you think SAP cus­tomers are most like­ly to under­es­ti­mate right now? And why do those risks tend to slip under the radar?

I think the biggest mis­con­cep­tion — and it’s slow­ly chang­ing — is that threat actors don’t know about SAP and don’t tar­get SAP. With CVE-2025 – 31324, we saw mas­sive exploita­tion of a zero-day with a pay­load that was spe­cial­ly craft­ed for SAP. That is show­ing that threat actors do know about SAP and do tar­get these applications.

Under­es­ti­mat­ing the fact that these appli­ca­tions are under attack is prob­a­bly the biggest prob­lem. If you don’t think that those appli­ca­tions are under attack, then you don’t deploy the right con­trols, the right mon­i­tor­ing. You don’t react fast enough until it’s too late, because these are heav­i­ly reg­u­lat­ed appli­ca­tions — our crown jew­els, in most cas­es — which orga­ni­za­tions are man­dat­ed to protect.

Q. How do you advise orga­ni­za­tions to think about SAP secu­ri­ty as part of a broad­er enter­prise risk man­age­ment frame­work, as opposed to treat­ing it like a more tra­di­tion­al IT secu­ri­ty domain?

The oppor­tu­ni­ty we have here is that orga­ni­za­tions have been, for the past cou­ple of years, con­stant­ly run­ning through migra­tion process­es. RISE with SAP, mov­ing to the cloud, and that’s still ongo­ing. That’s a per­fect oppor­tu­ni­ty to put secu­ri­ty front and cen­ter at the very begin­ning of these projects, dri­ving the require­ments and all the actions after­wards. We can plan and put a project togeth­er and real­ly inte­grate secu­ri­ty with our vul­ner­a­bil­i­ty man­age­ment ini­tia­tives, inci­dent response, con­tin­u­ous mon­i­tor­ing, and all of our DevSec­Ops initiatives.

All of those ele­ments still have to hap­pen to real­ly run secu­ri­ty effi­cient­ly across the orga­ni­za­tion, SAP includ­ed, but the unique oppor­tu­ni­ty we have today is that we are already ini­ti­at­ing and push­ing projects that will migrate SAP appli­ca­tions, regard­less of if it’s a lift and shift or a com­plete­ly new imple­men­ta­tion. Deploy­ing new tech­nol­o­gy, migrat­ing into new envi­ron­ments, and adding secu­ri­ty there as a require­ment at the very begin­ning makes a huge difference.

Q. As SAP cus­tomers migrate to S/4HANA, whether through RISE or hybrid archi­tec­tures, how is the shared respon­si­bil­i­ty mod­el around SAP secu­ri­ty changing?

That has been a top­ic of debate across many cus­tomers for the past two to three years. Start­ing about a year ago, I would say there is much more trans­paren­cy and under­stand­ing between SAP and its cus­tomers around this shared respon­si­bil­i­ty mod­el. But there have def­i­nite­ly been a lot of hic­cups along the way.

In the past, SAP cus­tomers believed SAP would do every­thing in regard to secu­ri­ty, so they didn’t need to wor­ry about it. The real­i­ty is that’s not the case. There is a shared respon­si­bil­i­ty mod­el. SAP will deal with a lot of those process­es and respon­si­bil­i­ties, but there is a huge part of the respon­si­bil­i­ties that are still on the customers.

Under­stand­ing that is impor­tant so you can actu­al­ly accom­mo­date your process­es and your con­trols, and you don’t have unmet expec­ta­tions, as we have seen in many cas­es where, after the deploy­ments hap­pened, Hey, but you told me that this was cov­ered,” and now we know that it’s not, and then this back and forth with your provider.

So now there’s much more clar­i­ty and much more trans­paren­cy. And it’s impor­tant: user autho­riza­tions, patch man­age­ment, con­fig­u­ra­tion man­age­ment, most secu­ri­ty-relat­ed aspects at the appli­ca­tion lay­er are still the respon­si­bil­i­ty of the cus­tomer. Every­thing below that — OS, parts of the data­base and the infra­struc­ture — is trans­par­ent to end users, man­aged and secured by SAP. But the appli­ca­tion lay­er is still some­thing we need to take care of. We are still account­able for ensur­ing that those are secure, and if some­thing hap­pens, it’s going to be our respon­si­bil­i­ty as cus­tomers to address that.

Q. Threat intel­li­gence gets dis­cussed in the abstract a lot, but from your expe­ri­ence, what does action­able threat intel­li­gence actu­al­ly look like in prac­tice when you’re talk­ing about SAP environments?

Threat intel­li­gence can be many things. It’s a con­cept that involves being able to cap­ture sig­nals that indi­cate how threat actors are behav­ing or evolv­ing, if there has been a com­pro­mise, if there are con­ver­sa­tions talk­ing about a spe­cif­ic vul­ner­a­bil­i­ty or a spe­cif­ic inci­dent, or if there are TTPs or IOCs — tools, tech­niques, pro­ce­dures, or indi­ca­tors of com­pro­mise — that should used to iden­ti­fy threat actors, and that we can use to detect them in our company.

In the con­text of SAP, threat intel­li­gence is real­ly all about being able to pri­or­i­tize. What are the vul­ner­a­bil­i­ties? What are the risks? What are the threats that are most time­ly today? Because we know that there is fric­tion when it comes to changes in SAP envi­ron­ments, for many rea­sons, espe­cial­ly in heav­i­ly reg­u­lat­ed industries. 

The real­i­ty is that being able to upgrade the ker­nel in a pro­duc­tion envi­ron­ment is a huge ordeal for orga­ni­za­tions. So if we have the right threat intel­li­gence allow­ing us to pri­or­i­tize: Hey, this is some­thing you need to look at imme­di­ate­ly because it’s an active threat that could pose an immi­nent threat to your orga­ni­za­tion” ver­sus Yes, this is impor­tant, but you can use your exist­ing process­es and take some time to apply this secu­ri­ty note or change this spe­cif­ic para­me­ter on the sys­tem,” that’s what allows you to make bet­ter deci­sions and use your resources more efficiently.

Q. Onap­sis Research Labs is wide­ly rec­og­nized in the SAP secu­ri­ty com­mu­ni­ty. What is its mis­sion, and why is inde­pen­dent SAP secu­ri­ty research espe­cial­ly crit­i­cal today?

We share a mis­sion of secur­ing SAP appli­ca­tions with SAP itself, at its core, ensur­ing that the ser­vices and prod­ucts they offer are secure and deliv­ered secure­ly to cus­tomers. By the joint work we do at the Onap­sis Research Labs, ana­lyz­ing SAP appli­ca­tions and report­ing secu­ri­ty vul­ner­a­bil­i­ties and poten­tial improve­ments from a secu­ri­ty per­spec­tive to SAP, and SAP releas­ing secu­ri­ty patch­es out of it, we effec­tive­ly help ele­vate the secu­ri­ty of SAP prod­ucts across the world, across the entire SAP cus­tomer base.

Now that we know that many threat actors are tar­get­ing SAP, being ahead of them, fix­ing those vul­ner­a­bil­i­ties togeth­er with SAP, and pre­vent­ing com­pro­mis­es are super impor­tant today, more than ever.

Q. Could you walk us through an exam­ple of how those insights have helped an orga­ni­za­tion get ahead of an emerg­ing threat?

I can give you a very recent exam­ple with CVE-2025 – 31324, which was last year. It was a zero-day cam­paign. Right after the first patch release by SAP, I think it was on a Thurs­day, we start­ed get­ting in touch with our cus­tomers. With­in a mat­ter of hours, we released sup­port on our plat­form to all of our cus­tomers and start­ed noti­fy­ing them. The cus­tomers who took that and were able to quick­ly react pre­vent­ed a whole sec­ond wave of attacks that hap­pened over the weekend.

We made it very clear to all orga­ni­za­tions: Hey, this is crit­i­cal, this is time­ly, we need to react because it’s an active threat being trig­gered by threat actors.” Because of that, we pre­vent­ed many addi­tion­al com­pro­mis­es that hap­pened after­wards. And we heard of orga­ni­za­tions that weren’t as quick to react, and they got hit after this sec­ond wave.

So that’s why time is impor­tant, quick reac­tion is impor­tant, but this is all dri­ven by the right threat intel­li­gence. The Onap­sis Research Labs were unique­ly posi­tioned on this CVE because we were able to see what threat actors were exploit­ing and actu­al­ly help SAP. We shared with SAP our threat intel­li­gence, so they came up with anoth­er patch fix­ing the root cause of the vul­ner­a­bil­i­ty. From the get-go, we start­ed warn­ing every­one about the crit­i­cal­i­ty, which was effec­tive­ly con­firmed right after that.

Q. Where does Onap­sis fit with­in SAP cus­tomers’ broad­er cloud and cyber­se­cu­ri­ty strate­gies, both for orga­ni­za­tions still run­ning ECC and those oper­at­ing in an S/4HANA landscape?

We’ve been in the mar­ket for over 15 years. We start­ed sup­port­ing the old­er ver­sions like ECC, even old­er NetWeaver ver­sions, all the way to the newest S/4HANA, BW/4HANA, all of the lat­est fla­vors of SAP ABAP-based solu­tions, and oth­er solu­tions as well. As SAP tech­nol­o­gy evolved, we have been evolv­ing, so cus­tomers can use our tech­nol­o­gy to pro­tect their entire land­scape, if they have on-premis­es, poten­tial­ly old­er sys­tems, and if they have new­er S/4HANA or any new­er prod­uct deployed in the cloud.

Q. As attack­ers become more sophis­ti­cat­ed, what role do you see AI play­ing in SAP secu­ri­ty over the next 12 to 24 months — both as a threat and as a tool for defenders?

I think the key lens we need to apply here is AI — it’s a dis­rup­tive tech­nol­o­gy across the board. Threat actors are also lever­ag­ing it to have more effi­cien­cy in tar­get­ing SAP cus­tomers and orga­ni­za­tions in general. 

Because of that, defend­ers have to be empow­ered with the right lev­el of vis­i­bil­i­ty around vul­ner­a­bil­i­ties in SAP, threats on SAP, con­tin­u­ous­ly mon­i­tor­ing SAP, and fix­ing any issues across the mul­ti­ple domains that SAP secu­ri­ty involves, whether it be con­fig­u­ra­tions, autho­riza­tions, inte­gra­tions, or cus­tom code. Because of how fast threat actors are going, orga­ni­za­tions need to deploy the right con­trols across the board on their SAP landscape.

We are also work­ing with AI at Onap­sis, imple­ment­ing secu­ri­ty use cas­es around AI, basi­cal­ly aug­ment­ing the capac­i­ty that some­one will have when ana­lyz­ing active threats or active mon­i­tor­ing capa­bil­i­ties on SAP sys­tems, with AI capa­bil­i­ties that allow you to deal with more infor­ma­tion in a small­er time win­dow. Being able to pri­or­i­tize and fil­ter the noise and real­ly take care of what could be real­ly important.

Q. If there’s one strate­gic step that SAP cus­tomers should pri­or­i­tize this year to strength­en their cyber­se­cu­ri­ty pos­ture, what would it be and why?

Assum­ing that SAP cus­tomers are not address­ing secu­ri­ty across the board in their entire land­scape, I would say it starts with vis­i­bil­i­ty. Under­stand­ing what the risks are and hav­ing the right vis­i­bil­i­ty into poten­tial vul­ner­a­bil­i­ties on the sys­tem, and also poten­tial inci­dents that could be affect­ing the system. 

We know that some threat actors are per­va­sive; they stay under the radar for long peri­ods of time, abus­ing the fact that SAP sys­tems process finan­cial trans­ac­tions, and they can prof­it from it. So I think it’s about being pur­pose­ful around secu­ri­ty and ded­i­cat­ing resources to it.

You Might Be Interested In


Insights Included in Membership
View All Insights
Bookmark
Bookmark
Bookmark
Bookmark