SAP Company Cyber Security Posture

sap.com

SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world's most complex and demanding processes. SAP's integrated portfolio unites the elements of modern organizations, from workforce and financials to customers and supply chains, into a unified ecosystem that drives progress. SAP privacy statement for followers: www.sap.com/sps

SAP Company Details

Linkedin ID:

sap

Employees number:

128,087 employees

Number of followers:

4,025,957

NAICS:

511

Industry Type:

Software Development

Homepage:

sap.com

IP Addresses:

27

Company ID:

SAP_1049751

Scan Status:

In-progress

SAP Risk Score (AI oriented)

Between 900 and 1000

This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.


SAP Company Scoring based on AI Models

Model Name: AVERAGE-Industry

Date: 03-12-2025

Description: This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers.

Current Score Difference: N/A

Score: Between 900 and 1000

SAP Company Cyber Security News & History

Past Incidents: 6
Attack Types: 3
Entity | Type | Severity | Impact | Seen | Incident ID
SAP | Breach | Severity 50 | Impact 2 | Seen 3/2025 | ID SAP1007030425
Rankiteo Explanation :
Attack limited to finance or reputation

Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.

SAP | Ransomware | Severity 100 | Impact 5 | Seen 5/2025 | ID SAP723051525
Rankiteo Explanation :
Attack threatening the organization's existence

Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.

SAP | Vulnerability | Severity 100 | Impact 5 | Seen 3/2025 | ID SAP443032025
Rankiteo Explanation :
Attack threatening the organization's existence

Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. The vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw carries a CVSS score of 7.5, a high severity rating. Because it is being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies mitigate it by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches affecting customer and organizational data and disrupting significant operational capacities.

SAP | Vulnerability | Severity 100 | Impact 5 | Seen 4/2025 | ID SAP758042625
Rankiteo Explanation :
Attack threatening the organizationโ€™s existence

Description: German software giant SAP's widely-used SAP NetWeaver was exploited due to a critical vulnerability in its Visual Composer development server. The vulnerability enabled an unauthenticated attacker to upload potentially harmful executable binaries. This compromise could significantly affect the confidentiality, integrity, and availability of the targeted system. The vulnerability was detected in April 2025 and assigned the highest severity score by SAP, 10.0 (CVSS v3.1). Although SAP quickly released an emergency fix, affected systems running the latest SAP service pack were already exploited, signifying a zero-day attack.
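The three NetWeaver entries above describe two exposure patterns a SOC can hunt for in front-end access logs: unauthenticated requests to the Visual Composer metadata uploader servlet, and directory-traversal sequences in request paths of the kind CVE-2017-12637 relies on. The Python below is an added example written for this page, not SAP's, Rankiteo's or any vendor's code. The servlet path /developmentserver/metadatauploader comes from SAP's public advisory for the Visual Composer flaw and is not stated on this page; the log format, IP addresses and the traversal URL are constructed sample data, not real indicators of compromise.

```python
import re
from urllib.parse import unquote

# Servlet path named in SAP's public advisory for the Visual Composer flaw (not stated on this page).
METADATA_UPLOADER = "/developmentserver/metadatauploader"

# Common Log Format as written by a reverse proxy in front of the Java stack.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines. The traversal target is a made-up URL, not the real CVE-2017-12637 path;
# the last line is a benign false-positive candidate ("a..b" is not a traversal).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2025:10:14:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1400
10.0.0.5 - - [29/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.9 - - [20/Mar/2025:08:01:33 +0000] "GET /irj/portal?file=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 2400
10.0.0.12 - jsmith [20/Mar/2025:08:02:10 +0000] "GET /irj/portal HTTP/1.1" 200 8800
10.0.0.7 - - [20/Mar/2025:08:03:44 +0000] "GET /webdynpro/resources/a..b/style.css HTTP/1.1" 200 300
"""


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded %252e%252e%2F is seen as '../';
    backslashes are folded to '/' so Windows-style traversal hits the same check."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify(line: str):
    """Parse one log line and attach zero or more findings; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize_target(m["target"])
    path = target.split("?", 1)[0].lower()
    findings = []
    # Uploader servlet reached without an authenticated principal: POST is an upload attempt,
    # anything else is reconnaissance for the component.
    if path.startswith(METADATA_UPLOADER) and m["user"] == "-":
        findings.append("visual_composer_unauth_upload" if m["method"] == "POST"
                        else "visual_composer_unauth_probe")
    # A '..' segment bounded by a separator, '=' or '&' anywhere in the decoded target
    # (CVE-2017-12637 carried the traversal in the query string, not the path).
    if re.search(r"(?:^|[/?=&])\.\.(?:/|$)", target):
        findings.append("path_traversal")
    return {"ip": m["ip"], "method": m["method"], "target": m["target"], "findings": findings}


def scan(log_text: str):
    """Return only the parsed lines that produced at least one finding."""
    results = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed["findings"]:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["target"], hit["findings"])
```

Two caveats for real deployments: the "-" check on the authenticated-user field only works when the front end logs the principal; behind cookie-based SSO it is usually empty, so treat every POST to the uploader as suspect and rely on the application's own authentication logs to clear it. Second, bounded repeated decoding matters because single-pass decoders miss %252e%252e, while unbounded decoding can be driven into a loop by crafted input.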

SAP | Vulnerability | Severity 50 | Impact 1 | Seen 6/2025 | ID SAP909061025
Rankiteo Explanation :
Attack without any consequences

Description: A critical security vulnerability has been discovered in SAP NetWeaver Application Server for ABAP that allows authenticated attackers to bypass standard authorization checks and escalate their privileges within enterprise systems. The vulnerability, tracked as CVE-2025-42989 and assigned a CVSS score of 9.6, was addressed in SAP's June 2025 Security Patch Day. The flaw allows low-privileged authenticated users to execute function modules without proper authorization verification, resulting in significant privilege escalation that can critically impact both system integrity and availability.

SAP | Vulnerability | Severity 85 | Impact 4 | Seen 6/2025 | ID SAP527062525
Rankiteo Explanation :
Attack with significant impact with customers data leaks

Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. Researchers have discovered vulnerabilities in the product's user input history feature affecting both Windows and Java versions. These vulnerabilities could expose sensitive information such as usernames, national IDs, and bank account numbers, stored either unencrypted or protected with a weak, reusable XOR key.
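The weakness described above, a single static XOR key reused for every stored value, is not encryption in any useful sense: one known record gives away the key bytes it covers, and those bytes unlock every other record in the same store. The Python below is an added example written for this page, not SAP GUI code or the researchers' code. The key, record layout and sample entries are constructed for illustration and are not the real SAP GUI key or history-file format; only the reuse property carries over.

```python
"""Known-plaintext key recovery against a fixed, reused XOR key.

Constructed illustration of the weakness class; not SAP GUI code or its real key/format."""

KEY_LEN = 16
# Constructed: one fixed key that every record in the history store is XORed with.
REUSED_KEY = bytes.fromhex("3a5c9e1f0b7d2c44a1e6f38b9c0d5e72")

# Constructed sample history entries as they would sit in a local store.
HISTORY = [
    b"user=jdoe",
    b"natid=123-45-6789",
    b"iban=DE89370400440532013000",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_history(records, key: bytes = REUSED_KEY):
    """Simulate the weak scheme: every record 'protected' with the same key."""
    return [xor_bytes(r, key) for r in records]


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN):
    """ciphertext XOR plaintext yields the key byte at each position. Returns key_len
    entries, with None where the known plaintext was too short to reveal that byte."""
    key = [None] * key_len
    for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
        key[i % key_len] = c ^ p
    return key


def decrypt_with_partial_key(ciphertext: bytes, partial_key) -> str:
    """Decrypt with whatever key bytes are known; unknown positions render as '?'."""
    out = []
    for i, c in enumerate(ciphertext):
        k = partial_key[i % len(partial_key)]
        out.append(chr(c ^ k) if k is not None else "?")
    return "".join(out)


def attack(stored, known_index: int, known_plaintext: bytes):
    """Attacker knows one record (for example their own username entry) and uses the
    key bytes it reveals to read every other record in the same store."""
    partial = recover_key(stored[known_index], known_plaintext)
    return [decrypt_with_partial_key(c, partial) for c in stored]


if __name__ == "__main__":
    stored = store_history(HISTORY)
    # A 9-byte known record reveals 9 of 16 key bytes: the other records leak partially.
    print(attack(stored, 0, HISTORY[0]))
    # A known record at least KEY_LEN bytes long reveals the whole key: everything leaks.
    print(attack(stored, 1, HISTORY[1]))
```

The partial case is the realistic one: an attacker who can read the history file and knows only their own short username entry already recovers the first nine bytes of every other record, which is enough to expose most of a national ID or IBAN. A per-record random nonce with an authenticated cipher would defeat the cross-record recovery, and not persisting history for sensitive fields at all removes the data from the client entirely.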

SAP Company Subsidiaries


Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=sap' -H 'apikey: YOUR_API_KEY_HERE'

SAP Cyber Security News

2025-06-05T07:00:00.000Z
Pathlock Launches Value-Driven SAP Cybersecurity Solutions to Combat Growing SAP Cyber Threats

Pathlock reinforces its commitment to SAP customers with a customer-driven shift, launching a transparent, high-value SAP cybersecurity ...

2025-04-29T07:00:00.000Z
Critical vulnerability in SAP NetWeaver Visual Composer leads to confirmed compromises

A critical vulnerability in SAP NetWeaver Visual Composer has led to confirmed compromises of multiple organizations, and researchers warn that ...

2025-04-09T07:00:00.000Z
CYFIRMA and SecurityBridge Partner to Strengthen SAP Cybersecurity with External Threat Intelligence

SAP systems are at the core of many businesses, managing critical operations like finance, logistics, and HR. Yet, securing these systems ...

2025-03-13T07:00:00.000Z
Onapsis Premieres New Book "Cybersecurity for SAP" at SAPinsider North America

Onapsis, the global leader in SAP cybersecurity and compliance, announces the launch of its highly anticipated book, "Cybersecurity for SAP ...

2025-06-25T13:37:00.000Z
Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure

Two critical flaws in SAP GUI expose sensitive data. Patches now available for Windows and Java versions.

2025-06-27T14:38:00.000Z
SAP NS2's Ted Wagner Discusses CMMC Program Role in Securing Sensitive Information

The Cybersecurity Program Has Three Levels of Certification: Level 1 focuses on basic cyber hygiene and protecting federal contract informationย ...

2025-04-01T07:00:00.000Z
SecurityBridge Brings 'Secure Together' Cybersecurity Event to US for First Time

The US stop of the "Secure Together on the Road" tour will be held April 10, 2025, at the NASA Space Center in Houston.

2025-05-29T07:00:00.000Z
'Everest Group' Extorts Global Orgs via SAP's HR Tool

Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, ...

2025-06-20T00:47:28.000Z
SecurityBridge, Microsoft Unite to Deliver Unified SAP Security Monitoring in Sentinel

SecurityBridge, the Cybersecurity Command Center for SAP, is pleased to announce its collaboration with Microsoft to integrate SAP data into Microsoft ...


SAP Similar Companies

DiDi

DiDi Global Inc. is a leading mobility technology platform. It offers a wide range of app-based services across Asia Pacific, Latin America, and other global markets, including ride hailing, taxi hailing, designated driving, hitch and other forms of shared mobility as well as certain energy and vehi

PayPal

We're championing possibilities for all by making money fast, easy, and more enjoyable. Our hope is to unlock opportunities for people in their everyday lives and empower the millions of people and businesses around the world who trust, rely upon, and use PayPal every day. For support, visit the P

Shopee

Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th

Groupon

Groupon is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events and travel destinations, Groupon helps people find and discover experiences, big and small, new and

Broadcom Software

Broadcom Software modernizes, optimizes, and protects the world's most complex hybrid environments. We are a global software leader delivering a comprehensive portfolio of industry-leading business-critical software enabling scalability, agility and security for the largest global companies in the w

Facebook

The Facebook company is now Meta. Meta builds technologies that help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further empowered billions around the world. Now, Meta is moving


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

SAP CyberSecurity History Information

How many cyber incidents has SAP faced?

Total Incidents: According to Rankiteo, SAP has faced 6 incidents in the past.

What types of cybersecurity incidents have occurred at SAP?

Incident Types: The incident types recorded for SAP are Vulnerability, Ransomware and Breach.

What was the total financial impact of these incidents on SAP?

Total Financial Loss: The only incident with a recorded financial loss is the CTO departure, at €7.1 million (about $7.5 million); the five technical incidents carry no loss figure on this page.

How does SAP detect and respond to cybersecurity incidents?

Detection and Response: The remediation measures recorded against the incidents above are:
- Implement SAP Security Note #3600840 and configure the necessary role adjustments and profile parameters (CVE-2025-42989).
- Emergency fix released by SAP (NetWeaver Visual Composer zero-day).
- Patching and applying CISA's advisories (CVE-2017-12637).
- Mutual agreement on departure and compensation payout (CTO misconduct incident).

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: SAP GUI Vulnerabilities Expose Sensitive User Data

Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. According to Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, a couple of information disclosure vulnerabilities affect the product's user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions. The newly disclosed vulnerabilities affect how user-entered data like usernames, national IDs, and bank account numbers are stored locally, either unencrypted or protected with a weak, reusable XOR key.

Type: Data Breach

Attack Vector: Vulnerability Exploitation

Vulnerability Exploited: CVE-2025-0055, CVE-2025-0056

Incident : Vulnerability Exploitation

Title: Critical Privilege Escalation Vulnerability in SAP NetWeaver Application Server for ABAP

Description: A critical security vulnerability (CVE-2025-42989) in SAP NetWeaver Application Server for ABAP allows authenticated attackers to bypass standard authorization checks and escalate privileges within enterprise systems. The flaw resides within the RFC framework, affecting tRFC and qRFC operations, and was addressed in SAP's June 2025 Security Patch Day.

Date Publicly Disclosed: 2025-06-01

Type: Vulnerability Exploitation

Attack Vector: Privilege Escalation

Vulnerability Exploited: CVE-2025-42989

Incident : vulnerability

Title: SAP NetWeaver Visual Composer Metadata Uploader Vulnerability

Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.

Date Detected: 2025-01-01

Date Resolved: 2025-04-01

Type: vulnerability

Attack Vector: unauthenticated upload, zero-day exploit

Vulnerability Exploited: CVE-2025-42999

Threat Actor: BianLian, RansomEXX

Motivation: financial gain

Incident : Zero-day attack

Title: SAP NetWeaver Visual Composer Vulnerability Exploitation

Description: A critical vulnerability in SAP NetWeaver's Visual Composer development server allowed an unauthenticated attacker to upload potentially harmful executable binaries, affecting the confidentiality, integrity, and availability of the targeted system.

Date Detected: April 2025

Type: Zero-day attack

Attack Vector: Unauthenticated upload of executable binaries

Vulnerability Exploited: Critical vulnerability in SAP NetWeaver Visual Composer development server

Incident : Vulnerability Exploitation

Title: SAP NetWeaver Application Server Java Directory Traversal Vulnerability

Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. The vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw carries a CVSS score of 7.5, a high severity rating. Because it is being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies mitigate it by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches affecting customer and organizational data and disrupting significant operational capacities.

Type: Vulnerability Exploitation

Attack Vector: Directory Traversal

Vulnerability Exploited: CVE-2017-12637

Incident : Misconduct

Title: Inappropriate Behavior Incident Leading to CTO Departure

Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.

Type: Misconduct

Threat Actor: Former CTO Jürgen Müller

Motivation: Inappropriate behavior

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Vulnerability (four of the six recorded incidents).

Impact of the Incidents

What was the impact of each incident?

Incident : Data Breach SAP527062525

Data Compromised: usernames, national IDs, bank account numbers

Systems Affected: SAP GUI Windows version, SAP GUI Java version

Incident : vulnerability SAP723051525

Systems Affected: over 1,200 instances

Incident : Zero-day attack SAP758042625

Systems Affected: Systems running the latest SAP service pack

Incident : Vulnerability Exploitation SAP443032025

Data Compromised: Customer data, Organizational data

Systems Affected: SAP NetWeaver Application Server Java

Operational Impact: Significant operational capacities disrupted

Incident : Misconduct SAP1007030425

Financial Loss: €7.1 million ($7.5 million)

Brand Reputation Impact: Potential damage due to the nature of the misconduct and public scrutiny of executive compensations

What is the average financial loss per incident?

Average Financial Loss: Spread across the six recorded incidents, the €7.1 million ($7.5 million) loss averages about $1.25 million per incident, although only one incident carries a recorded loss.

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are usernames, national IDs, bank account numbers, customer data and organizational data.

Which entities were affected by each incident?

Incident : Data Breach SAP527062525

Entity Type: Enterprise Software

Industry: Technology

Location: Global

Size: Large

Incident : Vulnerability Exploitation SAP909061025

Entity Type: Software Provider

Industry: Technology

Incident : vulnerability SAP723051525

Entity Type: company

Industry: software

Incident : Zero-day attack SAP758042625

Entity Type: Software Company

Industry: Information Technology

Location: Germany

Incident : Vulnerability Exploitation SAP443032025

Entity Type: Organization

Industry: Software

Incident : Misconduct SAP1007030425

Entity Type: Corporation

Industry: Software

Response to the Incidents

What measures were taken in response to each incident?

Incident : Vulnerability Exploitation SAP909061025

Remediation Measures: Implement SAP Security Note #3600840 and configure necessary role adjustments and profile parameters.

Incident : Zero-day attack SAP758042625

Remediation Measures: Emergency fix released by SAP

Incident : Vulnerability Exploitation SAP443032025

Remediation Measures: Patching, Applying CISA's advisories

Incident : Misconduct SAP1007030425

Remediation Measures: Mutual agreement on departure and compensation payout

Data Breach Information

What type of data was compromised in each breach?

Incident : Data Breach SAP527062525

Type of Data Compromised: usernames, national IDs, bank account numbers

Sensitivity of Data: High

Data Encryption: Weak or None

Personally Identifiable Information: True

Incident : Vulnerability Exploitation SAP443032025

Type of Data Compromised: Customer data, Organizational data

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The measures recorded against the incidents above are:
- Implement SAP Security Note #3600840 and configure the necessary role adjustments and profile parameters.
- Emergency fix released by SAP.
- Patching and applying CISA's advisories.
- Mutual agreement on departure and compensation payout (misconduct incident; not a technical control).

Ransomware Information

Was ransomware involved in any of the incidents?

Incident : vulnerability SAP723051525

Ransomware Strain: BianLian, RansomEXX

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Vulnerability Exploitation SAP909061025

Lessons Learned: Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.

What recommendations were made to prevent future incidents?

Incident : Vulnerability Exploitation SAP909061025

Recommendations: Organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations.

Incident : Vulnerability Exploitation SAP443032025

Recommendations: Patch the vulnerability, Apply CISA's advisories

What are the key lessons learned from past incidents?

Key Lessons Learned: The key lessons learned from past incidents are Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.

What recommendations has the company implemented to improve cybersecurity?

Implemented Recommendations: The recommendations recorded against the incidents are: prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations (CVE-2025-42989); patch the vulnerability and apply CISA's advisories (CVE-2017-12637).

References

Where can I find more information about each incident?

Incident : Data Breach SAP527062525

Source: Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn

Incident : Vulnerability Exploitation SAP909061025

Source: Onapsis Report

Incident : Vulnerability Exploitation SAP443032025

Source: CISA Advisory

Where can stakeholders find additional resources on cybersecurity best practices?

Additional Resources: The sources recorded for the incidents above are Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn (SAP GUI), the Onapsis report (CVE-2025-42989) and the CISA advisory (CVE-2017-12637).

Investigation Status

What is the current status of the investigation for each incident?

Incident : Misconduct SAP1007030425

Investigation Status: Ongoing investigation into allegations of sexual harassment

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident?

Incident : Data Breach SAP527062525

Root Causes: Outdated encryption and weak XOR key

Incident : Vulnerability Exploitation SAP909061025

Root Causes: Missing authorization check in RFC inbound processing.

Corrective Actions: Implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.

What corrective actions has the company taken based on post-incident analysis?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.

Additional Questions

General Information

Which threat actors are recorded against the incidents?

Threat Actors: The threat actors recorded are the ransomware operators BianLian and RansomEXX (NetWeaver Visual Composer exploitation) and, for the misconduct incident, former CTO Jürgen Müller.

Incident Details

What was the most recent incident detected?

Most Recent Incident Detected: The most recent incident detected was on 2025-01-01.

What was the most recent incident publicly disclosed?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-06-01.

What was the most recent incident resolved?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-04-01.

Impact of the Incidents

What was the highest financial loss from an incident?

Highest Financial Loss: The highest financial loss from an incident was €7.1 million ($7.5 million).

What was the most significant data compromised in an incident?

Most Significant Data Compromised: The most significant data compromised in an incident were usernames, national IDs, bank account numbers, customer data and organizational data.

What was the most significant system affected in an incident?

Most Significant Systems Affected: SAP GUI (Windows and Java versions); over 1,200 NetWeaver Visual Composer instances; systems running the latest SAP service pack; SAP NetWeaver Application Server Java.

Data Breach Information

What was the most sensitive data compromised in a breach?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were usernames, national IDs, bank account numbers, customer data and organizational data.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: Prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations; patch the vulnerability and apply CISA's advisories.

References

What is the most recent source of information about an incident?

Most Recent Source: The sources of information recorded for the incidents are Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, the Onapsis report and the CISA advisory.

Investigation Status

What is the current status of the most recent investigation?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing investigation into allegations of sexual harassment.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis?

Most Significant Root Causes: The root causes identified in post-incident analysis were outdated encryption with a weak, reusable XOR key (SAP GUI) and a missing authorization check in RFC inbound processing (CVE-2025-42989).

What was the most significant corrective action taken based on post-incident analysis?

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was to implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.