
SAP Company Cyber Security Posture
sap.com
SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world's most complex and demanding processes. SAP's integrated portfolio unites the elements of modern organizations, from workforce and financials to customers and supply chains, into a unified ecosystem that drives progress. SAP privacy statement for followers: www.sap.com/sps
SAP Company Details
sap
128087 employees
4025957.0
511
Software Development
sap.com
27
SAP_1049751
In-progress

Between 900 and 1000
This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.


SAP Company Scoring based on AI Models
Model Name | Date | Description | Current Score Difference | Score |
---|---|---|---|---|
AVERAGE-Industry | 03-12-2025 | This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers. | N/A | Between 900 and 1000 |
SAP Company Cyber Security News & History
Entity | Type | Severity | Impact | Seen | Url ID | Details |
---|---|---|---|---|---|---|
SAP | Breach | 50 | 2 | 3/2025 | SAP1007030425 | Rankiteo Explanation: Attack limited on finance or reputation. Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations. |
SAP | Ransomware | 100 | 5 | 5/2025 | SAP723051525 | Rankiteo Explanation: Attack threatening the organization's existence. Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025. |
SAP | Vulnerability | 100 | 5 | 3/2025 | SAP443032025 | Rankiteo Explanation: Attack threatening the organization's existence. Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. This vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw, given a CVSS score of 7.5, indicates a high severity risk. Because it is being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies mitigate this risk urgently by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches, affecting customer and organizational data and disrupting significant operational capacities. |
SAP | Vulnerability | 100 | 5 | 4/2025 | SAP758042625 | Rankiteo Explanation: Attack threatening the organization's existence. Description: German software giant SAP's widely-used SAP NetWeaver was exploited due to a critical vulnerability in its Visual Composer development server. The vulnerability enabled an unauthenticated attacker to upload potentially harmful executable binaries. This compromise could significantly affect the confidentiality, integrity, and availability of the targeted system. The vulnerability was detected in April 2025 and assigned the highest severity score by SAP, 10.0 (CVSS v3.1). Although SAP quickly released an emergency fix, affected systems running the latest SAP service pack were already exploited, signifying a zero-day attack. |
SAP | Vulnerability | 50 | 1 | 6/2025 | SAP909061025 | Rankiteo Explanation: Attack without any consequences. Description: A critical security vulnerability has been discovered in SAP NetWeaver Application Server for ABAP that allows authenticated attackers to bypass standard authorization checks and escalate their privileges within enterprise systems. The vulnerability, tracked as CVE-2025-42989 and assigned a CVSS score of 9.6, was addressed in SAP's June 2025 Security Patch Day. The flaw allows low-privileged authenticated users to execute function modules without proper authorization verification, resulting in significant privilege escalation that can critically impact both system integrity and availability. |
SAP | Vulnerability | 85 | 4 | 6/2025 | SAP527062525 | Rankiteo Explanation: Attack with significant impact with customers data leaks. Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. Researchers have discovered vulnerabilities in the product's user input history feature affecting both Windows and Java versions. These vulnerabilities could expose sensitive information such as usernames, national IDs, and bank account numbers, stored either unencrypted or protected with a weak, reusable XOR key. |
SAP Cyber Security News
Pathlock Launches Value-Driven SAP Cybersecurity Solutions to Combat Growing SAP Cyber Threats
Pathlock reinforces its commitment to SAP customers with a customer-driven shift, launching a transparent, high-value SAP cybersecurity ...
Critical vulnerability in SAP NetWeaver Visual Composer leads to confirmed compromises
A critical vulnerability in SAP NetWeaver Visual Composer has led to confirmed compromises of multiple organizations, and researchers warn that ...
CYFIRMA and SecurityBridge Partner to Strengthen SAP Cybersecurity with External Threat Intelligence
SAP systems are at the core of many businesses, managing critical operations like finance, logistics, and HR. Yet, securing these systems ...
Onapsis Premieres New Book "Cybersecurity for SAP" at SAPinsider North America
Onapsis, the global leader in SAP cybersecurity and compliance, announces the launch of its highly anticipated book, "Cybersecurity for SAP ...
Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure
Two critical flaws in SAP GUI expose sensitive data. Patches now available for Windows and Java versions.
SAP NS2's Ted Wagner Discusses CMMC Program Role in Securing Sensitive Information
The Cybersecurity Program Has Three Levels of Certification: Level 1 focuses on basic cyber hygiene and protecting federal contract information ...
SecurityBridge Brings "Secure Together" Cybersecurity Event to US for First Time
The US stop of the "Secure Together on the Road" tour will be held April 10, 2025, at the NASA Space Center in Houston.
'Everest Group' Extorts Global Orgs via SAP's HR Tool
Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, ...
SecurityBridge, Microsoft Unite to Deliver Unified SAP Security Monitoring in Sentinel
SecurityBridge, the Cybersecurity Command Center for SAP, is pleased to announce its collaboration with Microsoft to integrate SAP data into Microsoft ...

SAP Similar Companies

DiDi
DiDi Global Inc. is a leading mobility technology platform. It offers a wide range of app-based services across Asia Pacific, Latin America, and other global markets, including ride hailing, taxi hailing, designated driving, hitch and other forms of shared mobility as well as certain energy and vehi

PayPal
We're championing possibilities for all by making money fast, easy, and more enjoyable. Our hope is to unlock opportunities for people in their everyday lives and empower the millions of people and businesses around the world who trust, rely upon, and use PayPal every day. For support, visit the P

Shopee
Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th

Groupon
Groupon is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events and travel destinations, Groupon helps people find and discover experiences, big and small, new and

Broadcom Software
Broadcom Software modernizes, optimizes, and protects the world's most complex hybrid environments. We are a global software leader delivering a comprehensive portfolio of industry-leading business-critical software enabling scalability, agility and security for the largest global companies in the w

Meta
The Facebook company is now Meta. Meta builds technologies that help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further empowered billions around the world. Now, Meta is moving

Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
SAP CyberSecurity History Information
How many cyber incidents has SAP faced?
Total Incidents: According to Rankiteo, SAP has faced 6 incidents in the past.
What types of cybersecurity incidents have occurred at SAP?
Incident Types: The types of cybersecurity incidents that have occurred are Vulnerability, Ransomware and Breach.
What was the total financial impact of these incidents on SAP?
Total Financial Loss: The total financial loss from these incidents is estimated to be $7.10 million.
How does SAP detect and respond to cybersecurity incidents?
Detection and Response: The company detects and responds to cybersecurity incidents through the following remediation measures: implementing SAP Security Note #3600840 and configuring the necessary role adjustments and profile parameters; an emergency fix released by SAP; patching and applying CISA's advisories; and a mutual agreement on departure and compensation payout.
Incident Details
Can you provide details on each incident?

Incident : Data Breach
Title: SAP GUI Vulnerabilities Expose Sensitive User Data
Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. According to Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, a couple of information disclosure vulnerabilities affect the product's user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions. The newly disclosed vulnerabilities affect how user-entered data like usernames, national IDs, and bank account numbers are stored locally, either unencrypted or protected with a weak, reusable XOR key.
Type: Data Breach
Attack Vector: Vulnerability Exploitation
Vulnerability Exploited: CVE-2025-0055, CVE-2025-0056

Incident : Vulnerability Exploitation
Title: Critical Privilege Escalation Vulnerability in SAP NetWeaver Application Server for ABAP
Description: A critical security vulnerability (CVE-2025-42989) in SAP NetWeaver Application Server for ABAP allows authenticated attackers to bypass standard authorization checks and escalate privileges within enterprise systems. The flaw resides within the RFC framework, affecting tRFC and qRFC operations, and was addressed in SAP's June 2025 Security Patch Day.
Date Publicly Disclosed: 2025-06-01
Type: Vulnerability Exploitation
Attack Vector: Privilege Escalation
Vulnerability Exploited: CVE-2025-42989

Incident : vulnerability
Title: SAP NetWeaver Visual Composer Metadata Uploader Vulnerability
Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.
Date Detected: 2025-01-01
Date Resolved: 2025-04-01
Type: vulnerability
Attack Vector: unauthenticated upload, zero-day exploit
Vulnerability Exploited: CVE-2025-42999
Threat Actor: BianLian, RansomEXX
Motivation: financial gain

Incident : Zero-day attack
Title: SAP NetWeaver Visual Composer Vulnerability Exploitation
Description: A critical vulnerability in SAP NetWeaver's Visual Composer development server allowed an unauthenticated attacker to upload potentially harmful executable binaries, affecting the confidentiality, integrity, and availability of the targeted system.
Date Detected: April 2025
Type: Zero-day attack
Attack Vector: Unauthenticated upload of executable binaries
Vulnerability Exploited: Critical vulnerability in SAP NetWeaver Visual Composer development server

Incident : Vulnerability Exploitation
Title: SAP NetWeaver Application Server Java Directory Traversal Vulnerability
Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. This vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw, given a CVSS score of 7.5, indicates a high severity risk. Being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to mitigate this risk urgently by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches, affecting customer and organizational data and disrupting significant operational capacities.
Type: Vulnerability Exploitation
Attack Vector: Directory Traversal
Vulnerability Exploited: CVE-2017-12637

Incident : Misconduct
Title: Inappropriate Behavior Incident Leading to CTO Departure
Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.
Type: Misconduct
Threat Actor: Former CTO Jürgen Müller
Motivation: Inappropriate behavior
What are the most common types of attacks the company has faced?
Common Attack Types: The most common type of attack the company has faced is Vulnerability.
Impact of the Incidents
What was the impact of each incident?

Incident : Data Breach SAP527062525
Data Compromised: usernames, national IDs, bank account numbers
Systems Affected: SAP GUI Windows version, SAP GUI Java version

Incident : vulnerability SAP723051525
Systems Affected: over 1,200 instances

Incident : Zero-day attack SAP758042625
Systems Affected: Systems running the latest SAP service pack

Incident : Vulnerability Exploitation SAP443032025
Data Compromised: Customer data, Organizational data
Systems Affected: SAP NetWeaver Application Server Java
Operational Impact: Significant operational capacities disrupted

Incident : Misconduct SAP1007030425
Financial Loss: €7.1 million ($7.5 million)
Brand Reputation Impact: Potential damage due to the nature of the misconduct and public scrutiny of executive compensations
What is the average financial loss per incident?
Average Financial Loss: The average financial loss per incident is $1.18 million.
What types of data are most commonly compromised in incidents?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are usernames, national IDs, bank account numbers, Customer data and Organizational data.
Which entities were affected by each incident?

Incident : Data Breach SAP527062525
Entity Type: Enterprise Software
Industry: Technology
Location: Global
Size: Large

Incident : Vulnerability Exploitation SAP909061025
Entity Type: Software Provider
Industry: Technology

Incident : Zero-day attack SAP758042625
Entity Type: Software Company
Industry: Information Technology
Location: Germany
Response to the Incidents
What measures were taken in response to each incident?

Incident : Vulnerability Exploitation SAP909061025
Remediation Measures: Implement SAP Security Note #3600840 and configure necessary role adjustments and profile parameters.

Incident : Zero-day attack SAP758042625
Remediation Measures: Emergency fix released by SAP

Incident : Vulnerability Exploitation SAP443032025
Remediation Measures: Patching, Applying CISA's advisories

Incident : Misconduct SAP1007030425
Remediation Measures: Mutual agreement on departure and compensation payout
Data Breach Information
What type of data was compromised in each breach?

Incident : Data Breach SAP527062525
Type of Data Compromised: usernames, national IDs, bank account numbers
Sensitivity of Data: High
Data Encryption: Weak or None
Personally Identifiable Information: True

Incident : Vulnerability Exploitation SAP443032025
Type of Data Compromised: Customer data, Organizational data
What measures does the company take to prevent data exfiltration?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: implementing SAP Security Note #3600840 and configuring the necessary role adjustments and profile parameters; an emergency fix released by SAP; patching and applying CISA's advisories; and a mutual agreement on departure and compensation payout.
Ransomware Information
Was ransomware involved in any of the incidents?

Incident : vulnerability SAP723051525
Ransomware Strain: BianLian, RansomEXX
Lessons Learned and Recommendations
What lessons were learned from each incident?

Incident : Vulnerability Exploitation SAP909061025
Lessons Learned: Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What recommendations were made to prevent future incidents?

Incident : Vulnerability Exploitation SAP909061025
Recommendations: Organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations.

Incident : Vulnerability Exploitation SAP443032025
Recommendations: Patch the vulnerability, Apply CISA's advisories
What are the key lessons learned from past incidents?
Key Lessons Learned: The key lessons learned from past incidents are Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What recommendations has the company implemented to improve cybersecurity?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations; patch the vulnerability; apply CISA's advisories.
References
Where can I find more information about each incident?

Incident : Data Breach SAP527062525
Source: Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn

Incident : Vulnerability Exploitation SAP909061025
Source: Onapsis Report

Incident : Vulnerability Exploitation SAP443032025
Source: CISA Advisory
Where can stakeholders find additional resources on cybersecurity best practices?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources listed above: Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, the Onapsis Report, and the CISA Advisory.
Investigation Status
What is the current status of the investigation for each incident?

Incident : Misconduct SAP1007030425
Investigation Status: Ongoing investigation into allegations of sexual harassment
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident?

Incident : Data Breach SAP527062525
Root Causes: Outdated encryption and weak XOR key

Incident : Vulnerability Exploitation SAP909061025
Root Causes: Missing authorization check in RFC inbound processing.
Corrective Actions: Implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
What corrective actions has the company taken based on post-incident analysis?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
Additional Questions
General Information
Who was the attacking group in the last incident?
Last Attacking Group: The attacking groups in the last incidents were BianLian, RansomEXX and Former CTO Jürgen Müller.
Incident Details
What was the most recent incident detected?
Most Recent Incident Detected: The most recent incident detected was on 2025-01-01.
What was the most recent incident publicly disclosed?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-06-01.
What was the most recent incident resolved?
Most Recent Incident Resolved: The most recent incident resolved was on 2025-04-01.
Impact of the Incidents
What was the highest financial loss from an incident?
Highest Financial Loss: The highest financial loss from an incident was €7.1 million ($7.5 million).
What was the most significant data compromised in an incident?
Most Significant Data Compromised: The most significant data compromised in an incident were usernames, national IDs, bank account numbers, Customer data and Organizational data.
What was the most significant system affected in an incident?
Most Significant System Affected: The most significant systems affected in an incident were the SAP GUI Windows version, the SAP GUI Java version, over 1,200 instances, systems running the latest SAP service pack, and SAP NetWeaver Application Server Java.
Data Breach Information
What was the most sensitive data compromised in a breach?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were usernames, national IDs, bank account numbers, Customer data and Organizational data.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was that immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What was the most significant recommendation implemented to improve cybersecurity?
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were that organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations; patch the vulnerability; and apply CISA's advisories.
References
What is the most recent source of information about an incident?
Most Recent Source: The most recent sources of information about an incident are Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, the Onapsis Report and the CISA Advisory.
Investigation Status
What is the current status of the most recent investigation?
Current Status of Most Recent Investigation: The current status of the most recent investigation is an ongoing investigation into allegations of sexual harassment.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis?
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were outdated encryption and a weak XOR key, and a missing authorization check in RFC inbound processing.
What was the most significant corrective action taken based on post-incident analysis?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was to implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
What Do We Measure?
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
