Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $7.10 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with mutual agreement on departure and compensation payout, and remediation measures with patching, remediation measures with applying cisa's advisories, and remediation measures with emergency fix released by sap, and third party assistance with securitybridge (vulnerability discovery & patch development), and containment measures with apply august 2025 sap patch day updates, and communication strategy with sap customer bulletin (restricted access), communication strategy with securitybridge report, communication strategy with public advisory via bleepingcomputer, and incident response plan activated with yes (vulnerabilities patched), and containment measures with software patches released for cve-2025-42944, cve-2025-42937, cve-2025-42910, and remediation measures with users advised to apply security updates immediately, and communication strategy with public advisory via sap security notes, communication strategy with media coverage (e.g., securityaffairs)..

Common Attack Types: The most common types of attacks the company has faced is Vulnerability.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through RFC-Exposed Function Module in SAP S/4HANA.

Average Financial Loss: The average financial loss per incident is $1.01 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Customer Data, Organizational Data, , Usernames, National Ids, Bank Account Numbers, , Sensitive Business Data, Credentials, Potentially Pii and .

Incident Response Plan: The company's incident response plan is described as Yes (vulnerabilities patched).

Third-Party Assistance: The company involves third-party assistance in incident response through SecurityBridge (Vulnerability Discovery & Patch Development), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Mutual agreement on departure and compensation payout, Patching, Applying CISA's advisories, , Emergency fix released by SAP, , Users advised to apply security updates immediately, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by apply august 2025 sap patch day updates, , software patches released for cve-2025-42944, cve-2025-42937, cve-2025-42910 and .

Key Lessons Learned: The key lessons learned from past incidents are Critical vulnerabilities in enterprise software like SAP S/4HANA can be quickly weaponized if patches are delayed. The openness of ABAP code makes reverse-engineering fixes easier for threat actors, emphasizing the need for timely patching and proactive monitoring. RFC-exposed function modules are high-value targets for code injection attacks, requiring strict access controls and regular audits.Critical vulnerabilities in enterprise software like SAP NetWeaver can expose organizations to severe risks (e.g., arbitrary command execution) if left unpatched. Proactive patch management and input validation (e.g., deserialization, file uploads) are essential to mitigate such threats.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: CISA Advisory, and Source: Pathlock researcher Jonathan Stross and Fortinet’s Julian Petersohn, and Source: SecurityBridge Report on CVE-2025-42957, and Source: BleepingComputer Article, and Source: SAP Security Bulletin (August 2025 Patch Day), and Source: SecurityAffairsUrl: https://securityaffairs.com/153422/security/sap-fixed-maximum-severity-bug-netweaver.htmlDate Accessed: 2025-10-15, and Source: SAP Security Notes.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Sap Customer Bulletin (Restricted Access), Securitybridge Report, Public Advisory Via Bleepingcomputer, Public Advisory Via Sap Security Notes, Media Coverage (E.G. and Securityaffairs).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Sap Customers (Via Restricted Bulletin), Enterprise Sap Administrators, Apply Patches Immediately, Monitor For Signs Of Exploitation, Review Sap Security Configurations, and SAP customers urged to apply patches for the three critical vulnerabilities..

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Securitybridge (Vulnerability Discovery & Patch Development), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Mandatory Patching For All Affected Sap Versions, Enhanced Logging And Monitoring For Abap Code Execution, Access Restrictions For Rfc Function Modules, Regular Vulnerability Assessments For Sap Environments, Collaboration With Sap And Securitybridge For Threat Intelligence, , Released Security Patches To Address The Vulnerabilities., Enhanced Input Validation Mechanisms In Affected Components., Encouraged Customers To Implement Least-Privilege Access Controls., .

Last Attacking Group: The attacking group in the last incident were an Former CTO Jürgen Müller and BianLianRansomEXX.

Most Recent Incident Detected: The most recent incident detected was on April 2025.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-10-15.

Most Recent Incident Resolved: The most recent incident resolved was on 2025-04-01.

Highest Financial Loss: The highest financial loss from an incident was €7.1 million ($7.5 million).

Most Significant Data Compromised: The most significant data compromised in an incident were Customer data, Organizational data, , usernames, national IDs, bank account numbers, and .

Most Significant System Affected: The most significant system affected in an incident was SAP NetWeaver Application Server Java and Systems running the latest SAP service pack and and SAP GUI Windows versionSAP GUI Java version and and SAP NetWeaverSAP Print Service (SAPSprint)SAP Supplier Relationship Management.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was securitybridge (vulnerability discovery & patch development), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Apply August 2025 SAP Patch Day Updates, Software patches released for CVE-2025-42944, CVE-2025-42937 and CVE-2025-42910.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Organizational data, usernames, bank account numbers, national IDs and Customer data.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Critical vulnerabilities in enterprise software like SAP S/4HANA can be quickly weaponized if patches are delayed. The openness of ABAP code makes reverse-engineering fixes easier for threat actors, emphasizing the need for timely patching and proactive monitoring. RFC-exposed function modules are high-value targets for code injection attacks, requiring strict access controls and regular audits., Critical vulnerabilities in enterprise software like SAP NetWeaver can expose organizations to severe risks (e.g., arbitrary command execution) if left unpatched. Proactive patch management and input validation (e.g., deserialization, file uploads) are essential to mitigate such threats.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Engage with SAP and SecurityBridge for guidance on securing vulnerable systems., Implement strict file type/content validation for uploads in SAP Supplier Relationship Management., Monitor for unauthorized file modifications in SAP Print Service (SAPSprint)., Conduct regular security audits for deserialization vulnerabilities in Java-based applications., Apply SAP security patches for CVE-2025-42944, CVE-2025-42937, and CVE-2025-42910 immediately., Patch the vulnerability, Restrict access to SAP customer bulletins and ensure internal teams are aware of critical vulnerabilities., Immediately apply SAP's August 2025 Patch Day updates for affected products., Restrict network access to SAP NetWeaver’s RMI-P4 module and other exposed services., Apply CISA's advisories, Conduct a thorough audit of RFC-exposed function modules in SAP environments., Monitor for unusual activity in SAP logs, particularly related to ABAP code execution., Implement least-privilege access controls for SAP users to mitigate code injection risks. and Consider network segmentation to isolate SAP systems from untrusted networks..

Most Recent Source: The most recent source of information about an incident are CISA Advisory, SecurityBridge Report on CVE-2025-42957, Pathlock researcher Jonathan Stross and Fortinet’s Julian Petersohn, SecurityAffairs, SAP Security Bulletin (August 2025 Patch Day), SAP Security Notes and BleepingComputer Article.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://securityaffairs.com/153422/security/sap-fixed-maximum-severity-bug-netweaver.html .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing investigation into allegations of sexual harassment.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was SAP Customers (via restricted bulletin), Enterprise SAP Administrators, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Apply patches immediatelyMonitor for signs of exploitationReview SAP security configurations and SAP customers urged to apply patches for the three critical vulnerabilities.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Outdated encryption and weak XOR key, Unpatched SAP systems vulnerable to CVE-2025-42957Insufficient access controls for RFC-exposed function modulesDelayed patching despite critical CVSS score (9.9)Ease of reverse-engineering ABAP code fixes, Insecure deserialization in SAP NetWeaver (lack of input validation for Java objects).Missing path traversal protections in SAP Print Service.Inadequate file type/content verification in SAP Supplier Relationship Management..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Mandatory patching for all affected SAP versionsEnhanced logging and monitoring for ABAP code executionAccess restrictions for RFC function modulesRegular vulnerability assessments for SAP environmentsCollaboration with SAP and SecurityBridge for threat intelligence, Released security patches to address the vulnerabilities.Enhanced input validation mechanisms in affected components.Encouraged customers to implement least-privilege access controls..