
SAP Company Cyber Security Posture
sap.com
SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world's most complex and demanding processes. SAP's integrated portfolio unites the elements of modern organizations, from workforce and financials to customers and supply chains, into a unified ecosystem that drives progress. SAP privacy statement for followers: www.sap.com/sps
SAP Company Details
sap
128087 employees
4025957.0
511
Software Development
sap.com
27
SAP_1049751
In-progress

Between 900 and 1000
This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.
SAP Company Scoring based on AI Models
Model Name | Date | Description | Current Score Difference | Score |
---|---|---|---|---|
AVERAGE-Industry | 03-12-2025 | This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers. | N/A | Between 900 and 1000 |
SAP Company Cyber Security News & History
Entity | Type | Severity | Impact | Seen | Url ID | Details |
---|---|---|---|---|---|---|
SAP | Breach | 50 | 2 | 3/2025 | SAP1007030425 | Link |
SAP | Ransomware | 100 | 5 | 5/2025 | SAP723051525 | Link |
SAP | Vulnerability | 100 | 5 | 3/2025 | SAP443032025 | Link |
SAP | Vulnerability | 100 | 5 | 4/2025 | SAP758042625 | Link |
SAP | Vulnerability | 50 | 1 | 6/2025 | SAP909061025 | Link |
SAP | Vulnerability | 85 | 4 | 6/2025 | SAP527062525 | Link |

SAP1007030425 (Breach, 3/2025)
Rankiteo Explanation: Attack limited on finance or reputation.
Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.

SAP723051525 (Ransomware, 5/2025)
Rankiteo Explanation: Attack threatening the organization's existence.
Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.

SAP443032025 (Vulnerability, 3/2025)
Rankiteo Explanation: Attack threatening the organization's existence.
Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. This vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw, given a CVSS score of 7.5, indicates a high severity risk. Because it is being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to mitigate this risk urgently by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches, affecting customer and organizational data and disrupting significant operational capacities.

SAP758042625 (Vulnerability, 4/2025)
Rankiteo Explanation: Attack threatening the organization's existence.
Description: German software giant SAP's widely-used SAP NetWeaver was exploited due to a critical vulnerability in its Visual Composer development server. The vulnerability enabled an unauthenticated attacker to upload potentially harmful executable binaries. This compromise could significantly affect the confidentiality, integrity, and availability of the targeted system. The vulnerability was detected in April 2025 and assigned the highest severity score by SAP, 10.0 (CVSS v3.1). Although SAP quickly released an emergency fix, affected systems running the latest SAP service pack were already exploited, signifying a zero-day attack.

SAP909061025 (Vulnerability, 6/2025)
Rankiteo Explanation: Attack without any consequences.
Description: A critical security vulnerability has been discovered in SAP NetWeaver Application Server for ABAP that allows authenticated attackers to bypass standard authorization checks and escalate their privileges within enterprise systems. The vulnerability, tracked as CVE-2025-42989 and assigned a CVSS score of 9.6, was addressed in SAP's June 2025 Security Patch Day. The flaw allows low-privileged authenticated users to execute function modules without proper authorization verification, resulting in significant privilege escalation that can critically impact both system integrity and availability.

SAP527062525 (Vulnerability, 6/2025)
Rankiteo Explanation: Attack with significant impact with customers data leaks.
Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. Researchers have discovered vulnerabilities in the product's user input history feature affecting both Windows and Java versions. These vulnerabilities could expose sensitive information such as usernames, national IDs, and bank account numbers, stored either unencrypted or protected with a weak, reusable XOR key.
SAP Cyber Security News
An Enterprise Security Perspective on Skipping Software Updates
Is the humble software update the unsung hero of modern enterprise security? It certainly doesn't get the attention it deserves.
Pathlock Launches Value-Driven SAP Cybersecurity Solutions to Combat Growing SAP Cyber Threats
Pathlock reinforces its commitment to SAP customers with a customer-driven shift, launching a transparent, high-value SAP cybersecurity offering.
Critical vulnerability in SAP NetWeaver under threat of active exploitation
An SAP spokesperson confirmed that the company was alerted to a vulnerability in SAP NetWeaver Visual Composer that may have allowed ...
CYFIRMA and SecurityBridge Partner to Strengthen SAP Cybersecurity with External Threat Intelligence
SAP systems are at the core of many businesses, managing critical operations like finance, logistics, and HR. Yet, securing these systems ...
Auto-Color malware paired with SAP NetWeaver bug to launch attack
An Auto-Color backdoor was observed launching a malware attack on the network of a U.S.-based chemicals company.
Auto-Color Backdoor Malware Exploits SAP Vulnerability
The malware, known as Auto-Color, was deployed in a targeted intrusion against a US-based chemicals company in April 2025. Threat Exploits SAP ...
Hackers Exploiting SAP NetWeaver Vulnerability to Deploy Auto-Color Linux Malware
This vulnerability enables malicious actors to upload files to the server, potentially leading to remote code execution and full system ...
Onapsis Premieres New Book "Cybersecurity for SAP" at SAPinsider North America
Onapsis, the global leader in SAP cybersecurity and compliance, announces the launch of its highly anticipated book, "Cybersecurity for SAP ...
SAP NetWeaver Zero-Day CVE-2025-31324 Exploited by China APTs, 581 Breaches
A critical zero-day vulnerability in SAP NetWeaver (CVE-2025-31324) enables hackers to upload malicious files, execute code, and deploy malware ...

Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
SAP CyberSecurity History Information
How many cyber incidents has SAP faced?
Total Incidents: According to Rankiteo, SAP has faced 6 incidents in the past.
What types of cybersecurity incidents have occurred at SAP?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Ransomware.
What was the total financial impact of these incidents on SAP?
Total Financial Loss: The total financial loss from these incidents is estimated to be $7.10 million.
How does SAP detect and respond to cybersecurity incidents?
Detection and Response: The company detects and responds to cybersecurity incidents through the following remediation measures: implementing SAP Security Note #3600840 and configuring the necessary role adjustments and profile parameters; an emergency fix released by SAP; patching and applying CISA's advisories; and a mutual agreement on departure and compensation payout.
Incident Details
Can you provide details on each incident?

Incident : Data Breach
Title: SAP GUI Vulnerabilities Expose Sensitive User Data
Description: SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. According to Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, a couple of information disclosure vulnerabilities affect the product's user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions. The newly disclosed vulnerabilities affect how user-entered data like usernames, national IDs, and bank account numbers are stored locally, either unencrypted or protected with a weak, reusable XOR key.
Type: Data Breach
Attack Vector: Vulnerability Exploitation
Vulnerability Exploited: CVE-2025-0055, CVE-2025-0056

Incident : Vulnerability Exploitation
Title: Critical Privilege Escalation Vulnerability in SAP NetWeaver Application Server for ABAP
Description: A critical security vulnerability (CVE-2025-42989) in SAP NetWeaver Application Server for ABAP allows authenticated attackers to bypass standard authorization checks and escalate privileges within enterprise systems. The flaw resides within the RFC framework, affecting tRFC and qRFC operations, and was addressed in SAP's June 2025 Security Patch Day.
Date Publicly Disclosed: 2025-06-01
Type: Vulnerability Exploitation
Attack Vector: Privilege Escalation
Vulnerability Exploited: CVE-2025-42989

Incident : vulnerability
Title: SAP NetWeaver Visual Composer Metadata Uploader Vulnerability
Description: In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.
Date Detected: 2025-01-01
Date Resolved: 2025-04-01
Type: vulnerability
Attack Vector: unauthenticated upload, zero-day exploit
Vulnerability Exploited: CVE-2025-42999
Threat Actor: BianLian, RansomEXX
Motivation: financial gain

Incident : Zero-day attack
Title: SAP NetWeaver Visual Composer Vulnerability Exploitation
Description: A critical vulnerability in SAP NetWeaver's Visual Composer development server allowed an unauthenticated attacker to upload potentially harmful executable binaries, affecting the confidentiality, integrity, and availability of the targeted system.
Date Detected: April 2025
Type: Zero-day attack
Attack Vector: Unauthenticated upload of executable binaries
Vulnerability Exploited: Critical vulnerability in SAP NetWeaver Visual Composer development server

Incident : Vulnerability Exploitation
Title: SAP NetWeaver Application Server Java Directory Traversal Vulnerability
Description: SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. This vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw, given a CVSS score of 7.5, indicates a high severity risk. Being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to mitigate this risk urgently by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches, affecting customer and organizational data and disrupting significant operational capacities.
Type: Vulnerability Exploitation
Attack Vector: Directory Traversal
Vulnerability Exploited: CVE-2017-12637

Incident : Misconduct
Title: Inappropriate Behavior Incident Leading to CTO Departure
Description: Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.
Type: Misconduct
Threat Actor: Former CTO Jürgen Müller
Motivation: Inappropriate behavior
What are the most common types of attacks the company has faced?
Common Attack Types: The most common type of attack the company has faced is Vulnerability.
Impact of the Incidents
What was the impact of each incident?

Incident : Data Breach SAP527062525
Data Compromised: usernames, national IDs, bank account numbers
Systems Affected: SAP GUI Windows version, SAP GUI Java version

Incident : vulnerability SAP723051525
Systems Affected: over 1,200 instances

Incident : Zero-day attack SAP758042625
Systems Affected: Systems running the latest SAP service pack

Incident : Vulnerability Exploitation SAP443032025
Data Compromised: Customer data, Organizational data
Systems Affected: SAP NetWeaver Application Server Java
Operational Impact: Significant operational capacities disrupted

Incident : Misconduct SAP1007030425
Financial Loss: €7.1 million ($7.5 million)
Brand Reputation Impact: Potential damage due to the nature of the misconduct and public scrutiny of executive compensations
What is the average financial loss per incident?
Average Financial Loss: The average financial loss per incident is $1.18 million.
What types of data are most commonly compromised in incidents?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are usernames, national IDs, bank account numbers, Customer data and Organizational data.
Which entities were affected by each incident?

Incident : Data Breach SAP527062525
Entity Type: Enterprise Software
Industry: Technology
Location: Global
Size: Large

Incident : Vulnerability Exploitation SAP909061025
Entity Type: Software Provider
Industry: Technology

Incident : Zero-day attack SAP758042625
Entity Type: Software Company
Industry: Information Technology
Location: Germany
Response to the Incidents
What measures were taken in response to each incident?

Incident : Vulnerability Exploitation SAP909061025
Remediation Measures: Implement SAP Security Note #3600840 and configure necessary role adjustments and profile parameters.

Incident : Zero-day attack SAP758042625
Remediation Measures: Emergency fix released by SAP

Incident : Vulnerability Exploitation SAP443032025
Remediation Measures: Patching, Applying CISA's advisories

Incident : Misconduct SAP1007030425
Remediation Measures: Mutual agreement on departure and compensation payout
Data Breach Information
What type of data was compromised in each breach?

Incident : Data Breach SAP527062525
Type of Data Compromised: usernames, national IDs, bank account numbers
Sensitivity of Data: High
Data Encryption: Weak or None
Personally Identifiable Information: True

Incident : Vulnerability Exploitation SAP443032025
Type of Data Compromised: Customer data, Organizational data
What measures does the company take to prevent data exfiltration?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: implementing SAP Security Note #3600840 and configuring the necessary role adjustments and profile parameters; an emergency fix released by SAP; patching and applying CISA's advisories; and a mutual agreement on departure and compensation payout.
Ransomware Information
Was ransomware involved in any of the incidents?

Incident : vulnerability SAP723051525
Ransomware Strain: BianLian, RansomEXX
Lessons Learned and Recommendations
What lessons were learned from each incident?

Incident : Vulnerability Exploitation SAP909061025
Lessons Learned: Immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What recommendations were made to prevent future incidents?

Incident : Vulnerability Exploitation SAP909061025
Recommendations: Organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations.

Incident : Vulnerability Exploitation SAP443032025
Recommendations: Patch the vulnerability, Apply CISA's advisories
What are the key lessons learned from past incidents?
Key Lessons Learned: The key lesson learned from past incidents is that immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What recommendations has the company implemented to improve cybersecurity?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations; patch the vulnerability; apply CISA's advisories.
References
Where can I find more information about each incident?

Incident : Data Breach SAP527062525
Source: Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn

Incident : Vulnerability Exploitation SAP909061025
Source: Onapsis Report

Incident : Vulnerability Exploitation SAP443032025
Source: CISA Advisory
Where can stakeholders find additional resources on cybersecurity best practices?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the following sources: Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, the Onapsis Report, and the CISA Advisory.
Investigation Status
What is the current status of the investigation for each incident?

Incident : Misconduct SAP1007030425
Investigation Status: Ongoing investigation into allegations of sexual harassment
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident?

Incident : Data Breach SAP527062525
Root Causes: Outdated encryption and weak XOR key

Incident : Vulnerability Exploitation SAP909061025
Root Causes: Missing authorization check in RFC inbound processing.
Corrective Actions: Implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
What corrective actions has the company taken based on post-incident analysis?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
Additional Questions
General Information
Who was the attacking group in the last incident?
Last Attacking Group: The attacking groups in the last incidents were BianLian, RansomEXX and former CTO Jürgen Müller.
Incident Details
What was the most recent incident detected?
Most Recent Incident Detected: The most recent incident detected was on 2025-01-01.
What was the most recent incident publicly disclosed?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-06-01.
What was the most recent incident resolved?
Most Recent Incident Resolved: The most recent incident resolved was on 2025-04-01.
Impact of the Incidents
What was the highest financial loss from an incident?
Highest Financial Loss: The highest financial loss from an incident was €7.1 million ($7.5 million).
What was the most significant data compromised in an incident?
Most Significant Data Compromised: The most significant data compromised in an incident were usernames, national IDs, bank account numbers, Customer data and Organizational data.
What was the most significant system affected in an incident?
Most Significant System Affected: The most significant systems affected in an incident were the SAP GUI Windows version, the SAP GUI Java version, over 1,200 instances, systems running the latest SAP service pack, and SAP NetWeaver Application Server Java.
Data Breach Information
What was the most sensitive data compromised in a breach?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were usernames, national IDs, bank account numbers, Customer data and Organizational data.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was that immediate implementation of security patches and careful planning of configuration changes are critical to mitigate vulnerabilities.
What was the most significant recommendation implemented to improve cybersecurity?
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: organizations should prioritize the patch and carefully plan the implementation of authorization changes to avoid impacting existing system integrations; patch the vulnerability; apply CISA's advisories.
References
What is the most recent source of information about an incident?
Most Recent Source: The most recent sources of information about an incident are Pathlock researcher Jonathan Stross and Fortinet's Julian Petersohn, the Onapsis Report and the CISA Advisory.
Investigation Status
What is the current status of the most recent investigation?
Current Status of Most Recent Investigation: The current status of the most recent investigation is an ongoing investigation into allegations of sexual harassment.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis?
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were outdated encryption and a weak XOR key, and a missing authorization check in RFC inbound processing.
What was the most significant corrective action taken based on post-incident analysis?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was to implement SAP Security Note #3600840 and follow the FAQ Note #3601919 for proper role adjustments.
What Do We Measure?
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
