Critical SAP Vulnerabilities Under Attack by Ransomware Groups

By Tina Reynolds

Critical vulnerabilities in SAP systems have been reported, and various ransomware and data extortion groups are taking advantage of them. Groups including Qilin, BianLian and RansomExx have been seen weaponizing these vulnerabilities to carry out attacks against critical infrastructure networks. Security specialists have raised the alarm about the danger of remote code execution through these flaws, arguing that there is a pressing need to act on a series of Common Vulnerabilities and Exposures (CVEs) that endanger systems that remain unpatched.

SAP addressed these vulnerabilities in April/May 2025. Despite this, threat actors had been actively exploiting them as zero-days since at least March. Among them are CVE-2025-30012 and CVE-2025-31324, both carrying the maximum CVSS score of 10.0. A dozen other critical vulnerabilities carry a CVSS score of 9.1, including CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, CVE-2025-42980 and CVE-2025-42999. The high severity of these vulnerabilities has caused quite a stir among security professionals.

Exploitation Methods

The attack chain built on these vulnerabilities, pictured here, starts with CVE-2025-31324, which allows attackers to bypass authentication protections and upload their own malicious payloads straight onto the SAP server. The exploit can then run operating system commands without installing any further tooling on the affected system, which is what makes it so dangerous.

Security experts are raising the alarm over these exploits’ enhanced capabilities, which can deploy web shells and enable living-off-the-land (LotL) attacks. This tactic lets threat actors persist within compromised environments while relying on tools and services that are often already present, rather than bringing in their own.

“These vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on the target SAP System, including the upload of arbitrary files.” – Onapsis

Targeting Critical Infrastructure

The consequences of these vulnerabilities go beyond lining the pockets of ransomware groups; criminals are not the only ones exploiting them. Several espionage crews associated with the Chinese government have used these weaknesses in their campaigns against critical infrastructure systems. This disturbing trend highlights the need for faster patching and heightened awareness among agencies and organizations that run SAP enterprise applications.

In response, SAP has released a series of recommendations to help its users reduce the risk from these threats. SAP recommends applying the most recent patches as soon as possible and monitoring affected SAP applications for any indicators of compromise. On top of this, SAP recommends that users immediately review access to their SAP applications and shield them from web-based attack vectors.

“The publication of this deserialization gadget is particularly concerning due to the fact that it can be reused in other contexts, such as exploiting the deserialization vulnerabilities that were recently patched by SAP in July.” – Onapsis

Recommendations for Users

With the continued evolution of the threat landscape, organizations running SAP systems need to stay one step ahead in order to properly protect their applications. The firm recommends that all users install the new security patches immediately and stay alert for attempts to exploit these weaknesses.

Continuous monitoring for anomalous activity across all SAP environments is key to early detection of a breach. Businesses must also ensure that access controls, such as role-based security, are consistently enforced, and should consider restricting external access to their SAP applications altogether.
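One concrete form the monitoring above can take is a log check for the chain described earlier: an unauthenticated upload to the SAP server followed by the first-ever request for a server-side script from the same client. The example below is added here and is not code from the article, SAP or Onapsis; the log lines are constructed, and the upload endpoint `/upload` and script name `helper.jsp` are illustrative assumptions rather than indicators from the page.

```python
import re

# Constructed sample access log (Common Log Format) for an SAP application server.
# The upload endpoint "/upload" and the script name "helper.jsp" are illustrative
# assumptions for this example, not indicators taken from the article.
SAMPLE_LOG = """\
198.51.100.4 - jsmith [10/Apr/2025:09:10:00 +0000] "GET /irj/portal/login.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /irj/portal/login.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [10/Apr/2025:09:12:05 +0000] "POST /upload HTTP/1.1" 200 311
203.0.113.7 - - [10/Apr/2025:09:12:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87
192.0.2.9 - - [10/Apr/2025:09:13:00 +0000] "POST /upload HTTP/1.1" 401 0
192.0.2.9 - - [10/Apr/2025:09:13:04 +0000] "GET /irj/other.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Parse one CLF line into a dict; the query string is dropped from the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]
    return ev

def find_upload_then_webshell(log_text, upload_path="/upload"):
    """Return alerts for clients that POST to the upload endpoint with no
    authenticated user (user field '-') and a success status, and then request
    a server-side script (.jsp) that no earlier request in the log referenced."""
    seen_paths = set()   # paths already observed, treated as the known baseline
    uploaders = set()    # client IPs with a successful unauthenticated upload
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["method"] == "POST" and ev["path"] == upload_path
                and ev["user"] == "-" and ev["status"] < 400):
            uploaders.add(ev["ip"])
        elif (ev["ip"] in uploaders and ev["path"].lower().endswith(".jsp")
                and ev["path"] not in seen_paths):
            alerts.append({"ip": ev["ip"], "path": ev["path"], "ts": ev["ts"]})
        seen_paths.add(ev["path"])
    return alerts

if __name__ == "__main__":
    for a in find_upload_then_webshell(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['ip']} requested new script {a['path']} after upload")
```

Requests for scripts that already appear earlier in the log, and uploads that were rejected with a 4xx status, are deliberately not flagged, so the check stays quiet for normal portal traffic.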