Anatomy of a Breach: SAP NetWeaver — Critical Vulnerability in Enterprise Backbone Exploited at Scale

> series: anatomy_of_a_breach —— part: 198 —— target: sap_netweaver —— organisations: 400,000 —— risk: core_business_operations

Hedgehog Security 30 June 2025 12 min read

SAP NetWeaver. 400,000 organisations. The enterprise backbone under active attack.

In mid-2025, multiple threat actors began actively exploiting a critical vulnerability in SAP NetWeaver — the application server platform that underpins SAP's enterprise resource planning (ERP) systems. SAP is used by approximately 400,000 organisations worldwide — including the majority of the world's largest companies — to run core business functions: finance and accounting, supply chain management, human resources, manufacturing execution, and procurement. A vulnerability in NetWeaver therefore represented a vulnerability in the operational backbone of global business.

SAP released patches, but the exploitation window — between vulnerability discovery and patch application — created significant risk for organisations with complex SAP landscapes that could not be patched immediately. The incident echoed previous mass exploitation events targeting enterprise infrastructure: Microsoft Exchange/Hafnium (2021), MOVEit (2023), and the Log4Shell (2021) vulnerability — all cases where critical vulnerabilities in widely-deployed enterprise software created mass exploitation opportunities. The M&S breach was subsequently linked to an unpatched NetWeaver vulnerability, demonstrating the real-world consequences of delayed patching.

When your ERP is compromised, everything stops.

SAP = Core Business Operations

SAP systems manage payroll, procurement, manufacturing, supply chain, and financial reporting. A compromise of SAP can halt business operations across every function simultaneously. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes SAP and ERP security assessment.

Patch Complexity in ERP Environments

SAP landscapes are complex, customised, and business-critical — making patching slower than for standard software. <a href="/cyber-essentials">Cyber Essentials</a>' 14-day patching mandate must be achievable even for complex ERP environments. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched SAP components.

Internet-Facing SAP Components

Some SAP NetWeaver components — including web dispatchers and portal interfaces — are exposed to the internet. When critical vulnerabilities exist in internet-facing SAP components, they become immediate targets for mass exploitation. Our <a href="/vulnerability-scanning">external vulnerability scanning</a> identifies exposed enterprise application servers.

Enterprise Software as Critical Infrastructure

SAP, Oracle, Microsoft — enterprise software platforms are as critical to business operations as electricity and telecommunications. Their security must be treated with proportionate rigour. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors enterprise application access patterns for anomalies. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response for enterprise platform compromises.

Your ERP is your business. Patch it. Test it. Monitor it.

The SAP NetWeaver exploitation demonstrated that enterprise application platforms require the same patching urgency as operating systems and network devices. Cyber Essentials mandates 14-day patching. Vulnerability scanning identifies unpatched SAP components. Infrastructure testing assesses ERP security. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence provides incident response when enterprise platforms are compromised.


SAP NetWeaver under active attack. Is your ERP patched and tested?

<a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched SAP. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses ERP security. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching.