ERP Systems in the Crosshairs


The incident surrounding CVE-2025-31324 in SAP NetWeaver Visual Composer in the spring of this year began like many security reports: as a technical note that only seemed to concern specialists. A few days later, it became apparent that the vulnerability had been exploited on a large scale. The CVSS score of 10 signaled that this was one of the most dangerous vulnerabilities known in ERP systems in recent years.
Crafted HTTP requests
Attackers exploited the vulnerability specifically to inject malicious code via crafted HTTP requests, install web shells and thus establish long-term remote access - among other things, to be able to reach sensitive data. Not only production systems were affected, but also test and development systems that were reachable from the internet. Particularly critical: even in cloud scenarios such as Rise environments, where Visual Composer was not officially used, the component was installed - and the system was therefore theoretically vulnerable. This shows that attackers no longer target only productive core modules, but also use peripheral components as a gateway into the heart of the ERP landscape.
A successful attack on an ERP system is rarely limited to one area. In the example of a manufacturing company, production lines can come to a standstill, deliveries can be delayed, stock levels can be displayed incorrectly or orders can be executed incorrectly. In the very worst case, the incident spreads along the supply chain - and also affects partners and customers.
In a networked world, the failure of an ERP system can cause lasting damage to a company's reputation. Listed companies also risk a loss in share price if attacks become public. Compliance obligations such as reporting deadlines to supervisory authorities add to the pressure. Strategic security is therefore the be-all and end-all.
The limits of cloud trust
For many companies, Rise with SAP is the key to modernizing their ERP landscape. The provider takes over the infrastructure, operating system and database patches, which frees up resources. But this is precisely where the pitfall lies: security responsibility does not end at the edge of the provider stack.
Everything that goes beyond the basic infrastructure, such as customer-specific extensions, roles and authorizations, interfaces to partners and external applications, is the responsibility of the company.
Zero-day case
The zero-day case makes it clear that gaps can occur anywhere and threaten the entire company - even in areas that are not actively used. If not all systems and interfaces are regularly checked and patched, an attack surface builds up unnoticed and keeps growing.
In practice, companies are therefore increasingly relying on automated vulnerability scans and continuous monitoring solutions, such as those provided by specialized providers like Onapsis.
Such tools help to keep an eye on even complex Rise environments around the clock and at the same time relieve the burden on security teams - an important factor not only with regard to increasingly complex attacks, but also in view of increasing requirements and the shortage of specialists in IT security.
The migration to Rise with SAP is not only a technically necessary project, but also an opportunity to identify and eliminate legacy issues. In practice, however, complete systems are often transferred "lift-and-shift" - including outdated custom code, unused modules and open interfaces.
Legacy issues in our sights
These legacy components are an attractive target for attackers. They often contain code with known but unpatched vulnerabilities, which poses a high risk to the system, and their protection falls through the cracks if the focus is exclusively on the new platform.
A thorough inventory before systems go into the cloud is therefore essential in order to gain transparency and eliminate any applications, custom code, interfaces and the like that are not (or no longer) in use. Inventory and analysis tools support ERP teams in identifying and prioritizing potential risks before they become weak points.
High-risk ERP environment
ERP systems are increasingly being targeted by organized cybercrime. In addition to targeted attacks by non-state attackers and state-sponsored groups, ransomware campaigns are also on the rise, deliberately paralyzing business processes to back up ransom demands.
Attackers are increasingly using combinations: First, for example, initial access is gained via an unpatched vulnerability, then authorizations are extended, data is siphoned off and - often weeks later - the systems are encrypted. This step-by-step approach makes detection more difficult and increases the damage.
In the worst case, the attack is only noticed at the moment of encryption - by which point it is already too late and sensitive information is already in circulation.
Up-to-date threat information from specialized research laboratories, such as the Onapsis Research Labs, can help to identify new attack patterns at an early stage and initiate countermeasures before damage occurs.
They provide comprehensive information about their observations in real time and give recommendations for action to protect companies and their ERP systems in the best possible way.
Vulnerabilities such as the zero-day vulnerability outlined at the beginning of the article illustrate the importance of fast response times. Attackers often start searching for vulnerable systems just hours after exploit details are published.
Companies that need too much time for testing and approvals, and therefore for patching, significantly increase their risk. This is where automation plays a key role. Automated solutions can prioritize patches and configuration changes, analyze dependencies and document implementation - which not only increases speed, but also supports audit requirements. Especially in times of scarce personnel resources, this relief is a decisive advantage.
Monitoring and analytics
The amount of data in Rise or hybrid ERP environments is enormous. Without intelligent analysis, "noise" can easily arise in which real threats are lost. Appropriate automated analysis processes can identify patterns here that would hardly be visible manually - such as unusual access patterns to certain tables or a sudden accumulation of failed logins from geographically distant regions. Providers such as Onapsis combine such analysis functions with threat information from their own research labs. This allows detected anomalies to be evaluated not only technically, but also in the context of current attack campaigns. This makes it possible to determine more quickly whether an incident is isolated or part of a larger, coordinated wave of attacks.
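As an added illustration of one of the patterns named above (not code from the article or from Onapsis), the following Python flags bursts of failed logons for a single user arriving from several countries within a short window, and escalates when a successful logon from one of those countries follows. The log format is constructed for the example; real SAP audit data would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real SAP audit log output): time, user, result, country
SAMPLE_LOG = """\
2025-05-03T08:00:01 user=JSMITH result=FAIL country=DE
2025-05-03T08:00:04 user=JSMITH result=FAIL country=DE
2025-05-03T08:00:09 user=JSMITH result=FAIL country=BR
2025-05-03T08:00:12 user=JSMITH result=FAIL country=CN
2025-05-03T08:00:20 user=JSMITH result=OK country=CN
2025-05-03T09:10:00 user=MMUELLER result=FAIL country=DE
"""

def parse_log(text):
    # Each line becomes a dict of the key=value pairs; 'ts' is parsed to a datetime.
    records = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def failed_login_bursts(records, window=timedelta(minutes=5), min_failures=4, min_countries=2):
    """Flag users with >= min_failures failed logons inside `window` coming from
    >= min_countries countries. Returns {user: (last failure time, countries)}."""
    fails_by_user = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            fails_by_user[r["user"]].append(r)
    hits = {}
    for user, fails in fails_by_user.items():
        for rec in fails:  # window ending at each failure; works on unsorted input
            span = [f for f in fails if rec["ts"] - window <= f["ts"] <= rec["ts"]]
            countries = {f["country"] for f in span}
            if len(span) >= min_failures and len(countries) >= min_countries:
                hits[user] = (rec["ts"], sorted(countries))
                break  # one alert per user is enough
    return hits

def successes_after_burst(records, window=timedelta(minutes=5)):
    """Escalate: OK logon from a burst country within `window` after the burst -> {user: country}."""
    out = {}
    for user, (burst_end, countries) in failed_login_bursts(records, window).items():
        for r in records:
            if (r["user"] == user and r["result"] == "OK" and r["country"] in countries
                    and burst_end <= r["ts"] <= burst_end + window):
                out[user] = r["country"]
                break
    return out
```

The thresholds are deliberately parameters: a tuned baseline per user group, rather than one global number, is what keeps this kind of rule out of the "noise" the paragraph warns about.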
Compliance as a driver
If, for example, a globally active chemical company discovers that an ERP interface to a laboratory system is connected to the internet without protection, this can not only jeopardize production processes but also violate environmental regulations. A retail company whose cloud ERP is accessible via insecure API endpoints risks not only financial losses but also long-term reputational damage. Such scenarios are realistic - and avoidable.
In addition, regulatory requirements such as the European Union's NIS2 Directive, industry-specific security standards and international norms are increasing the pressure to reliably protect ERP systems and sensitive data. Those who act proactively here not only reduce the risk of fines, but also create a resilient security architecture.
These compliance frameworks act as a catalyst: they force organizations to document their security processes, define responsibilities and carry out regular reviews. But this alone does not protect. If audits are only formally fulfilled while real security gaps remain, a false sense of security is created. An integrated approach that dovetails compliance requirements and technical protection measures - supported by continuous, automated checks - is therefore crucial.
Conclusion: Proactivity as a guiding principle
ERP security must not be reduced to simply applying patches. It is necessary to establish a continuous process: regular inventories and assessments, risk analyses, training and the close integration of IT and specialist departments. Cloud models such as Rise with SAP do nothing to change this. On the contrary: they require security processes to function seamlessly across company boundaries - from the provider to internal IT teams and external partners. Only those who approach their ERP security proactively and strategically, supported by modern automation and sound threat intelligence, remain able to act in today's ever-present threat situation.