The System Running Your Factory Is Under Active Attack
In 2026, manufacturing organizations face a critical shift in SAP ERP security: ERP systems are no longer passive back-office tools; they are active attack surfaces. Systems like SAP control production, procurement, and supply chain operations, making them high-value targets.
Recent campaigns exploiting SAP NetWeaver vulnerabilities in manufacturing environments, including exploitation of CVE-2025-31324 against manufacturers, show that attackers are using ERP as the fastest path into production.
The real issue is not just vulnerabilities; it is ownership. SAP environments are managed by ERP or BASIS teams, not security teams. This creates a blind spot in manufacturing ERP cybersecurity, where systems operate without real-time visibility, WAF protection, or behavioral monitoring.
Why SAP Has Become the Most Valuable Entry Point Into Manufacturing
SAP S/4HANA and related platforms form the operational core of modern manufacturing. They connect production planning, logistics, finance, and supplier ecosystems into a single system. A partial list of what SAP controls in a typical plant:
- Production planning and scheduling: What gets manufactured, when, in what sequence, at which plant.
- Materials requirements planning: What raw materials need to be ordered, from which suppliers, and when.
- Supply chain management: Inbound and outbound logistics, warehouse management, supplier relationships.
- Quality management: Inspection records, test results, compliance documentation, non-conformance tracking.
- Financial accounting and controlling: Cost centers, profit and loss, accounts payable and receivable.
- Human resources: Payroll, headcount, workforce planning.
- Customer order management: Sales orders, delivery schedules, invoicing.
When attackers target SAP, they are not just stealing data; they are influencing operations. A successful breach enables data exfiltration from manufacturing SAP systems, manipulation of production workflows, and disruption of plant operations.
This expanded attack surface also makes SAP an ideal pivot point between IT and OT environments. Attackers are no longer breaking into factories through industrial control systems. They are logging in through ERP.
The SAP NetWeaver Attack Manufacturing Environments Cannot See
The most dangerous entry point is CVE-2025-31324, a SAP Visual Composer vulnerability enabling unauthenticated file uploads. Attackers deploy a SAP NetWeaver webshell with a single request.
Another critical flaw, CVE-2025-42957, enables SAP ABAP code injection via RFC, allowing attackers to create admin accounts, modify data, and persist inside the system.
CVE-2025-31324: CVSS 10.0 | Unauthenticated Remote Code Execution via NetWeaver Visual Composer
This vulnerability defines the current exposure level in manufacturing environments. An unauthenticated attacker can send a crafted POST request to /developmentserver/metadatauploader and upload a malicious payload, resulting in immediate remote code execution. Impact includes:
- SAP NetWeaver webshell deployment
- Full administrative control over SAP
- Direct access to databases and connected systems
- OS-level command execution
- Lateral movement across IT and OT environments
Exploitation was observed as early as March 2025, heavily targeting manufacturing. Public exploit tooling reduced attack time to minutes, enabling mass exploitation and ransomware follow-on attacks.
CVE-2025-42999: CVSS 9.1 | Insecure Deserialization (Chained Exploit)
This vulnerability is typically chained with CVE-2025-31324. The combination enables in-memory execution with no file artifacts written to disk, making detection significantly harder. Both vulnerabilities were patched together, but chained exploitation was confirmed in the wild before widespread patching occurred.
CVE-2025-42957: CVSS 9.9 | ABAP Code Injection via RFC, Active Exploitation Confirmed
This one targets SAP S/4HANA directly. A low-privileged attacker (anyone with a basic user account, obtainable through a single phishing email) can make a Remote Function Call (RFC) to a vulnerable ABAP module and inject arbitrary ABAP code into the system.
The consequences of successful exploitation include:
- Creating superuser accounts with SAP_ALL privileges as persistent backdoors.
- Reading and modifying data directly in the SAP database.
- Downloading hashed passwords for all SAP users.
- Altering business process logic: modifying production orders, financial postings, procurement approvals.
- Full OS-level access on the underlying server.
SecurityBridge confirmed active exploitation in the wild. Pathlock observed exploitation activity surging immediately after the patch was released, as attackers reverse-engineered the fix to understand the vulnerability mechanics. Active exploitation was confirmed across multiple production environments.
Quick Reference: SAP Manufacturing CVE Summary (2025–2026)
All three require immediate patching. CVE-2025-31324 and CVE-2025-42957 have confirmed exploitation in manufacturing environments specifically.
How the SAP Attack Chain Works in Manufacturing
A typical ERP cyber attack scenario in manufacturing begins with exploiting NetWeaver, followed by webshell deployment and persistence.
Most manufacturers expose SAP components such as Web Dispatcher, supplier portals, and cloud integration endpoints. The /developmentserver/metadatauploader endpoint is often accessible without authentication in unpatched systems.
A typical attack follows this sequence:
Step 1: Initial Access
Attackers scan for exposed SAP NetWeaver instances. A single POST request deploys a webshell. From initial scan to persistent access: minutes.
Step 2: Persistence
The webshell resides in /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, a trusted directory rarely inspected by security tools. Access survives reboots and routine maintenance.
Step 3: Reconnaissance
From inside SAP, attackers run internal network mapping commands and query SAP transaction codes to identify connected systems: databases, MES platforms, OT-integrated middleware, and supplier portals. SAP’s position as a central hub makes it ideal for mapping the full environment.
Step 4: Lateral Movement
Using SAP RFC exploitation and its trusted network position, attackers move toward connected systems. If SAP has access to MES or SCADA-adjacent environments, as it commonly does in integrated manufacturing operations, it becomes a legitimate bridge into OT infrastructure. RFC traffic appears indistinguishable from routine SAP integrations.
Step 5: Impact
Nation-state actors focus on long-term data exfiltration: production schedules, supplier contracts, pricing data, and process specifications. Ransomware groups target the SAP database layer directly, simultaneously disrupting production scheduling, procurement, shipping, and financial operations.
This enables lateral movement from SAP into the OT network, allowing attackers to pivot into MES or OT-adjacent systems. The attack typically ends with data exfiltration from manufacturing SAP systems or a full breach of SAP production data, often combined with ransomware.
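Step 4 says RFC traffic "appears indistinguishable from routine SAP integrations"; what does distinguish it is the destination. As an added illustration (example code written for this page, not Prophaze's or SAP's), the following baselines outbound connections from SAP hosts over a learning window and flags first-seen destinations or ports, escalating when the destination falls in an OT-adjacent range. The host addresses, the OT-adjacent CIDR and every connection record are constructed; the SAP gateway (3300) and HANA SQL (30015) ports are used only as plausible values.

```python
import ipaddress

# Constructed connection records (src, dst, dport) as a firewall or NetFlow export
# would summarise them; not data from any real environment.
SAP_HOSTS = {"10.0.5.10", "10.0.5.11"}                # assumed SAP application servers
OT_ADJACENT = [ipaddress.ip_network("10.20.0.0/16")]  # assumed MES / OT-adjacent range
LEARNING = [                                          # learning window: routine traffic
    ("10.0.5.10", "10.0.6.20", 30015),  # HANA SQL port, assumed database host
    ("10.0.5.10", "10.0.7.5", 3300),    # RFC via the gateway port to a known integration host
    ("10.0.5.11", "10.0.6.20", 30015),
]
CURRENT = [                                           # later window to evaluate
    ("10.0.5.10", "10.0.6.20", 30015),  # seen before: no alert
    ("10.0.5.10", "10.0.8.40", 3300),   # RFC to a host SAP has never called
    ("10.0.5.11", "10.20.3.15", 3389),  # first contact with an OT-adjacent host
    ("10.0.5.10", "10.0.7.5", 22),      # known host, but a port never used before
    ("10.0.9.9", "10.20.3.15", 3389),   # not an SAP host: outside this rule's scope
]

def build_baseline(records):
    """Map (src, dst) -> set of destination ports seen from SAP hosts in the learning window."""
    base = {}
    for src, dst, dport in records:
        if src in SAP_HOSTS:
            base.setdefault((src, dst), set()).add(dport)
    return base

def in_ot_adjacent(ip):
    """True when the address lies in one of the OT-adjacent ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_ADJACENT)

def evaluate(records, baseline):
    """Return (severity, src, dst, dport, reason) for SAP-originated connections not in the baseline."""
    alerts = []
    for src, dst, dport in records:
        if src not in SAP_HOSTS:
            continue
        known_ports = baseline.get((src, dst))
        if known_ports is None:
            reason = "destination never called before"
        elif dport not in known_ports:
            reason = "known destination on a port never used before"
        else:
            continue
        severity = "critical" if in_ot_adjacent(dst) else "medium"
        alerts.append((severity, src, dst, dport, reason))
    return alerts
```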
Why Your Security Stack Cannot See This Attack
Most security tools are not designed for SAP environments. WAFs often do not sit in front of SAP, and even when they do, they lack SAP-specific intelligence. SIEM tools rarely ingest SAP logs effectively, and SAP traffic appears normal: malicious requests resemble routine uploads, and exploits look like legitimate RFC calls.
- WAFs often do not sit in front of SAP-facing endpoints. When they do, they typically lack SAP-specific detection logic.
- SIEM tools rarely ingest SAP audit logs effectively. SAP generates logs in proprietary formats (SM20, Security Audit Log, System Log) that most platforms do not parse or correlate for SAP-specific threats.
- SAP traffic appears legitimate. RFC calls look like routine integrations. POST requests to the metadatauploader endpoint resemble development activity. Webshell execution appears as normal outbound HTTP.
- SAP is not treated as a security-monitored asset. It sits under ERP or BASIS teams, outside the security program scope, excluded from penetration testing and scanning schedules.
This creates an ERP security gap for manufacturing CISOs, where attackers operate inside SAP without triggering alerts. Nation-state actors with confirmed links to Chinese intelligence services scanned and compromised over 580 SAP NetWeaver instances in a single campaign. Russia-linked ransomware groups followed in a second wave, using established footholds to deploy encryption payloads. Public exploit tooling available today allows any attacker, including low-skilled actors, to compromise an unpatched SAP instance in minutes.
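The two signals this section says blend into normal traffic, a POST to the metadatauploader endpoint that "resembles development activity" and webshell requests that look like ordinary portal traffic, can still be separated from routine use with two narrow rules. As an added example (written for this page, not Prophaze's code and not an SAP product feature), the following runs those rules over constructed access-log lines: a POST to the endpoint named above, and a request for a JSP under the portal root that never appeared during a baseline window. The log format is Common Log Format rather than the real ICM log layout, and the URL mapping of the on-disk directory named in Step 2 is an assumption.

```python
import re

# Constructed Common Log Format lines (not real SAP ICM logs): a learning window of
# normal portal traffic, then traffic mixing normal use with an exploit-style sequence.
BASELINE_LOG = """\
10.0.5.21 - jdoe [14/Apr/2025:08:00:01 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 5120
"""
SAMPLE_LOG = """\
10.0.5.21 - jdoe [14/Apr/2025:09:12:01 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 5120
203.0.113.45 - - [14/Apr/2025:09:13:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 187
203.0.113.45 - - [14/Apr/2025:09:13:52 +0000] "GET /irj/servlet_jsp/irj/root/cache.jsp HTTP/1.1" 200 64
10.0.5.22 - build [14/Apr/2025:09:20:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$')
UPLOADER = "/developmentserver/metadatauploader"  # endpoint named on the page
JSP_ROOT = "/irj/servlet_jsp/irj/root/"  # assumed URL mapping of the on-disk directory the page names

def parse(line):  # one CLF line -> dict, or None when the line does not match
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def build_jsp_baseline(lines):
    """Collect the JSPs under the portal root seen during the learning window."""
    return {r["path_only"] for r in map(parse, lines)
            if r and r["path_only"].startswith(JSP_ROOT) and r["path_only"].endswith(".jsp")}

def classify(rec, jsp_baseline):
    """Return (severity, reason) when a record matches a rule, else None."""
    p = rec["path_only"]
    if p == UPLOADER and rec["method"] == "POST":
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            return ("critical", "unauthenticated POST to metadatauploader accepted")
        return ("high", "POST to metadatauploader rejected or authenticated (probe)")
    if p.startswith(JSP_ROOT) and p.endswith(".jsp") and p not in jsp_baseline:
        return ("critical", "request to JSP absent from baseline: " + p)
    return None

def scan(lines, jsp_baseline):
    """Run both rules over a log and return (ip, timestamp, severity, reason) tuples."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        hit = classify(rec, jsp_baseline)
        if hit:
            alerts.append((rec["ip"], rec["ts"], hit[0], hit[1]))
    return alerts
```

A rejected POST is still worth an alert: the page notes exposure scanning precedes exploitation by minutes, so probes against a patched host are the earliest warning that the endpoint is being looked at.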
Closing the Gap With Prophaze WAAP
Manufacturing environments cannot always patch immediately, making virtual patching strategies for SAP vulnerabilities critical. Prophaze WAAP delivers AI-driven, unified security across SAP applications and APIs, monitoring every request, session, and API call in real time without requiring code changes or production system modifications.
Key Capabilities:
Virtual Patching for SAP NetWeaver Exposure
Prophaze inspects live traffic and blocks exploit attempts targeting vulnerable SAP endpoints, including /developmentserver/metadatauploader, mitigating risk from CVE-2025-31324 and similar vulnerabilities when patching is delayed or operationally constrained.
AI-Driven Behavioral Monitoring
Continuously learns baseline SAP traffic patterns and detects anomalies across requests, sessions, and APIs. Identifies abnormal RFC call behavior, unauthorized ABAP activity, and access pattern deviations that signature-based tools miss entirely.
Unified API Security and Runtime Discovery
Automatically discovers and monitors all APIs connected to SAP environments, including shadow and undocumented endpoints. Eliminates the blind spots that make SAP such an attractive attack surface.
Real-Time Threat Detection and Response
Detects and blocks threats at runtime using in-application visibility. Stops exploit attempts, abnormal outbound requests from the ERP layer, and data exfiltration activity before impact.
East-West Traffic Visibility
Provides deep inspection of internal traffic between SAP systems and connected environments: MES platforms, middleware, cloud analytics. Identifies lateral movement behavior before it reaches OT-adjacent systems.
Zero-Friction Deployment
Deploys in minutes with no code changes. Delivers unified visibility across cloud, hybrid, and on-premises environments without requiring changes to production SAP configuration.
Why SAP ERP Security Is Manufacturing's Biggest Unmanaged Risk in 2026
The rise of SAP ERP security vulnerabilities in manufacturing is not just a technical problem. It is a governance failure. SAP has been classified as a business system for decades. That classification excluded it from the security program, and attackers have noticed.
The evidence is unambiguous: confirmed exploitation in the wild, over 580 compromised instances in a single nation-state campaign, public exploit tooling available to anyone, and ransomware groups treating SAP databases as high-value encryption targets.
For CISOs responsible for SAP security in manufacturing, the priority in 2026 is straightforward: bring SAP into the security program, monitor it in real time, and protect it at the application layer. The production backbone is not a back-office system anymore. It is a frontline attack surface.
The SAP Connections Your Security Platform Is Missing Right Now
Most manufacturing security teams have no visibility into SAP application traffic, no WAF coverage in front of SAP-facing endpoints, and no behavioral monitoring on RFC calls and ABAP activity. That is the gap that sophisticated attackers are exploiting right now.
If your security platform cannot block exploit attempts against SAP NetWeaver, detect abnormal outbound requests from your ERP layer, or alert when SAP is making connections to systems it has never called before, your production backbone is exposed.
- One crafted POST request. One exposed SAP instance. Entire production operations at risk. Would your team detect it before disruption begins?
Stop SAP-layer attacks before they reach your production floor: see how Prophaze does it.