It is time to summarize the results of another completed year. In 2025, information about 215 new SAP security vulnerabilities was published. In addition, 6 vulnerabilities from previous years were updated. This represents clear growth compared to 2023–2024; however, when looking at a longer historical period, we have effectively returned to average levels.
12.6% of all released SAP Security Notes were rated as HotNews, which can be considered an average result. On average, 18 vulnerabilities were published per month. The busiest months were July and September, while January, June, and October were the least active. It is difficult to draw strong conclusions from this distribution—most likely, it reflects internal limitations of SAP’s patch release processes rather than any external factors.
Every fifth Security Note (20%) was updated during the year. For a vendor such as SAP, this quality level appears relatively low. In most cases, updates affected only the descriptive part of the note, but even so, this indicator could clearly be improved. Unfortunately, such a high update rate reduces trust in the vendor and discourages customers from installing patches quickly. Why rush to implement a fix if it may be updated again in one or two months?
SAP itself discovered only 17% of the vulnerabilities released in 2025. In 83% of cases, external security researchers were involved. This suggests that the high number of Security Notes this year is largely due to the active participation of third-party companies. Without them, the number of fixed vulnerabilities would have been significantly lower. This is an impressive achievement—external researchers found more vulnerabilities than the vendor itself, despite the fact that SAP has full access to the source code.
With a significant lead, Onapsis took first place in vulnerability discovery: their team identified 23% of all vulnerabilities and more than 50% of all HotNews fixes. The second-best result belongs to SAP’s internal team. It is also worth highlighting the remarkable growth of SecurityBridge, from 1 Security Note in 2023 to 4 in 2024 and 17 in 2025. We will continue to observe whether this was a one-time spike or a serious strategic shift.
The most common vulnerability type in 2025 was Missing Authorization Check, accounting for approximately 25% of all Security Notes. When considering only the most critical issues (HotNews), the leading categories were Code Injection, Insecure Deserialization, and Missing Authorization Check.
Now let us look at the most frequently patched software. At the application component level, the leader was BI-BIP-INV, part of the SAP BusinessObjects platform. At the software component level, the most affected were the core elements of the ABAP platform, SAP_BASIS and S4CORE. The most common versions were SAP_BASIS 753/754 and S4CORE 107/108; these are likely the versions most widely used during the year.
Finally, some interesting figures related to long-term dynamics. It makes sense to compare vulnerabilities by software type, as new products appear every year. In 2025, we see a significant increase in the number of ABAP-related Security Notes compared to previous years. However, the peak of 2016 has not yet been reached. Still, this year set an important record: the highest number of ABAP HotNews Security Notes ever released. The reasons behind this are difficult to determine. One possible explanation is a more accurate and honest assessment of vulnerability criticality. Between 2015 and 2018, the number of HotNews notes was suspiciously low.
That concludes this review. The numbers clearly show that the overall number of vulnerabilities is not decreasing and, in some categories, is even increasing. So let us not relax—regular and timely patching of SAP systems remains critical. As a reminder, quickly identifying missed vulnerabilities—without installing ABAP modules or dealing with roles and privileges—is possible using our software solution Offline Security.