Exposing the Dark Corners of SAP: 4 Years of Threat Intelligence Data Analyzed
This talk analyzes four years of threat intelligence data to identify trends in the exploitation of SAP systems by various threat actors. It highlights that SAP is no longer a black box and is increasingly targeted by both sophisticated groups and script kiddies using public exploits for known vulnerabilities. The research emphasizes that SAP systems are widely connected and that security teams must manage SAP security globally, rather than focusing solely on internet-exposed components. The presentation underscores the importance of patching known vulnerabilities, as threat actors are actively seeking and exploiting them for financial gain.
Why SAP Is No Longer a Black Box for Threat Actors
TLDR: Four years of threat intelligence data confirms that SAP systems are now primary targets for both sophisticated state-sponsored groups and opportunistic attackers. Rather than relying on zero-day vulnerabilities, these actors are aggressively weaponizing public exploits for known flaws like CVE-2020-6287 and CVE-2020-6207. Pentesters must shift their focus from simple internet-exposed services to the complex, interconnected nature of SAP landscapes where lateral movement is trivial once an initial foothold is established.
Security researchers and penetration testers have historically treated SAP environments as impenetrable, proprietary black boxes. That era is over. The reality of modern enterprise security is that SAP is not just a backend database; it is the backbone of global business operations, handling everything from HR records to supply chain logistics and financial transactions. Because these systems are so deeply integrated, they have become high-value targets for anyone looking to maximize their return on investment.
The Shift from Zero-Day to Public Exploits
Data analyzed over the last four years shows a clear trend: threat actors are moving away from the high cost and effort of developing zero-day exploits. Instead, they are focusing on the massive window of opportunity provided by known, unpatched vulnerabilities. When a critical vulnerability is disclosed, the time between the release of a proof-of-concept and its weaponization in the wild is shrinking.
Take the RECON vulnerability, CVE-2020-6287, as a prime example. This flaw in the SAP Solution Manager allows for unauthenticated remote code execution. It is not a subtle bug. It is a direct path to full system compromise. Threat actors are not just scanning for this; they are actively sharing scanners and exploit scripts on criminal forums to identify vulnerable instances. Once they have a foothold, they do not stop at the initial server. They use the interconnected nature of SAP to move laterally, targeting the transaction servers and point-of-sale systems that hold the real financial value.
Mechanical Realities of SAP Exploitation
For a pentester, the attack surface is often wider than it appears. The SAP Router is a frequent point of failure. If misconfigured, it acts as a gateway, allowing attackers to bypass perimeter defenses and interact directly with internal SAP services.
Consider the mechanics of an attack involving CVE-2020-6207. This vulnerability in the SAP Solution Manager allows an attacker to bypass authentication by manipulating the way the system handles HTTP requests. A simple payload can trigger the vulnerability:
POST /sap/bc/webdynpro/sap/admin_ui_service/ HTTP/1.1
Host: target-sap-system:8000
Content-Type: application/x-www-form-urlencoded

sap-wd-secure-id=...&...
Once the authentication check is bypassed, the attacker can execute administrative functions. In a real-world engagement, this is where the game changes. You are no longer just testing a web application; you are inside the management console of a multi-billion dollar organization. The impact is not just data exfiltration; it is the ability to manipulate business processes, alter financial records, or deploy ransomware across the entire landscape.
Why ROI Drives the Threat Landscape
Threat actors are rational economic agents. They are not attacking SAP because it is fun; they are attacking it because it pays. The price of exploits on the black market has skyrocketed. Five years ago, a reliable exploit might have been a niche item. Today, we see exploit acquisition programs offering hundreds of thousands of dollars for remote code execution vulnerabilities in SAP NetWeaver.
This financial incentive creates a feedback loop. As the value of these exploits increases, more researchers and criminal groups dedicate resources to finding them. The result is a landscape where even "script kiddies" can cause catastrophic damage by simply running a script they downloaded from a forum. If you are performing a penetration test, you must assume that the client’s SAP environment is already being probed by automated tools looking for these exact, well-documented vulnerabilities.
The Defensive Imperative
Defending these systems requires moving beyond the "perimeter-only" mindset. You cannot secure an SAP environment by just locking down the internet-facing web portal. The internal connections between the Solution Manager, the application servers, and the database are often where the most critical weaknesses lie.
Patching is the single most effective control, yet it remains the most neglected. If your client has not applied the security notes associated with the CVEs mentioned above, they are effectively running an open door. Security teams must implement a global view of their SAP landscape, ensuring that security notes are applied not just to the primary instances, but to every connected component.
Stop thinking of SAP as a separate, isolated silo. It is the most critical part of the network, and it is being treated as such by the people trying to break into it. If you are auditing these systems, look for the gaps in the internal trust model. Check for default credentials, verify the configuration of the SAP Router, and ensure that the administrative interfaces are not accessible to unauthorized internal users. The days of the black box are over, and the attackers have already opened it.
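A concrete form of the SAP Router configuration check mentioned above, as an added example that is not code from the talk or from SAP: a small Python audit that parses a saprouttab route permission table and flags wildcard permit rules, rules shadowed by a catch-all, and the absence of a final explicit deny. The table format is the documented one as the author of this example understands it; the hostnames and addresses in the sample are constructed.

```python
"""Audit an SAP Router route permission table (saprouttab). Added example, not
code from the talk or SAP. Assumes the format '<P|D|S> <src-host> <dst-host>
<dst-service> [password]', '*' as wildcard, '#' comments, first matching rule wins."""
from dataclasses import dataclass

@dataclass
class Finding:
    line_no: int    # 0 = finding about the table as a whole
    rule: str
    reason: str

def _rules(text: str):
    """Yield (line_no, fields) for every non-comment, non-empty line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()

def audit_saprouttab(text: str) -> list[Finding]:
    findings: list[Finding] = []
    catch_all_at, catch_all_action = None, None
    for n, f in _rules(text):
        if len(f) < 4 or f[0] not in ("P", "D", "S"):
            findings.append(Finding(n, " ".join(f), "unparseable rule line"))
            continue
        action, src, dst, svc = f[:4]
        rule = f"{action} {src} {dst} {svc}"
        if catch_all_at is not None:   # first match wins: nothing below a '* * *' rule applies
            findings.append(Finding(n, rule, f"never reached: shadowed by catch-all on line {catch_all_at}"))
            continue
        if action != "D":              # P = plain permit, S = SNC-only permit; both open a route
            for field, value in (("source host", src), ("destination host", dst), ("service", svc)):
                if value == "*":
                    findings.append(Finding(n, rule, f"wildcard {field} in permit rule"))
        if (src, dst, svc) == ("*", "*", "*"):
            catch_all_at, catch_all_action = n, action
    if catch_all_action != "D":
        findings.append(Finding(0, "", "no explicit 'D * * *' deny as the final rule"))
    return findings

# Constructed sample table; hostnames and addresses are made up for the example.
SAMPLE_SAPROUTTAB = """\
S wsadmin01 sapprd01 3200     # SNC-only SAP GUI access to the dispatcher
P 203.0.113.7 sapgw01 3300    # partner system to the gateway, nothing else
P * sapsolman *               # "temporary" rule that nobody removed
D * * *
P wsadmin02 sapprd01 3200     # never reached
"""
if __name__ == "__main__":
    for fnd in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {fnd.line_no or '-'}: {fnd.rule or '(table)'}: {fnd.reason}")
```

Running it against the sample reports the two wildcards on the Solution Manager rule and the shadowed rule after the deny; a table ending in `P * * *` instead is reported both for its wildcards and for lacking a final deny.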