SAP cyberattack widens, drawing Salt Typhoon and Volt Typhoon comparisons

Multiple firms are tracking the zero-day attacks on Europe’s top software firm.
Signage at the headquarters of SAP AG, Germany's largest software company on January 8, 2013 in Walldorf, Germany. (Photo by Thomas Lohnes/Getty Images)

Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.

The zero-days — vulnerabilities previously unknown to researchers or vendors, but already discovered by malicious hackers — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting the flaws, beyond the original Chinese government-connected attackers.

“The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoon and then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”

A number of companies have been tracking the vulnerability and its consequences, including Onapsis, in which DeWalt’s company invests, along with EclecticIQ, ReliaQuest and Google’s Mandiant.

Onapsis has collaborated with Mandiant to develop an open-source tool to help organizations detect the attack, which is particularly stealthy, according to Mariano Nunez, CEO of Onapsis, who believes there are likely thousands of victims.

“We’ve discovered that attackers could actually deploy these attacks without even touching or without even creating web shells,” Nunez told CyberScoop. “They could execute commands in a way that they would not be detected through looking for web shells in the systems or artifacts.”

A couple of other things make the vulnerabilities particularly worrisome, DeWalt said. One is that they affect SAP NetWeaver, which he noted sits in the “middleware” layer of SAP’s infrastructure and gives attackers a lot of options.

“I think of this like SolarWinds, where you’re able to get full remote access of the SAP system,” he said. “You could then modify, delete or insert data into SAP unchecked. You can turn off logging. You can add new administrators. You can exfiltrate. You can infiltrate. You can put code executables into the platform, very Orion-like, as part of the SolarWinds.”

Second, the patches require a full reboot. “Not many companies were willing to do a full reboot of SAP, because these are manufacturing and financial systems, and [there is] lots at stake when you’re doing a reboot like that,” DeWalt said.

The victims — 581 of them identified so far in EclecticIQ’s latest count, which is likely only partial — are primarily in the United States, United Kingdom and Saudi Arabia, DeWalt said. They include critical infrastructure owners and operators in the fields of oil and gas, medical device manufacturing, water and waste management, and government agencies.

Google Threat Intelligence Group told CyberScoop it has seen successful exploitation of one of the zero-days dating back to March.

“Exploitation, thus far, has been successful at posting files and web shells to vulnerable SAP servers, while evidence also suggests actors have been successful at command execution and exfiltrating data,” said Jared Semrau, a senior manager at Google Threat Intelligence Group.

But Nunez said the attacks are across all industries.

Also concerning is that news about the attack became public in late April, but Onapsis traced the attack back to Jan. 20. “Three months is a lot of dwell time in cyber,” DeWalt said. Jan. 20 was Inauguration Day for President Donald Trump, and there’s reason to believe that the attackers were interested in espionage on U.S. tariff negotiations, since much of the activity happened during the height of those talks, DeWalt said.

Governments in affected countries have been, or are being, briefed, he said.

SAP is urging users to patch their systems.

“SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer,” SAP told CyberScoop in a statement. “SAP issued a patch on April 24, 2025. A second vulnerability has also been identified and a patch was released on May 13, 2025. We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here.”
