Expanded duration of illicit manipulation of Oracle and SAP security weaknesses poses a threat to their security
In the ever-evolving digital landscape, businesses are facing a new challenge: the rapid exploitation of vulnerabilities in SAP and Oracle systems. Just 72 hours after SAP released a patch for the RECON vulnerability (CVE-2020-6287), active exploitation was detected, underscoring the urgency for companies to stay vigilant.
This trend of quicker exploitation times is concerning, as it gives defenders less time to respond and address the vulnerabilities. Onapsis Research Labs, a cybersecurity firm specialising in protecting SAP and Oracle systems, fears that this may not be an isolated incident and anticipates a rise in the number of such vulnerabilities in the coming years.
The increasing complexity of applications, digital transformation in the cloud, and the booming "black-hat business" present ever-growing challenges in ensuring security and managing the growing number of discovered vulnerabilities for software vendors.
The National Vulnerability Database corroborates this, showing a year-on-year increase in the number of Common Vulnerabilities and Exposures (CVEs). Keeping up with these vulnerabilities can be a significant challenge for companies and users, especially when offering patch management for critical ERP systems that cannot afford to go down.
To help teams understand their vulnerabilities and prioritise patches, Onapsis offers a platform that is the only SAP-supported solution addressing these processes in an integrated way with the existing stack. The platform aids in identifying ERP applications, modules, and components to better understand the attack surface and threat landscape.
Moreover, Onapsis advises understanding what vulnerabilities exist and which patch guidelines apply, developing a plan to prioritise and address security vulnerabilities, recognising that vulnerabilities affecting other providers besides Microsoft, Apple, or Google are increasingly targeted by threat actors, and considering integrating the security of business-critical applications more closely into existing security programs.
Recent reports indicate that threat actors are increasingly targeting a broader range of software, including software not managed by these three major providers. For instance, the Mandiant report suggests that N-Day vulnerabilities, those published without patches, are more likely to be exploited within the first month of becoming known, even where the first exploitations were spread over a six-month period.
CISA included SAP and Oracle vulnerabilities in its Cybersecurity Advisory on the most exploited vulnerabilities of 2022. Interestingly, the providers with the most exploited vulnerabilities, according to Mandiant's Time-To-Exploit Trends report, are primarily SAP and Oracle themselves, with a significant number of SAP vulnerabilities exploited within shorter timespans.
This is historically the first time that more than half of the exploited vulnerabilities are on providers other than the three major operating system and application software providers. According to Mandiant, more than 50% of the total exploited vulnerabilities are on providers other than Microsoft, Google, and Apple.
Older vulnerabilities are still valuable targets for threat actors, as shown by the continued exploitation of vulnerabilities like ICMAD (CVE-2022-22536), RECON (CVE-2020-6287), and Invoker Servlet vulnerability (CVE-2010-5326). The increasing number of CVEs leads to an increase in the number of security vulnerabilities actually exploited in the wild.
In conclusion, businesses must be proactive in understanding and addressing the vulnerabilities in their SAP and Oracle systems. The rapid exploitation of these vulnerabilities underscores the importance of staying informed, prioritising patches, and integrating security more closely into existing programs.