More Than The Sum of its Parts: Combining EASM and Pentesting

In late April 2025, SAP released an emergency patch for a critical vulnerability in SAP NetWeaver, sending security teams across Europe scrambling to assess their exposure. The flaw, CVE-2025-31324, was rated critically severe, and the details that followed made clear why.

Media reports quickly revealed the full scope. SAP NetWeaver Visual Composer allowed unauthenticated malicious file uploads through a specific HTTP API endpoint (/developmentserver/metadatauploader). Even worse, the vulnerability had reportedly been exploited since February or March, allowing attackers to drop backdoors (webshells) into public directories and take control of servers. Just four days after the patch release, over 1,100 systems were already compromised.

Consider Christian, a CISO at a mid-sized European enterprise where SAP NetWeaver underpinned core business operations, as it does in thousands of organizations and government agencies. Like every CISO that week, Christian faced one question from his board: are we affected?

EASM Helps But Has Its Limitations

Luckily, Christian’s company had invested in a robust External Attack Surface Management (EASM) platform. Unlike traditional CMDBs, EASM provides clear answers about which IT assets exist and, crucially, which are exposed externally. EASM continuously inventories domains, subdomains, IP ranges, cloud instances, SaaS platforms, web applications, APIs, exposed services, certificates, forgotten test systems, and shadow IT. After all, you cannot protect what you do not know.

SAP systems usually sit deep inside corporate networks, but some components are often visible externally, including gateways, web front-ends, partner portals, or old instances left online after migrations. Tools like Visual Composer, which allow web applications to be built via drag-and-drop in a browser, are especially likely to be internet-accessible. Christian’s team identified three exposed endpoints, which were prioritized for immediate patching.

Modern EASM platforms do more than detect exposed assets. They enrich findings with contextual data to identify known vulnerabilities, misconfigurations, and associated risks. They support prioritization and workflows, ideally integrating with ITSM and SIEM platforms.

Even though the EASM system flagged the exposed systems on 25 April and warned about the new vulnerability, patching alone could not guarantee the risk was eliminated. CVE-2025-31324 was a zero-day, and no one could be certain whether it had already been exploited to infiltrate the network.

Where EASM Falls Short

EASM platforms are invaluable for detecting attack points visible from the outside, such as open ports, outdated versions, weak TLS configurations, and known vulnerabilities. However, they cannot predict zero-days or detect what attackers have already achieved once inside, such as a backdoor installed months ago. Logic flaws, poor access controls, overly generous API permissions, and exploitable processes often require human insight to uncover.

Christian’s team examined logs, hunted for IoCs, and commissioned a thorough penetration test in which external white-hat hackers probed the system using automated and manual techniques. Only by 12 May could the team give management the all-clear.
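The log review described above, as an added example that is not from the article or from Outpost24: a small Python triage script over constructed web-server access-log lines that lists every request to the endpoint the article names and flags any source that fetched a .jsp page after a successful POST to it (the drop-then-use pattern the article describes). The Common Log Format, the sample lines, and the follow-up heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit

# The endpoint named in the article's description of CVE-2025-31324.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample access-log lines (Common Log Format), not real evidence:
# 192.0.2.0/24 is a documentation range and the .jsp filename is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
192.0.2.55 - - [24/Apr/2025:09:14:33 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
192.0.2.55 - - [24/Apr/2025:09:14:40 +0000] "GET /irj/placeholder_shell.jsp HTTP/1.1" 200 88
192.0.2.77 - - [24/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
192.0.2.10 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal/logon HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the request fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # strip any query string
    rec["status"] = int(rec["status"])
    return rec

def uploader_hits(log_text):
    """Every request to the uploader endpoint, successful or not."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["path"] == UPLOADER_PATH]

def suspicious_sources(log_text):
    """Source IP -> .jsp paths it fetched after a 2xx POST to the uploader: the
    drop-then-use pattern the article describes. Heuristic; lines assumed time-ordered."""
    uploaded_by, followups = set(), {}
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        if r["path"] == UPLOADER_PATH and r["method"] == "POST" and 200 <= r["status"] < 300:
            uploaded_by.add(r["ip"])
        elif r["ip"] in uploaded_by and r["path"].lower().endswith(".jsp"):
            followups.setdefault(r["ip"], []).append(r["path"])
    return followups
```

A rejected request (the 401 in the sample) still shows up in `uploader_hits`, because reconnaissance against the endpoint is worth knowing about even when it fails.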

Unfortunately, not everyone was so lucky. By mid-May, ransomware attacks exploiting CVE-2025-31324 increased, including campaigns linked to threat actors from China and Russia. Attackers chained it with another vulnerability discovered in May, CVE-2025-42999, combining code upload and execution. By August, ready-to-use exploits made it easier for less skilled attackers to strike.

Updating the Strategy

In 2025 alone, SAP issued 215 security alerts, averaging 18 per day, with nearly a third (31%) classified as critical (“HotNews”) or urgent (“High Priority”). When dealing with this volume of new vulnerabilities, an efficient security strategy must address three structural problems:

  1. Rapidly growing attack surface: The attack surface of organizations is growing at an ever-increasing rate, driven in no small part by the unchecked trends toward cloud computing, SaaS, and “API first.” Effective EASM is indispensable here.
  2. Zero-days and ever faster exploits: Attackers are often faster than EASM and patching processes, so additional lines of defense are needed.
  3. Attack chains: Hackers regularly exploit multiple vulnerabilities to make their attacks more efficient, and even without a serious vulnerability, an asset can serve as a gateway through leaked access data or a combination of minor weaknesses. Once inside the network, attackers take their time finding their way to the crown jewels, and such attacks are difficult to detect or defend against automatically.

For organizations within NIS2 scope, or UK operators of essential services under the NIS Regulations, this is no longer just a question of good practice. Continuous visibility of exposed assets, timely vulnerability management, and demonstrable testing of defenses are increasingly tied to regulatory obligations, and a reactive posture is harder to justify to auditors, insurers, and boards.

Pen-testing Complements EASM

Penetration testing simulates real attacks in a controlled and authorized manner. Pentesters use the same tactics and tools as attackers to uncover risks, including vulnerable assets, configuration errors, social engineering susceptibility, and leaked credentials from the dark web. They attempt to compromise systems, escalate privileges, and move laterally across the network.

While EASM passively maps the attack surface without impacting infrastructure, pentesting actively challenges defenses, identifying vulnerabilities that EASM cannot detect. This includes business logic flaws and complex exploit chains requiring human insight. Pentests bridge the gap between theoretical exposure and practical exploitability.

Frequency matters. Traditional pentests are snapshots, but dynamic environments constantly introduce new attack surfaces. Continuous Pentesting-as-a-Service (PTaaS) combines human-led testing with automation, focusing on business-critical or high-risk areas, and results are delivered in real time on an online dashboard that provides a live overview of threats and mitigations.

Synergies Through Integration

This is exactly where synergies emerge when EASM and pentesting services are integrated as closely as possible. EASM provides an up-to-date view of security, while pentesting adds depth. EASM increases transparency and gives a better understanding of the attack surface, showing which external assets exist and which may carry risks, whether because of their exposure, known vulnerabilities, possible configuration issues, or business relevance. Pentesting then takes the most critical assets and thoroughly tests them to determine their actual risk potential.

If EASM identifies a web application as potentially vulnerable, initiating a pentest can be done with just a few clicks. Ideally, it should be possible to schedule EASM scans, review their results, initiate different pentesting actions such as quick, thorough, or continuous dynamic security tests, check the results and current security status, and have everything compiled into clear reports, all within a single, unified interface.

An integrated strategy that combines EASM with PTaaS leaves security teams far better prepared for the next zero-day, and the logical next step is integrating Digital Risk Protection (DRP) to surface compromised credentials and threat intelligence circulating on the dark web and social media.

With solutions from Outpost24, you can flexibly implement your own integrated EASM security strategy. For example, you can combine EASM and PTaaS in our CyberFlex solution, or integrate DRP modules into Outpost24 EASM through CompassDRP.

Contact us today or book a personalized demo to see our EASM and PTaaS solutions in action and discover how we can help close security blind spots in your organization.

About the Author

Dominique Adams, Cybersecurity Writer, Outpost24

Dominique Adams is a UK-based cybersecurity writer with over seven years of experience in the cybersecurity industry. Her work focuses on cyber risk, threat trends, security operations, and helping organizations understand complex security challenges.