Five years after launching its rescue plan to lift ERP users to the cloud and switch them to the latest software, SAP is off target by about €2 billion, The Register can reveal.

Users reliant on SAP’s legacy ERP software – including global businesses such as Airbus and BMW – are facing the end of mainstream support in 2027, but the German software giant has already changed its stance on support deadlines. As it misses migration targets, some experts see a change in emphasis.

In October 2020, SAP CEO Christian Klein promised a new strategy after cuts to its sales and margin outlook caused a 23 percent share price crash.

Speaking to investors, he said it would involve “accelerated technical migration of our customers’ most important business applications to the cloud” in a platform powered by SAP S/4HANA, the in-memory database.

The following January, SAP introduced customers to the new plan called RISE with SAP. For starters, RISE with SAP promised a lift-and-shift of complex SAP environments into public, private, and hybrid clouds. In addition, it planned to move users of ERP software older than S/4HANA onto the latest in-memory platform launched in 2015. Third parties signing up to the plan included Accenture, Atos, Capgemini, Cognizant, and Deloitte Consulting, as well as cloud providers AWS, Microsoft Azure, and Google Cloud.

Early last year, it emerged that SAP may have strayed off target. Figures from the end of Q4 2024 showed only 39 percent of worldwide ECC customers – from a total of 35,000 – had bought or subscribed to licenses to start their transition to SAP S/4HANA. The figure was up marginally on the 34 percent recorded for the same quarter a year earlier.

These are the most recent figures available on ECC migration. Last year, SAP replaced RISE with SAP S/4HANA Cloud Private Edition with SAP Cloud ERP Private Edition, creating confusion over licensing. The move also made it more difficult to compare like-with-like in terms of reported migration figures.

On-prem support revenue shows cloud migration behind schedule

However, since SAP bundled cloud migration and ERP upgrades together, on-prem software support revenue – which relates almost exclusively to ERP with a small chunk of data warehouse software – acts as a proxy for cloud adoption. As cloud revenue goes up, on-prem software support goes down because support is included with cloud revenue. SAP already knew this.

In 2022, then-CFO Luka Mucic told investors that for 2025, SAP wanted to see €8.5 billion in support revenues, down from around €11.5 billion in 2021, as users move from on-prem licenses and support to cloud subscriptions. But the 2025 full-year figure for on-prem software support is €10.5 billion, down only 7 percent from 2024’s €11.29 billion. That’s €2 billion off where SAP wanted to be, or about 24 percent more than it should have been. Between 2021 and 2024, the category only fell 2 percent.

In fact, Mucic, who left SAP in 2022, told investors in 2020 the company would be “arriving fully in the cloud come 2025.” With €8.5 billion in on-prem software support revenues for that year, SAP is a long way from where it said it would be, whichever way you measure it.

As well as the carrot of an in-memory database, and promise of “innovation” only with S/4HANA in the cloud, SAP has the stick of ending software support. Mainstream support for ECC ends in 2027, while extended support is available at a two percent premium until the end of 2030. Signing up to a cloud migration deal gives customers a stay of execution until 2033 in some circumstances.

Business case still a barrier for legacy users

The question is why are some customers so reluctant to give up on their ECC software? The most straightforward answer is that they don’t see the value. Last year, Freeform Dynamics’ survey of 455 CIOs, senior-level IT roles, SAP specialists, and business managers found 95 percent of legacy users say building a positive case to migrate requires a big effort or is genuinely challenging. The research echoes concerns shared by user groups and individual users over the last five years.

This may be down to the mantra that this is not a software upgrade. Ideally, SAP expects users to rid their ERP software of any customization built for ECC and move to S/4HANA and the cloud with a “clean core” on which they can build extensions using the cloud-based Business Technology Platform (BTP).

In a sense, users are damned if they do and damned if they don’t. Organizations that take too many of their ECC customizations to S/4HANA will struggle to keep pace with mandatory software upgrades and won’t have sufficient agility to access SAP innovation, limiting benefits. But users going for the “clean core” approach face re-engineering processes that might have been habituated among thousands of end users for a decade or more, which can take as much work as the technical migration, adding to costs and timelines. Either way, it’s difficult to get the justification to add up.

Kingfisher – which operates 2,000 European retail stores including UK brands Screwfix and B&Q – has rejected SAP’s migration plan. The company told a Gartner conference last year that it had moved its ECC system to the cloud, with third-party support from Rimini Street. It is building automation, AI, and data analytics around the ERP system through partnerships with Google and Databricks.

Gartner has predicted that by 2030, more than 10,000 SAP customers will continue to support major parts of their business with solutions based on SAP ECC, with the larger, more complex organizations over-represented in this group.

Speaking to The Register, Jens Hungershausen, chair of German-speaking user group DSAG, said: “The main problem is a business case of moving to S/4HANA. There are a lot of customers who just waited and hoped that there would be some kind of change in the maintenance strategy from SAP.”

A survey by DSAG, which represents users in German, Austria, and Switzerland, found that of ECC users, about half would continue investing in the legacy system beyond the support 2027 deadline.

“The point here is that a lot of members actually have a plan,” Hungershausen said.

ECC users will migrate in the end

Some, he suspects, will take advantage of the option to get ECC support until the end of 2033, signing up to the deal announced in January last year.

Hungershausen says most of the ECC users who are yet to start their migration to S/4HANA would do so with a so-called brownfield migration, which preserves existing processes, data, and custom code.

“It won’t be a real transformation.”

However, some organizations relying on ECC were waiting to see if SAP would extend the maintenance again to allow time to transition to the new software.

“Clearly, there are no other options available to the customers. SAP made a maintenance commitment to support S/4HANA until 2040. They extended ECC maintenance until 2027, so that’s almost 12 years of time to move to adopt a new version of the software. I think that’s good,” Hungershausen said. The reason migrations are off-track could be down to economic and geopolitical uncertainty.

However, Hungershausen says DSAG continues to take issue with SAP’s stance on “innovation,” which largely means bringing new features such as AI to its ERP platform.

In 2023, SAP boss Klein told investment analysts that future innovation would only be available in the cloud via RISE with SAP. The statement outraged users, who said a 2020 remark from product engineering lead Thomas Saueressig – that S/4HANA would be “the architecture and platform of the future for our customers” – included no caveats about the cloud.

“We keep calling out SAP for that, because I strongly believe that even if you look in the direction of AI adoption, it would be beneficial to at least make also the innovations available to S/4 and, explicitly, S/4 customers on premises,” Hungershausen said.

SAP shifts focus from migration to ‘innovation’

With SAP so dramatically missing targets for ERP migration, its attitude to customers may be changing.

Alisdair Bach, head of SAP practice at consultancy Dragon ERP, told The Register that SAP is more focused on upselling products to meet demand for innovation, particularly with AI, rather than simply pushing its ERP modernization agenda.

“Modernization has come to an end: the world has moved on. The conversation around S/4 is quite an old conversation now,” he said.

Customers with ECC investments could move to S/4 via a brownfield migration, avoiding transformation. For those staying with ECC, SAP offers a dedicated SAP ERP Private Edition subscription for ERP ECC systems, currently available until the end of 2030. The SAP ERP Private Edition Transition Option, introduced last year, is available until 2033.

By that time, the migration may be easier for customers to consume, given the application of AI in migration planning and execution, Bach says. In the meantime, SAP is more focused on generating revenue in other ways. “There is a broader focus on upselling the wider product portfolio from SAP. Getting ECC customers into the cloud, it can start upselling AI licensing, Business Data Cloud: upsell, upsell, upsell, in terms of bite-sized chunks of the generic innovation.”

Bach argues that the only way SAP can fulfill its promise to investors to start driving more revenue from agentic AI is to sell to its legacy install base that has moved to the cloud. As such, he is predicting that Joule, SAP’s agentic AI platform, will come to ECC in the cloud later this year.

Another example is SAP Agent Builder. Although it is part of Joule Studio, it is not exclusive to RISE, and is available to on-prem customers under SAP Build Developer licenses on BTP.

RISE with SAP was the vendor’s multibillion-euro response to its investors’ lack of faith. If it raises enough revenue from so-called innovation products, then they will be happy and stay silent about SAP falling behind its ERP modernization plan. If not, the ball will be in SAP’s court once again.

SAP declined to comment. ®

A new exploit kit for Apple iOS devices designed to steal sensitive data from is being wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.

According to GTIG, multiple commercial surveillance vendors and suspected state-sponsored actors have utilized the full-chain exploit kit, codenamed DarkSword, in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine. 

The discovery of DarkSword makes it the second iOS exploit kit, after Coruna, to be discovered within the span of a month. The kit is designed to target iPhones running iOS versions between iOS 18.4 and 18.7, and is said to have been deployed by a suspected Russian espionage group named UNC6353 in attacks targeting Ukrainian users.

It’s worth noting that UNC6353 has also been linked to the use of the Coruna in attacks aimed at Ukrainians by injecting the JavaScript framework into compromised websites.

“DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor,” Lookout said. “Notably, DarkSword appears to take a ‘hit-and-run’ approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup.”

• CVE-2025-31277 – Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6)
• CVE-2026-20700 – User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3)
• CVE-2025-43529 – Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2)
• CVE-2025-14174 – Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2)
• CVE-2025-43510 – Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
• CVE-2025-43520 – Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)

Lookout said it discovered DarkSword after an analysis of malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iFrame element that’s responsible for loading a JavaScript to fingerprint devices visiting the site and determine whether the target needs to be routed to the iOS exploit chain. The exact method by which the websites are infected is currently not known.

What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.

“DarkSword is a complete exploit chain and infostealer written in JavaScript,” Lookout explained. “It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device.”

As is the case with Coruna, the attack chain begins when a user visits via Safari a web page that embeds the iFrame containing JavaScript. Once launched, DarkSword is capable of breaking the confines of the WebContent sandbox (aka Safari’s renderer process) and leveraging WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback functions.

This, in turn, enables the dataminer malware – referred to as GHOSTBLADE – to gain access to privileged processes and restricted parts of the file system. Following a successful privilege escalation, an orchestrator module is used to load additional components that are designed to harvest sensitive data, as well as inject an exfiltration payload into Springboard to siphon the staged information to an external server over HTTP(S).

This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi WiFi configuration and passwords, location history, calendar, cellular and SIM information, installed app list, data from Apple apps like Notes and Health, and message histories from apps like Telegram and WhatsApp.

iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529) based on the iOS version to achieve remote code execution via CVE-2026-20700, and then escape the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.

In the final stage, a kernel privilege escalation flaw (CVE-2025-43520) is leveraged to obtain arbitrary read/write and arbitrary function call capabilities inside mediaplaybackd, and ultimately execute the injected JavaScript code.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language,” Lookout said. “This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development, and extensibility.”

Further analysis of the JavaScript files used in DarkSword has been found to contain references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from a previous version targeting older versions of the operating system.

Another aspect that sets DarkSword apart from other spyware is that it’s not meant for persistent surveillance and data gathering. In other words, once the data exfiltration is completed, the malware takes steps to clean the staged files and exits. The end goal, Lookout noted, is to minimize the dwell time and exfiltrate the data it identifies as quickly as possible.

Very little is known about UNC6353, other than its use of both Coruna and DarkSword via watering hole attacks on compromised Ukrainian websites. This indicates that the hacking group is likely well-funded to secure high-quality iOS exploit chains that are likely developed for commercial surveillance. It’s assessed that UNC6353 is a technically less sophisticated threat actor that operates with motives aligned with Russian intelligence requirements.

“Given that both Coruna and DarkSword have capabilities for cryptocurrency theft and intelligence gathering, we must consider the possibility that UNC6353 is a Russia-backed privateer group or criminal proxy threat actor,” Lookout said.

“The complete lack of obfuscation in DarkSword code, the lack of obfuscation in the HTML for the iframes, and the fact that the DarkSword File Receiver is so simply designed and obviously named lead us to believe that UNC6353 may not have access to strong engineering resources or, alternatively, is not concerned with taking appropriate OPSEC measures.”

The use of DarkSword has also been linked to two other threat actors –

• UNC6748, which targeted Saudi Arabian users in November 2025 using a Snapchat-themed website, snapshare[.]chat, that leveraged the exploit chain to deliver GHOSTKNIFE, a JavaScript backdoor capable of information theft.
• Activity associated with Turkish commercial surveillance vendor PARS Defense that used DarkSword in November 2025 to deliver GHOSTSABER, a JavaScript backdoor that communicates with an external server to facilitate device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code.

Google said the observed UNC6353 use of DarkSword in December 2025 only supported iOS versions from 18.4 to 18.6, while that attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7.

“For the second time in a month, threat actors have employed waterhole attacks to target iPhone users,” iVerify said. “Notably, neither of these attacks was individually targeted. The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.”

“In both instances, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in the deployment of the iOS offensive capabilities. These recent events prompt several key questions: How big and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices? How accessible are such powerful capabilities to financially motivated actors?”