Layer Seven Security

Digital Operational Resilience Act (DORA) Compliance for SAP Solutions

The Digital Operational Resilience Act (DORA) is a regulation that mandates standards for cybersecurity and operational resilience in the financial sector within the European Union (EU). It provides standards for governing risks in Information and Communications Technology (ICT) to ensure banks, insurers, investment firms, and other financial institutions are able to deliver critical services by effectively resisting, responding to, and recovering from ICT disruptions. The act took effect on January 17, 2025, with oversight from the European Supervisory Authorities EBA, ESMA, and EIOPA, which define and enforce the technical standards for the regulation.

The Five Pillars of DORA

DORA’s core objective is to support the integrity and continuity of financial services against ICT risks including cyberattacks. The regulation includes the following five pillars:

  1. Risk Management: a comprehensive governance and control framework covering ICT asset inventory, protection, detection, response, recovery, backup, logging and monitoring, change management, and resilience-by-design.
  2. Incident Management and Reporting: consistent handling of ICT incidents and mandatory reporting of major incidents.
  3. Operational Resilience Testing: vulnerability assessments and penetration testing focused on critical functions.
  4. Third-Party Risk Management: oversight for ICT vendors and providers including outsourced services.
  5. Information Sharing: mechanisms to share cyber threat information and intelligence to strengthen sector-wide resilience.

The Impact of DORA for SAP Solutions

For many financial services organizations, SAP solutions support critical functions such as procurement and supplier operations, human resource management, and finance and controlling. Therefore, they are often part of the ICT fabric that must be governed, monitored, tested, and recoverable for DORA compliance. Under DORA, SAP solutions require tight integration with:

  • ICT Risk Governance, including the definition of key risk indicators and controls testing.
  • SOC Operations, including detection, triage, and handling of incidents.
  • Service Management, including approvals, evidence, and testing for changes.
  • Supplier Management, including managing hosting providers, system integrators, and external integrations such as APIs.

DORA effectively obliges organizations to manage SAP solutions as regulated platforms, requiring baseline controls, continuous monitoring, regular patching, frequent testing, and periodic reporting.

DORA Compliance with the Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP (CES) enables organizations to comply with DORA by identifying and managing ICT risks in SAP solutions, detecting and responding to security incidents, securing third-party integrations, and verifying and reporting compliance with SAP security benchmarks. The solution supports compliance with each of the five pillars of DORA for SAP systems.

Pillar 1 – Risk Management

  • Continuous SAP security monitoring including the detection of security-related changes in SAP solutions.
  • SAP-specific vulnerability management including the detection of 5000+ security weaknesses in SAP.
  • Custom code security including the detection of 300+ vulnerabilities in custom ABAP programs and SAP UI5 / Fiori applications.
  • SAP patch management including the detection of relevant security notes and support packages.
  • Alignment to SAP-specific baselines and cloud hardening benchmarks including the SAP Security Baseline, security guidance for S/4HANA, and SAP RISE/ECS mandatory security requirements.

Pillar 2 – Incident Management and Reporting

  • Threat detection: Detection and alerting for 1500+ Indicators of Compromise (IOC) in SAP solutions including application, database and host-level logs.
  • Risk-based prioritization of SAP alerts based on operational impact for rapid classification.
  • Standard operating procedures and workflows for investigating, tracking and reporting on incident investigations.

Pillar 3 – Operational Resilience Testing

  • Compliance monitoring and baseline checks to validate SAP hardening.
  • Threat detection exercises for SAP attack paths including privilege escalation, interface abuse, suspicious admin changes, and calls to critical SAP function modules, reports, services, and transactions.
  • Daily vulnerability scanning to support risk identification and mitigation.

Pillar 4 – Third-Party Risk Management

  • Visibility into external interfaces in SAP solutions including cloud connections.
  • Evidence for SAP RISE / managed-service security requirements.
  • Accountability for system integrators against SAP security standards.

Pillar 5 – Information Sharing

  • SAP-specific security intelligence including threat detection patterns, CVEs, and zero-day vulnerabilities.
  • Standardized reporting for information sharing with cross-functional teams and sector forums.

The Cybersecurity Extension for SAP supports digital resilience and DORA compliance by ensuring security for SAP solutions is measurable, monitored, and audit-ready. It provides continuous evidence of SAP hardening, while strengthening operational resilience through incident detection, streamlined response, and reduced exposure to cyber risks.

SAP Security Notes, January 2026

Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The correction in the note applies input validation to prevent user-controlled input from being injected into SQL queries. A workaround is also detailed in the note: access to the vulnerable function modules in function group FGL_BCF should be restricted using authorization object S_RFC. According to the note, the function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces.

Hot news note 3694242 deals with another critical vulnerability in SAP S/4HANA that can be exploited to execute arbitrary ABAP code and OS commands and to bypass authorization checks. The vulnerability effectively functions as a backdoor, leading to the risk of full system compromise. The correction in the note removes the vulnerable code. Although a workaround is not included in the note, it is also possible to use authorization object S_RFC to temporarily address the vulnerability by restricting access to the affected function group.

Note 3697979 addresses a similar critical ABAP code/OS command injection vulnerability in SAP Landscape Transformation.

Note 3668679 patches a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager. The vulnerability can be exploited to execute commands on workstations using malicious JNLP (Java Network Launch Protocol) files accessible via URLs. Wily Enterprise Manager should be upgraded to version 10.8 SP01 Patch 2 ([PRIVATE_IP].220) to remove the vulnerability.

Note 3691059 fixes a privilege escalation vulnerability in SAP HANA that can be exploited by attackers to gain administrative access to the database. The correction in the note prevents unauthorized user switching to remove the root cause of the vulnerability.

Notes 3675151 and 3688703 deal with high-risk OS command and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP.

Note 3565506 addresses multiple vulnerabilities in the SAP Fiori Application Intercompany Balance Reconciliation. The impacted components include S4CORE in SAP S/4HANA.

Key Security Findings from the RISE with SAP 2025 Benchmark Report

SAPinsider’s RISE with SAP 2025 benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping migration decisions. From a security standpoint, the most material finding is broad customer non-compliance with the shared model of responsibility, and more specifically, failure to implement and sustain SAP’s mandatory security hardening requirements documented in relevant SAP notes for SAP systems operating in SAP’s cloud delivery model.

Broad Non-Compliance with Customer Security Responsibilities

The report identifies a significant gap between SAP’s cloud security expectations and customer execution. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration, access controls, and compliance with SAP-defined hardening standards.

Two key findings stand out:

  • Less than half (45%) of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private security.
  • Approximately one-third are aware of the model but do not follow it rigorously, indicating that a majority of organizations either do not fully understand or are not consistently executing their responsibilities.

This is not a minor administrative gap. The report explicitly warns that failure to follow both the shared responsibility model and SAP’s mandatory hardening requirements leaves systems open to attack. For leadership teams, the implication is straightforward: cloud migration does not transfer accountability for SAP security outcomes to SAP. If required customer-side controls are not implemented and maintained, the organization bears the risk.

Hardening Requirements Are Frequently Missed

The report goes beyond general security awareness and points to a more specific and operational problem: customers running SAP Cloud ERP Private in SAP’s cloud delivery environment must comply with SAP’s mandatory security parameters and hardening requirements, as documented in relevant SAP notes for ABAP, HANA and Java systems and related components. This includes notes 3250501, 3480723 and 3381209.

The report underscores that non-compliance with these requirements materially increases exposure. In business terms, required hardening defines baseline expectations for how SAP systems must be configured to reduce preventable attack paths. Failure to apply those settings—consistently and over time—creates vulnerabilities that can persist in SAP solutions.

Compliance Is a Moving Target

A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, platform changes, and evolving best practices. As a result, a system that was compliant at go-live may drift out of compliance over time even without major architectural change.

This creates a practical operational risk: compliance must be managed as an ongoing discipline, not a one-time implementation deliverable. Organizations need repeatable processes to track new and updated SAP security guidance, assess its applicability, validate their current posture, and remediate gaps across their SAP landscapes.

Business Risk of Non-Compliance: Support, Liability, and Exposure

The consequences of non-compliance extend beyond technical risk and into contractual and legal exposure:

  • Support risk: When hardening requirements and mandatory parameters are not implemented, incident response becomes more complicated. In high-severity security situations, customers may face delays and friction in diagnosis and remediation, and their position with SAP support can be weakened if the environment is not aligned with required security standards.
  • Legal and regulatory risk: In the event of a data breach, organizations are often required to demonstrate that they followed vendor-prescribed security requirements and reasonable security practices. If an organization cannot demonstrate compliance with SAP’s documented security hardening guidance, it can weaken the company’s defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, litigation, and reputational harm. Ultimately, under a shared responsibility model, the customer retains accountability—and therefore liability—for customer-controlled security controls.

Additional Survey Indicators Relevant to Security Posture

Although the report is broader than security, several survey results reinforce the importance of establishing a robust cloud security operating model:

  • 80% of respondents identify comprehensive monitoring to ensure system health and security as a key requirement for their ERP transformation and innovation initiatives.
  • 79% indicate the need for best-practice compliance checks that avoid outages, underscoring that organizations see compliance and stability as tightly linked.

These findings align with the report’s security message: maintaining control effectiveness requires continuous monitoring and governance, not periodic reviews.

How the Cybersecurity Extension for SAP from Layer Seven Security Addresses These Challenges

The report’s core security finding—customer non-compliance with evolving security requirements—directly aligns with the capabilities of Layer Seven Security’s Cybersecurity Extension for SAP. The solution is designed to help organizations operationalize their security responsibilities in SAP RISE / Cloud ERP environments where configuration, compliance, and threat conditions change over time.

At a business level, it supports three outcomes:

  1. Continuous monitoring against current hardening requirements: Automated checks against SAP security baselines help identify non-compliance as SAP standards evolve, rather than relying on periodic manual reviews.
  2. Reduced risk from compliance drift: Ongoing visibility into configuration posture helps prevent gradual degradation of security controls due to system change, integration expansion, or operational turnover.
  3. Improved audit and support readiness: Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective engagement during incidents and escalations.

This approach acknowledges the operational reality emphasized by the report: compliance is a moving target, and organizations need a sustainable mechanism to remain aligned to SAP’s required security standards.

Key Takeaways

The most significant security issue identified in the SAPinsider RISE with SAP 2025 report is customer non-compliance. A majority of organizations are not fully executing their responsibilities under the shared security model, and the most consequential example is failure to comply with SAP’s mandatory hardening requirements documented in SAP notes. Because these requirements evolve over time, compliance must be treated as an ongoing operational discipline—supported by clear accountability, continuous monitoring, and repeatable remediation processes—to reduce operational, legal, and reputational risk in SAP Cloud ERP Private environments.

The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at SAPinsider.

SAP Security Notes, December 2025

Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels for Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the relevant vulnerable remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommission Solution Manager (SolMan) installations. The end of maintenance for SolMan is scheduled for December 31, 2027. SolMan is no longer required for the Cybersecurity Extension for SAP.

Hot news note 3685286 addresses a critical deserialization vulnerability in SAP jConnect – SDK for ASE (CVE-2025-42928). The vulnerability can be exploited by attackers to execute malicious code. The solution disables the serialization and deserialization of vulnerable input values in the SAP jConnect JDBC driver. The note includes patches for SAP ASE versions 16.0 and 16.1.

Hot news note 3683579 delivers fixes for multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754 and CVE-2025-55752).

Note 3684682 addresses a high risk information disclosure vulnerability in the SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878). The vulnerability can lead to the exposure of internal testing interfaces that are not intended for production. The parameter icm/HTTP/icm_test_<x> should be removed from system profiles to mitigate the vulnerability. This includes DEFAULT and instance profiles.
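As an added example (not code from the note or from Layer Seven Security), the following Python scans the text of SAP profile files for the `icm/HTTP/icm_test_<x>` parameters that note 3684682 says should be removed; the profile contents and the parameter values in it are constructed, and the check assumes the plain line-oriented `name = value` profile syntax.

```python
"""Scan SAP profile files (DEFAULT and instance profiles) for the
icm/HTTP/icm_test_<x> parameters that note 3684682 says should be removed.
Added example, not from the note; the profile contents are constructed."""

import re

# Assumption: the plain line-oriented profile syntax "name = value", with lines
# starting with '#' as comments. Values may themselves contain '=' (e.g. PORT=),
# so the parameter name is taken up to the first '='.
_PARAM_LINE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")
# Matched case-insensitively as a conservative choice.
_ICM_TEST = re.compile(r"^icm/HTTP/icm_test_\w+$", re.IGNORECASE)

# Constructed sample profiles (names and parameter values are illustrative only).
SAMPLE_PROFILES = {
    "DEFAULT.PFL": "\n".join([
        "# constructed DEFAULT profile",
        "SAPSYSTEMNAME = S4D",
        "icm/HTTP/icm_test_0 = PREFIX=/sap/icm_test",
    ]),
    "S4D_D00_host": "\n".join([
        "# constructed instance profile",
        "icm/server_port_0 = PROT=HTTP,PORT=8000",
        "icm/HTTP/ICM_TEST_1 = PREFIX=/icm_test",
        "login/password_expiration_time = 90",
    ]),
    "S4D_ASCS01_host": "SAPSYSTEMNAME = S4D\n",
}


def find_icm_test_parameters(profile_text: str) -> list:
    """Return (line_no, name, value) for each icm/HTTP/icm_test_<x> entry."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _PARAM_LINE.match(line)
        if not m:
            continue  # blank or non-parameter line
        name, value = m.group(1), m.group(2)
        if _ICM_TEST.match(name):
            findings.append((line_no, name, value))
    return findings


def check_profiles(profiles: dict) -> dict:
    """Map profile name -> findings, for every profile that still carries the parameter."""
    report = {}
    for name, text in profiles.items():
        hits = find_icm_test_parameters(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for profile, hits in check_profiles(SAMPLE_PROFILES).items():
        for line_no, name, value in hits:
            print(f"{profile}:{line_no}: remove {name} = {value}")
```

The check must be run against every profile in the landscape, since the parameter can live in DEFAULT.PFL or in any instance profile.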

Note 3677544 patches a memory corruption vulnerability in SAP Web Dispatcher, ICM and SAP Content Server (CVE-2025-42877).

Note 3640185 fixes a denial-of-service (DoS) vulnerability in the remote service for Xcelsius in SAP NetWeaver (CVE-2025-42874). The service allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control.

Note 3672151 patches a missing authorization check impacting the General Ledger in the Financial module of SAP S/4HANA (CVE-2025-42876). The vulnerability could enable an attacker with access to a single company code to read sensitive data and post or modify documents across all company codes.

What’s New in the Cybersecurity Extension for SAP Version 2.0

Building upon the successful release of the initial version of the NetWeaver Edition of the Cybersecurity Extension for SAP earlier this year, Layer Seven Security is pleased to announce the upcoming availability of version 2.0. The new release includes important enhancements including support for SAP NetWeaver AS Java, anomaly detection to identify unusual or suspicious activity, the addition of more than 400 new threat detection patterns, and updates for SAP compliance frameworks including the SAP Security Baseline, S/4HANA Security Guide, and mandatory security requirements for SAP RISE / Cloud ERP. The enhancements significantly improve protection for business-critical SAP solutions against advanced cyber threats.

SAP NetWeaver AS Java

The new release of the Cybersecurity Extension for SAP provides coverage for SAP NetWeaver AS Java solutions such as the SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (SAP IdM). Version 2.0 supports vulnerability management for AS Java systems including components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). It also supports the automated discovery of relevant SAP Security Notes for AS Java systems. This includes SAP Java notes for Known Exploited Vulnerabilities (KEV) reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Finally, the new release supports monitoring of AS Java logs to detect and alert on security incidents such as user and role changes, system changes, calls to vulnerable servlets including the invoker servlet, and patterns to detect the potential exploitation of AS Java vulnerabilities such as RECON, Log4J and the recent vulnerability detailed in CVE-2025-31324, impacting the SAP NetWeaver Visual Composer Metadata Uploader.

Anomaly Detection

Anomaly detection is a powerful method for detecting potential zero-day attacks without known signatures, brute force attacks, and advanced persistent threats that are difficult to detect using conventional pattern matching techniques. It can also detect insider threats such as privilege abuse or escalation, fraud, and suspicious user actions that deviate from normalized patterns of behavior. Although the Solution Manager Edition of the Cybersecurity Extension for SAP supported anomaly detection for SAP solutions, this feature was not included in the initial release of the NetWeaver Edition. Version 2.0 includes full enablement of anomaly detection in the NetWeaver Edition.

Threat Detection

Version 2.0 of the Cybersecurity Extension for SAP includes a significant increase in the volume of threat detection patterns for SAP solutions. It delivers more than 400 new patterns to detect Indicators of Compromise (IOC) in various SAP logs. This includes calls to vulnerable function modules and reports, suspicious file downloads, access to critical tables, directory traversal exploits, and dangerous transaction starts. The addition strengthens the position of the Cybersecurity Extension for SAP as the leading threat detection solution for SAP solutions in terms of coverage. The most recent version of the solution includes more than 1500 threat detection patterns. In comparison, the current version of SAP Enterprise Threat Detection (ETD) includes approximately 200 patterns.

SAP Security Compliance

The Cybersecurity Extension for SAP automates compliance audits for SAP solutions. The solution discovers compliance gaps against multiple security frameworks including GDPR, NIST, SOX and PCI-DSS. It also monitors compliance with SAP security standards such as the SAP Security Baseline, the Security Guide for SAP S/4HANA, and mandatory security requirements for SAP RISE / Cloud ERP solutions defined by SAP Enterprise Cloud Services (ECS). Version 2.0 aligns compliance checks with the latest SAP benchmarks. This includes version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions defined in the latest version of note 3250501, the new version extends coverage for SAP RISE / Cloud ERP checks to include SAP HANA and SAP AS Java solutions. The requirements for these areas are defined in SAP notes 3480723 and 3381209.

What to Expect in Version 3.0

Key updates for the next release of the NetWeaver Edition of the Cybersecurity Extension for SAP include:

  • Support for SAP BTP and SAP Cloud Connector
  • Support for SAProuter and Web Dispatcher
  • Support for RHEL & SUSE OS monitoring including vulnerability scanning and log monitoring
  • Email notifications for security alerts
  • Report automation including scheduling and distribution

The updates will align the capabilities of the NetWeaver Edition with the Solution Manager Edition, enabling existing customers to transition smoothly to the latest platform without any loss in coverage or functionality.

Looking Ahead to 2026

Next year’s roadmap for the Cybersecurity Extension for SAP includes planned enhancements that will improve the user experience and reinforce its standing as the leading cybersecurity solution for SAP systems. This includes:

  • Support for SAP SuccessFactors
  • Support for SAP S/4HANA Public Edition
  • Data Loss Protection (DLP) including threat detection patterns and alerts for unauthorized access to sensitive data in SAP solutions
  • Extended checks for critical access and segregation of duties in SAP S/4HANA including a dedicated application to support cross-application user access and role analysis

We extend our best wishes for a Happy Thanksgiving to our customers in the United States and look forward to supporting you in the months ahead.

SAP Security Notes, November 2025

Hot news note 3666261 patches a critical code execution vulnerability in SAP SQL Anywhere. The correction removes the SQL Anywhere Monitor. The note recommends switching to the SQL Anywhere Cockpit for database administration.

Hot news note 3668705 addresses a code injection vulnerability in SAP Solution Manager arising from missing input validation for a vulnerable remote-enabled function module. The correction removes the vulnerability by sanitizing input entry, including rejecting some non-alphanumeric characters.

Note 3660659 was updated for a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. Corrections now include the prerequisite note 3670067 to increase the character limit in configuration values for VM properties. Additional hardening suggestions for optional classes and packages were also added to the note.

Note 3633049 patches a high-risk memory corruption vulnerability in CommonCryptoLib – the SAP Common Cryptographic Library (CCL). CCL supports encryption, validation of digital certificates, and other functions in SAP solutions including NetWeaver AS ABAP and SAP HANA. The vulnerability can be exploited by attackers to trigger a denial of service. The correction improves boundary checks to prevent buffer overflows. CommonCryptoLib installations should be upgraded to version 8.5.60 or higher. CCL is also bundled in some SAP components, and these components should be upgraded as well to address the vulnerability. Note 3628110 includes details of the relevant components and recommended versions.

Penetration Testing for SAP RISE / SAP Cloud ERP

As enterprises increasingly migrate to S/4HANA Cloud platforms as part of SAP RISE/ Cloud ERP transformations, the need to secure these mission-critical environments has never been greater. SAP cloud solutions manage essential financial, operational, and human resource data, forming the digital backbone of organizations. While SAP provides a robust infrastructure with built-in security controls, customers are responsible for securing their own configurations, integrations, and extensions as part of a shared model of responsibility for security. Penetration testing is therefore a critical step in validating the effectiveness of these security measures.

Cloud ERP systems expand the traditional attack surface by integrating with third-party applications, partners and APIs. Even a single insecure interface or misconfigured role can allow unauthorized access to sensitive data or processes. Penetration testing provides a proactive mechanism to identify such weaknesses before they are exploited. It helps to verify cloud configurations meet security best practices, network segmentation is properly enforced, and custom developments or business add-ons do not introduce vulnerabilities.

Regular penetration testing validates that monitoring and alerting tools are capable of detecting and containing cyber threats. For organizations subject to compliance frameworks such as SOX, GDPR, or ISO 27001, penetration testing also provides essential evidence of due diligence.

A typical penetration test for SAP RISE / Cloud ERP follows a structured methodology:

Planning and Scoping
The testing team works with business and IT stakeholders to define the scope including systems, integrations, network zones, and user roles. This stage also includes obtaining formal approval from SAP ECS (Enterprise Cloud Services) to perform testing in RISE environments.

Coordination with SAP ECS
Although penetration tests are performed by external security service providers, they must be closely coordinated with SAP ECS. Because SAP RISE / Cloud ERP environments are managed by SAP ECS, customers cannot conduct testing independently. Instead, a Penetration Test Request must be submitted through the SAP support portal under component BC-OP-RC-ECS, typically at least six weeks in advance. The request must specify:

  • The purpose and objectives of the test
  • The systems or tenants involved
  • The testing provider (internal or external)
  • Expected timeline and test methods

SAP ECS reviews the request to ensure that testing will not affect shared infrastructure or violate service-level agreements. Once approved, SAP coordinates scheduling, network access, and monitoring to support the testing.

Rules of Engagement for SAP RISE
SAP enforces specific Rules of Engagement (RoE) for all penetration tests in RISE / Cloud ERP environments. Key requirements include:

  • Testing is permitted only for customer-managed layers. This includes application configuration, extensions, and custom code. Direct testing of the SAP-managed infrastructure or platform components is not permitted.
  • Testing must be non-disruptive and conducted within agreed maintenance windows. Denial-of-service (DoS) or destructive payloads are prohibited.
  • All vulnerabilities discovered must be reported confidentially to SAP ECS, following SAP’s responsible disclosure process.
  • External testers must sign SAP’s Non-Disclosure and Penetration Test Agreement before gaining access.

Assessment and Exploitation
Authorized testers use both automated tools and manual techniques to identify vulnerabilities in application configurations, user privileges, and exposed interfaces. This may include attempts to escalate privileges, bypass access controls, or extract sensitive data within approved boundaries.

Reporting and Remediation
The final report details vulnerabilities, their risk levels, and recommended mitigation steps. SAP ECS may review findings that affect managed components, while customer teams focus on remediating application-layer issues.

Penetration testing is an indispensable component for ensuring the resilience of SAP systems and components in RISE / Cloud ERP environments. By simulating attack scenarios, it provides tangible assurance that security controls are effective and vulnerabilities are promptly addressed. When performed in coordination with SAP ECS under formal rules of engagement, penetration testing not only strengthens the customer’s security posture but also reinforces the shared-responsibility model that underscores SAP’s cloud ecosystem. Regular, well-governed testing ensures that organizations maintain the confidentiality, integrity, and availability of their most critical SAP resources in the cloud.

Layer Seven Security is an approved SAP Services Partner. We offer a range of services and solutions to help secure SAP solutions in RISE/ Cloud ERP. This includes Penetration Testing for SAP and automated audits to identify compliance gaps against mandatory security and hardening requirements for SAP RISE/ Cloud ERP solutions defined by SAP ECS.

SAP Security Notes, October 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. The vulnerability can be exploited by attackers to execute arbitrary OS commands. The patch updates the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module. As a workaround, network access to the P4 and P4S ports in AS Java should be restricted.

Hot news note 3660659 addresses another insecure deserialization vulnerability in AS Java. The correction in the note blocks vulnerable JDK and third-party classes to prevent exploitation of the vulnerability. A workaround is included in the note for older versions of AS Java that are no longer maintained by SAP. The workaround involves applying the parameter jdk.serialFilter to restrict which classes can be deserialized.

Note 3630595 fixes a high-risk directory traversal vulnerability in SAP Print Service (SAPSprint). The correction in the note improves validation for path information provided by users to prevent attackers traversing parent directories and compromising system files.

Note 3647332 patches an unrestricted file upload vulnerability in SAP Supplier Relationship Management. The note enhances checks for MIME types and file extensions to prevent the uploading of malicious files such as malware.

Other important security fixes include note 3664466 for a denial of service vulnerability in SAP Commerce Cloud and note 3658838 for a code execution vulnerability arising from insecure versions of Apache CXF libraries in SAP Data Hub Integration Suite that can be exploited to supply malicious RMI/LDAP endpoints.

Workarounds for SAP Security Notes

Corrections for Common Vulnerabilities and Exposures (CVEs) impacting SAP solutions are delivered via patch day notes and support packages released through the SAP Support Portal. In most cases, the corrections include automated fixes that are applied as updates or upgrades for impacted software components. Applying the automated fixes is the preferred method for addressing SAP CVEs. However, in some cases, it may not be possible to apply an automated fix. The corrections may have adverse side effects such as disabling or removing required services, programs or features. There may also be challenges related to applying prerequisite notes required to implement corrections. Corrections may require extensive testing or downtime, and it may not be possible to allocate the resources or schedule maintenance windows. Lastly, customers may not have access to corrections if, for example, their SAP solutions are supported and maintained by third parties instead of SAP.

For these reasons, it is often necessary to identify and apply workarounds for SAP CVEs. While SAP provides workarounds for some CVEs, primarily for critical hot news security notes, the majority of SAP CVEs do not include workarounds. However, it is often possible to identify potential workarounds by analysing the details of each note. Often details of impacted programs, reports, function modules, services, or other objects are reported in the Symptom and Solution sections of notes. Object names may also be disclosed in supporting FAQs for security notes, if available.

The Common Vulnerability Scoring System (CVSS) section of a note may also include indicators for potential workarounds. SAP provides a CVSS score for each note based on the values for each metric in the framework. The values are included in the CVSS section, and the vector string that carries the value for each metric is also disclosed in CVE databases. A value of Local (L) for Attack Vector (AV) indicates that local access is required to exploit the vulnerability. In this case, network and host firewalls may be sufficient to block external access to SAP ports and services. The value High (H) for Privileges Required (PR) indicates that administrative privileges are required, so restricting administrative access may mitigate the vulnerability.

Network filtering using firewalls and managing roles and authorizations are examples of workarounds that can be applied to address SAP CVEs. Other actions may include disabling vulnerable objects, and modifying system settings such as profile parameters to harden SAP systems and eliminate or lessen the exposure to vulnerabilities.

Monitoring and responding to indicators of compromise may also mitigate the risk of some CVEs. Based on the analysis of SAP notes, it may be possible to build and apply patterns for SAP logs using SIEM solutions to detect and alert for the potential exploitation of CVEs.

The Cybersecurity Extension for SAP automates the discovery of required SAP security notes based on the installed software components and versions in each relevant system. It also includes workarounds for notes where customers are not able to implement automated corrections from SAP. The solution also includes patterns for detecting and alerting on the exploitation of SAP CVEs. Alerts can be forwarded to SIEM solutions for centralized security monitoring and incident response.

SAP Security Notes, September 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to execute arbitrary OS commands that could lead to the full compromise of AS Java systems. As a result, the vulnerability has a CVSS rating of 10/10. Since the vulnerability impacts the proprietary SAP P4 protocol, the patch provided in note 3634501 enforces secure deserialization and restricts the acceptance of untrusted Java objects via the RMI-P4 module. Workarounds are also provided in the note to bind the P4 listening port to specific authorized hosts. This is performed using the HOST field of profile parameter icm/server_port_<xx>. Restricting client connections to the ICM is also recommended using an Access Control List (ACL), which is specified with the same parameter. The path of the ACL file should be defined using the ACLFILE option of icm/server_port_<xx>. Entries in the ACL file use the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

The following deny entry is recommended as the last rule in the ACL.

deny   0.0.0.0/0           # deny the rest

Hot news note 3643865 removes an unrestricted file upload vulnerability in AS Java that could be exploited to execute malicious code in uploaded files. The vulnerability impacts all versions of AS Java. However, the note only provides a fix for specific support pack levels of version 7.50, since earlier versions are no longer maintained by SAP. For earlier versions, Knowledge Base Article (KBA) 3646072 includes a workaround for the vulnerability that involves disabling the vulnerable Deploy Web Service component by adding a startup filter.

Hot news note 3627373 provides a solution for a missing authentication check in SAP NetWeaver installations using IBM i operating systems. Installations using other operating systems are not affected by the vulnerability. SAP System IDs (SIDs) are impacted if they share the same logical partition (LPAR) with other SIDs. Therefore, a possible workaround is to place SIDs in separate LPARs. This prevents the sharing of server resources such as CPU, memory and storage across multiple virtualized environments.

Notes 3635475 and 3633002 patch high-priority input validation vulnerabilities in SAP S/4HANA and SAP Landscape Transformation. The vulnerabilities could be exploited to delete the contents of database tables that are not protected by authorization groups.

Other high priority notes include note 3581811 for a directory traversal vulnerability in SAP NetWeaver and note 3642961 for an information disclosure vulnerability in SAP Business One.