Layer Seven Security

SAP Security Notes, July 2025

There are multiple hot news notes released in July for insecure deserialization vulnerabilities in SAP NetWeaver AS Java solutions and components. The vulnerabilities arise from the processing of untrusted user-provided serialized data without adequate input validation, which can lead to malicious code execution and authentication bypass. Notes 3610892, 3621236, 3620498 and 3621771 correct deserialization vulnerabilities in the XML Data Archiving Service, Enterprise Portal Administration, Federated Portal Network, and the Log Viewer, respectively. Workarounds are provided where available, including instructions for disabling the LogViewer. Note that after the LogViewer is disabled, log files can still be analyzed directly in the file system or using the SAP Management Console (SAP MMC).

Note 3578900 addresses an insecure deserialization vulnerability in the Live Auction Cockpit of SAP Supplier Relationship Management (SRM). The CVSS score for the vulnerability is rated 10.0. The note also addresses other lower-priority vulnerabilities in SRM including XML External Entity (XXE), Cross-site Scripting (XSS), Open Redirect, and Information Disclosure.

Note 3618955 patches a critical code injection vulnerability in SAP S/4HANA and SAP SCM that could enable attackers to take full control of the SAP solutions through the creation and execution of reports containing malicious code.

Note 3623440 introduces additional authorization checks using object S_RZL_ADM with activity 01 to remove a vulnerability that could lead to an escalation of privileges in SAP NetWeaver AS ABAP.

Note 3623255 applies authorization checks using object SCRMMW for a vulnerable function module that could be exploited to trigger a denial of service in SAP Business Warehouse (BW).

Other important notes include 3565279, which updates outdated versions of Apache Struts bundled with SAP BusinessObjects Business Intelligence (BOBJ) that are affected by an insecure file operations vulnerability, and 3610591, which fixes a directory traversal vulnerability in SAP NetWeaver Visual Composer.

What’s New in the Cybersecurity Extension for SAP, Version 5.3

The new release of the Cybersecurity Extension for SAP (CES) is in general availability and includes several important enhancements for SAP vulnerability management and threat detection.

Version 5.3 includes patterns for detecting indicators of compromise in the SAP Cloud Connector. The Cloud Connector is an on-premise agent that links SAP BTP applications with on-premise SAP systems. Acting as a reverse invoke proxy, it lets BTP services reach internal systems over a connection that the Connector itself opens outbound, so the systems are not exposed to direct external access. The new release of CES includes alerts for security-related events in the Cloud Connector, including configuration changes, changes to the Administrator account and its password, changes to connected BTP subaccounts and backend systems, activation of traces, changes to logging and auditing settings, role changes and role grants to users, changes to certificates, LDAP and SNC settings, application changes, remote logins, and cloud transports. The alerts can be integrated with SIEM solutions for centralized monitoring.

The new release also supports concurrent compliance analysis for multiple systems and includes updates for the SAP RISE, SAP Security Baseline and HIPAA frameworks. Mandatory security parameters and hardening requirements for SAP RISE customers were updated by SAP Enterprise Cloud Services (ECS) in June.

Version 5.3 includes the emergency updates that were released earlier for CVE-2025-31324. This includes patterns for the detection of attempted and successful exploitation of the zero-day vulnerability in SAP AS Java.

Extended checks have been introduced for the execution and logging of OS commands performed using the sapxpg program. sapxpg is the SAP program that starts external programs and commands at the operating system level on behalf of the application server, for example the external OS commands that are maintained in transaction SM69 and executed through transaction SM49 or the function module SXPG_COMMAND_EXECUTE.

Finally, version 5.3 includes checks for the discovery of out-of-maintenance software components in SAP solutions. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11 2019 and extended the previous coverage period for support packages from 18 months. There are some exceptions to the rule, including SAP HANA, BW/4HANA, and SAP Kernel. The impact of the rule is that software components patched up to SP levels where the support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.

SAP Security Notes, June 2025

Hot news note 3600840 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The vulnerability is due to the failure to check the RFC start authorization S_RFC for transactional (tRFC) and queued RFC (qRFC) calls during the playback of recorded RFCs. It impacts Kernel versions 789, 793, 914 and 915 for AS ABAP. Note 3600840 applies additional authorization checks for tRFC and qRFC calls to address the vulnerability. The note is supported by Knowledge Base Article (KBA) 3601919. According to the KBA, once the note and Kernel patches are applied, the event ID FU6 should be activated in the security audit log. FU6 will capture RFC scenarios that require the additional RFC authorizations. The checks for the authorizations should be activated by setting profile parameter rfc/authCheckInPlayback to 1 after the required user permissions are updated.

Note 3609271 addresses a high-risk information disclosure vulnerability in SAP GRC that could enable attackers to modify system credentials using an SMB relay attack. The vulnerability impacts the Access Control (AC) plugin of SAP GRC.

Note 3606484 provides corrections for SAP Business Warehouse (BW) to prevent attackers from dropping arbitrary SAP tables, resulting in the loss of database records. The corrections remove vulnerable code in the impacted RFC function module.

Note 3610006 patches multiple memory corruption and session management vulnerabilities in the SAP Master Data Management (MDM) Server. The session management corrections include randomized generation of session tokens.

Note 3560693 applies input validation to address a stored cross-site scripting vulnerability in BI Workspace within SAP BusinessObjects Business Intelligence.

SAP Vulnerability Actively Exploited by Ransomware Groups and Threat Actors

CVE-2025-31324, the zero-day vulnerability in SAP NetWeaver, was officially added to the Known Exploited Vulnerabilities (KEV) catalog by the United States Cybersecurity and Infrastructure Security Agency (CISA) on April 29. CVE-2025-42999 was also added to the KEV catalog on May 15. Both CVEs cover critical vulnerabilities in the Visual Composer framework in SAP NetWeaver Java.

The vulnerabilities were added to the catalog based on evidence of active exploitation by threat actors reported by security researchers. The evidence indicates that exploitation attempts began in February this year. Some organizations have observed successful exploitation from March. On May 8, Forescout reported exploitation attempts for CVE-2025-31324 originating from China. On May 18, ReliaQuest confirmed that the Russian ransomware group BianLian and another ransomware operator called RansomEXX were actively targeting the vulnerability. According to ReliaQuest, “The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses.”

SAP notes 3594142 and 3604119 and the supporting Knowledge Base Articles (KBAs) provide patches for supported versions of SAP NetWeaver Java. Manual instructions are provided in the notes for unsupported versions. Disabling the Visual Composer or the Development Server application is no longer the recommended solution. The components should be removed by following the instructions in option 0 of KBA 3593336.

The Cybersecurity Extension for SAP detects SAP solutions vulnerable to CVE-2025-31324 and CVE-2025-42999. It also detects and alerts for attempted and successful exploitation of the vulnerabilities based on relevant signatures and indicators of compromise.

SAP Security Notes, May 2025

Hot news note 3594142 patches a critical missing authorization check in the development server of Visual Composer within SAP NetWeaver Application Server Java (AS Java). The note addresses CVE-2025-31324, a zero-day vulnerability discovered and reported by ReliaQuest on April 22. The note includes a correction for specific support packages of version 7.50 of AS Java. Workarounds are detailed in the Knowledge Base Article (KBA) 3593336 for earlier versions that are no longer maintained by SAP. The recommended workaround is the complete removal of the Visual Composer Metadata Uploader application using a telnet connection or the NetWeaver Development Studio. An Access Control List (ACL) in the ICM and/or network firewall rules can be applied to limit access to the Visual Composer if the component is required in AS Java systems. The steps are detailed in the KBA.

The corrections for CVE-2025-31324 can also be applied through note 3604119, which addresses a deserialization vulnerability in the Visual Composer. The note should be applied irrespective of the implementation status of note 3594142.

Note 3600859 disables a vulnerable remote-enabled function module in S/4HANA that can be exploited by threat actors to replace SAP programs including standard ABAP programs. The function module is not used by standard SAP processes. Calls to the function module will generate a dump after the correction in the note is applied.

Note 3578900 patches multiple vulnerabilities in SAP Supplier Relationship Management (SRM), including blind XML External Entity (XXE), reflected Cross-Site Scripting (XSS), and information disclosure. The vulnerabilities are due to a deprecated Java Applet used by SRM Live Auction.

Notes 3591978 and 3483344 provide corrections for high-priority missing authorization checks in SAP Landscape Transformation and SAP PDCE, respectively.

SAP Zero Day Vulnerability CVE-2025-31324 / Security Note 3594142

On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability in the Metadata Uploader endpoint (/developmentserver/metadatauploader) within the Development Server of the Visual Composer component in SAP NetWeaver Java. The endpoint accepted unauthenticated POST requests containing a file, which attackers used to write JSP webshells into the directory j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, from where the portal serves them over HTTP. The webshells enabled threat actors to execute remote commands and obtain full control of SAP systems with the privileges of the SAP operating system user <sid>adm, the account under which the AS Java processes run.
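The two indicators described above (POST requests to the Metadata Uploader and JSP files appearing in the irj web root) can be checked with a few lines of code. The following is an added example, not code from ReliaQuest, SAP or Layer Seven Security. It assumes the HTTP access log is in Common Log Format (the real layout of the ICM access log is set by the LOGFORMAT option of the icm/HTTP/logging_<n> parameter, and a reverse proxy or WAF log may differ, so adjust the regex) and that the web root is located under the path quoted above. The log lines in the block are constructed for the example; the finding labels and function names are the author's own.

```python
"""Minimal detector for the two CVE-2025-31324 exploitation indicators:
unauthenticated POSTs to the Visual Composer Metadata Uploader, and JSP
webshells in the irj web root.  Added example, not SAP or vendor code.

Assumptions: access log in Common Log Format; web root path as below.
"""
import re
from pathlib import Path

UPLOADER_PATH = "/developmentserver/metadatauploader"          # vulnerable endpoint
WEB_ROOT_SUFFIX = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"  # assumed path

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real system).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [22/Apr/2025:10:15:31 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 63
203.0.113.7 - - [22/Apr/2025:10:15:40 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 210
10.0.0.9 - - [22/Apr/2025:10:16:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
this line is deliberately unparseable
"""


def classify_request(method, path, status):
    """Return a finding label for one request, or None if it looks benign."""
    url = path.split("?", 1)[0].lower()
    if url.startswith(UPLOADER_PATH):
        if method == "POST" and status.startswith("2"):
            # A patched or ACL-protected endpoint answers 401/403 to an
            # unauthenticated POST; a 2xx means the upload was accepted.
            return "uploader_post_accepted"
        return "uploader_post_blocked" if method == "POST" else "uploader_probe"
    # Files dropped into irj/root are served directly under /irj/.  Baseline
    # this against a known-good system before alerting on it in production.
    if re.fullmatch(r"/irj/[^/]+\.jsp", url):
        return "jsp_in_irj_root_requested"
    return None


def analyze_access_log(text):
    """Return (host, method, path, status, label) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not alerted on
        label = classify_request(m["method"], m["path"], m["status"])
        if label:
            findings.append((m["host"], m["method"], m["path"].split("?", 1)[0],
                             m["status"], label))
    return findings


def flag_jsp_files(paths):
    """From a list of file paths, return the JSP files anywhere under the irj
    web root.  Compare the result with a known-good instance: the directory
    is where the reported webshells were written."""
    flagged = []
    for p in paths:
        pp = Path(p)
        if pp.suffix.lower() in (".jsp", ".jspx") and WEB_ROOT_SUFFIX in pp.parent.as_posix():
            flagged.append(pp.as_posix())
    return flagged


def list_web_root(instance_dir):
    """Enumerate all files under the irj web root of one AS Java instance."""
    root = Path(instance_dir) / WEB_ROOT_SUFFIX
    return [p.as_posix() for p in root.rglob("*") if p.is_file()]


if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_ACCESS_LOG):
        print(*finding)
    # On a live system: flag_jsp_files(list_web_root("/usr/sap/<SID>/J<nn>"))
```

Run against the constructed sample, the detector reports the accepted upload from 203.0.113.7, the follow-up request to a JSP in the web root from the same address, and the blocked POST from 10.0.0.9; the blocked request is still worth recording, because it shows who is probing the endpoint.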

The vulnerability was reported to SAP by ReliaQuest. SAP disclosed the vulnerability as CVE-2025-31324 on April 24 and released a patch in security note 3594142. The CVSS score for the CVE is 10.0 and the security note is rated hot news. The patch applies authentication and authorization to prevent unauthorized access and file upload.

Security note 3594142 provides an automated correction for version 7.50 of the Visual Composer Framework in NetWeaver Java systems. In accordance with the general SAP maintenance strategy, patches are only provided for support packages released within the last 24 months. Please refer to The 24-Month Rule for SAP Security Patching for more information regarding the strategy. Versions 7.0-7.40 of SAP NetWeaver Java are no longer maintained by SAP. Mainstream maintenance for version 7.50 is available until the end of 2027. Extended maintenance will be offered until the end of 2030.

Visual Composer is available in all 7.x versions of SAP NetWeaver Java. Manual instructions are provided for versions lower than 7.50 in KBA 3593336. The recommended solution is to remove the vulnerable component by following the instructions in option 0 of the KBA. If the component is required, you can block access to the Development Server of the Visual Composer using either Access Control Lists (ACLs) defined for the Internet Communication Manager (ICM) or URL restrictions implemented using firewall rules.

Layer Seven Security has released an update for the Cybersecurity Extension for SAP to enable the detection of attempted and successful exploitation of CVE-2025-31324 in SAP NetWeaver Java Systems. This includes POST requests to the vulnerable component and discovering the presence of malicious files in target directories. The solution also checks version information for SAP NetWeaver Java to ensure systems are able to apply automated corrections from SAP rather than manual workarounds.  

The 24-Month Rule for SAP Security Patching

Regular patching is critical for protecting SAP software against security vulnerabilities. Security weaknesses are discovered by SAP through internal testing and testing performed by external researchers. The latter disclose vulnerabilities directly to the SAP Product Security Response Team and through the official SAP bug bounty program.

Once a vulnerability is identified or reported, it is validated and reviewed by SAP. Corrective measures can be automated or manual or a combination of both. Corrections are published as SAP security notes on the second Tuesday of each month. SAP provides several tools for discovering, analyzing and implementing required security notes including the SAP Support Portal, Maintenance Planner, System Recommendations, and Note Assistant.

Security notes are rated by SAP based on the severity of each vulnerability. Hot news notes address the most severe vulnerabilities in SAP solutions. Other severities include high, medium and low. SAP also uses the Common Vulnerability Scoring System (CVSS) to rate vulnerabilities. CVSS is a widely used standardized model for assessing vulnerabilities across all software solutions. CVSS scores of 9.0-10.0 and 7.0-8.9 are considered critical and high, respectively; 4.0-6.9 is medium and 0.1-3.9 is low. SAP scores vulnerabilities using CVSS version 3.x. The base score is calculated from a fixed set of metrics: attack vector, attack complexity, privileges required, user interaction, scope, and the impact to data confidentiality, integrity, and availability. The value chosen for each metric is recorded in the vector string published with each vulnerability, so the score can be recomputed and the assumptions behind it reviewed.

SAP is a CVE Numbering Authority (CNA). Most security notes are assigned a unique CVE and published by SAP in CVE databases. Therefore, SAP vulnerabilities are publicly disclosed even though SAP security notes can only be accessed through the SAP support portal. Some information in security notes is not publicly available. This includes details of workarounds where customers cannot or choose not to implement automated corrections. However, the majority of security notes do not include workarounds. Many older SAP security notes do not include a CVE. SAP became a CVE Numbering Authority in late 2017 and therefore older SAP vulnerabilities are not publicly disclosed.

There are two types of security notes, patch day notes and support package notes. Patch day notes address all vulnerabilities reported by external researchers, regardless of severity, and hot news vulnerabilities discovered internally by SAP with a very high (9.0+) CVSS rating. Support package notes address high, medium and low severity vulnerabilities discovered by SAP. Support package notes are implemented via SP fixes or upgrades. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11 2019 and extended the previous coverage period for support packages from 18 months. The impact of the rule is that software components patched up to SP levels where the support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.

There are some exceptions to the 24-month rule. Some SAP products adhere to a product-specific maintenance strategy rather than the general strategy. This includes products such as SAP HANA, BW/4HANA, and SAP Kernel. The maintenance strategy for each product is documented in specific SAP notes. For example, note 2378962 includes the revision and maintenance strategy for SAP HANA version 2.0. HANA Support Package Stacks (SPS) that are out of maintenance are detailed in the note.

The Cybersecurity Extension for SAP automatically discovers software components with SP levels outside the 24-month rule.  It enables customers to track the lifecycle of support packages to ensure software components are patched up to SP levels that are within the SAP maintenance window. Customers are therefore able to apply fixes for all available SAP security notes.

The Cybersecurity Extension for SAP also monitors SAP HANA to identify systems using Support Package Stacks that are out of maintenance, as well as SAP Kernels using outdated Kernel versions.

SAP Security Notes, April 2025

Hot news 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module using RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package referenced in the note for the S4CORE software component.

The vulnerability also impacts standalone SAP Landscape Transformation installations with the DMIS software component. Note 3587115 includes support packages for the relevant DMIS versions.

Hot news note 3572688 addresses a vulnerability that enables attackers to bypass authentication mechanisms to compromise the Admin account in SAP Financial Consolidation. The account is primarily used for initial installation and configuration, supporting system and user administration.

Note 3525794 deals with a high priority information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the leakage of passphrases for user authentication. The support packages included in the note remove access to passphrases from users. A workaround is also included in the note that involves disabling Trusted Authentication in the BOBJ Central Management Console.

Note 3554667 also addresses a high-risk information disclosure vulnerability. Attackers can discover credentials for RFC destinations in SAP NetWeaver AS ABAP using specific RFC calls. The kernel patches included in the note apply the required validation for dynamic destinations to fix the vulnerability. The vulnerability can also be addressed by restricting dynamic RFC destinations, by setting profile parameter rfc/dynamic_dest_api_only to 1. Before changing the parameter, verify that custom code does not rely on dynamic destinations created outside the supported API, since those calls will fail once it is set.

Proposed Changes to the Security Rule for HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that establishes minimum standards for securing Protected Health Information (PHI), including electronic PHI (ePHI). It applies to covered entities such as health plans, health care clearinghouses and health care providers, and to the business associates that store, process or transmit PHI on their behalf.

PHI includes specific personal and health identifiers such as names, email addresses, telephone numbers, significant dates such as dates of birth, social security numbers, medical record numbers, biometric information, and photographic images. While HIPAA is a U.S. law, many other countries have enacted similar rules to safeguard health information. For example, organizations in the European Union must comply with the General Data Protection Regulation (GDPR) to protect health-related personal data. Canadian organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA), which deals with the protection of personal information, including health-related information.

HIPAA standards are defined in three separate Rules for Privacy, Security, and Breach Notification. The Privacy Rule applies to PHI. The Security Rule includes measures to protect the confidentiality, availability and integrity of ePHI. The Breach Notification Rule outlines reporting and disclosure requirements in the event of a breach of PHI or ePHI. Violations of the requirements of the rules can result in fines and civil penalties. Furthermore, the Office for Civil Rights (OCR) is empowered to conduct periodic audits of organizations to confirm compliance with HIPAA standards.

The Security Rule details 18 standards comprising 42 implementation specifications that organizations must comply with to protect ePHI from unauthorized access, modification or disclosure. This includes technical safeguards for authentication, access control, data transmission, encryption and auditing. The technical safeguards apply to all solutions handling ePHI. This can include SAP solutions.

The OCR issued a notice for proposed updates to the HIPAA Security Rule in December last year. The updates are intended to address current and emerging cyber threats. The changes include removing the distinction between required and “addressable” standards. This was used by some organizations to evade compliance. The revised Security Rule will limit exemptions.

The new Security Rule will also mandate vulnerability assessments every 6 months, penetration tests every 12 months, and annual compliance audits. Organizations will need to ensure the timely implementation of security patches and software updates by implementing critical patches within 15 days and high priority patches within 30 days. The Rule will also require the implementation of specific measures for encrypting data at rest and in transit, multi-factor authentication, anti-malware protection, and minimizing the attack surface for information systems. Organizations will also be required to implement technology to support real-time monitoring and incident response for systems.  

The public comment period for the proposed changes to the Security Rule closed earlier this month. The OCR will review all 4,745 comments submitted by organizations and experts. There is currently no timeline for the implementation of the new Security Rule. However, the changes have bipartisan support and therefore are likely to be rolled out soon. Once the updated Rule takes effect, organizations are expected to have 180 days to comply with the new requirements.

The Cybersecurity Extension for SAP automates compliance audits for the technical safeguards of the HIPAA Security Rule. It detects compliance gaps for SAP solutions related to authentication, access control, unapplied security patches, auditing and other standards in HIPAA. The solution also supports compliance assessments for other security frameworks including GDPR, PCI-DSS and NIST, as well as SAP security standards such as the SAP Security Baseline, the S/4HANA Security Guide, and SAP Enterprise Cloud Services requirements for SAP RISE.

The Cybersecurity Extension for SAP performs threat detection for SAP solutions including alerting for suspected security breaches. Alerts can be investigated and reported using built-in incident response procedures. This supports compliance with security monitoring requirements and the Breach Notification Rule of HIPAA.

SAP Security Notes, March 2025

Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM is used to restrict access to programs executed using the transaction. The restriction is based on authorization groups. Therefore, programs must be assigned to authorization groups in order to apply restrictions. The Class Builder is used to create, maintain and test classes for ABAP objects, attributes and methods.

Note 3569602 patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce. The vulnerability arises from insufficient input validation in an open-source library included in SAP Commerce. The note includes a workaround that details steps for removing the use of the vulnerable component or blocking access to the component using network or host firewalls.

Vulnerabilities in open-source components also impact SAP Commerce Cloud. The vulnerabilities are addressed in note 3566851. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to Denial of Service (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316).

Note 3567974 deals with an authentication bypass vulnerability that could be exploited using code injection in SAP Approuter. All SAP Approuter deployments in BTP are affected. SAP recommends updating deployments to version 16.7.2 or higher.

Note 3483344 was updated for components supporting PDCE in S/4HANA that are vulnerable to a missing authentication check. The components include S4CORE, S4COREOP and SEM-BW.