Layer Seven Security

Workarounds for SAP Security Notes

Corrections for Common Vulnerabilities and Exposures (CVEs) impacting SAP solutions are delivered via patch day notes and support packages released through the SAP Support Portal. In most cases, the corrections include automated fixes that are applied as updates or upgrades for impacted software components. Applying the automated fixes is the preferred method for addressing SAP CVEs. However, in some cases, it may not be possible to apply an automated fix. The corrections may have adverse side effects such as disabling or removing required services, programs or features. There may also be challenges related to applying prerequisite notes required to implement corrections. Corrections may require extensive testing or downtime, and it may not be possible to allocate the resources or schedule maintenance windows. Lastly, customers may not have access to corrections if, for example, their SAP solutions are supported and maintained by third parties instead of SAP.

For these reasons, it is often necessary to identify and apply workarounds for SAP CVEs. While SAP provides workarounds for some CVEs, primarily for critical hot news security notes, the majority of SAP CVEs do not include workarounds. However, it is often possible to identify potential workarounds by analysing the details of each note. Often details of impacted programs, reports, function modules, services, or other objects are reported in the Symptom and Solution sections of notes. Object names may also be disclosed in supporting FAQs for security notes, if available.

The section for the Common Vulnerability Scoring System (CVSS) may also include indicators for potential workarounds. SAP provides a CVSS score for each note based on the values for each key in the framework. The values are included in the CVSS section. The vector string that includes values for each key is also disclosed in CVE databases. Values such as Local (L) for Attack Vector (AV) may indicate that local access is required for vulnerability exploitation. In this case, network and host firewalls may be sufficient to block external access to SAP ports and services. The value High (H) for Privileges Required (PR) may suggest that administrative privileges are required and therefore restricting administrative access may mitigate the vulnerability.

Network filtering using firewalls and managing roles and authorizations are examples of workarounds that can be applied to address SAP CVEs. Other actions may include disabling vulnerable objects, and modifying system settings such as profile parameters to harden SAP systems and eliminate or lessen the exposure to vulnerabilities.

Monitoring and responding to indicators of compromise may also mitigate the risk of some CVEs. Based on the analysis of SAP notes, it may be possible to build and apply patterns for SAP logs using SIEM solutions to detect and alert for the potential exploitation of CVEs.

The Cybersecurity Extension for SAP automates the discovery of required SAP security notes based on installed software components and versions in each relevant system. It also includes workarounds for notes where customers are not able to implement automated corrections from SAP.  The solution also includes patterns for detecting and alerting for the exploitation of SAP CVEs. Alerts can be forwarded to SIEM solutions for centralized security monitoring and incident response.

SAP Security Notes, September 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to perform arbitrary OS commands that could lead to the full compromise of AS Java systems. As a result, the vulnerability has a CVSS rating of 10/10. Since the vulnerability impacts the proprietary SAP P4 protocol, the patch provided in note 3634501 enforces secure deserialization and restricts the acceptance of untrusted Java objects via the RMI-P4 module. Workarounds are also provided in the note to bind the P4 listening port to specific authorized hosts. This is performed using the HOST field for profile parameter icm/server_port_<xx>. Restricting client connections to the ICM is also recommended using an Access Control List (ACL), also specified using the same parameter. The path for the ACL file should be defined using the ACLFILE option for icm/server_port_<xx>. Entries in the ACL file should use the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

The following deny entry is recommended as the last rule in the ACL.

deny   0.0.0.0/0           # deny the rest
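An added example, not part of the note or of SAP's own tooling: a small parser and checker for an ICM ACL file in the syntax above. It assumes rules are evaluated top to bottom with the first matching entry applied (which is why the catch-all deny belongs last) and that an address with no matching rule is treated as denied; the ACL contents are constructed for the example.

```python
import ipaddress
import re

# Constructed sample ACL in the syntax <permit | deny> <ip-address[/mask]> [tracelevel] [# comment]
SAMPLE_ACL = """\
# constructed example, not a real landscape
permit 10.10.5.0/24          # application servers
permit 192.168.100.12  2     # admin jump host, trace level 2
deny   0.0.0.0/0             # deny the rest
"""

# action, address[/mask], optional tracelevel, optional trailing comment
LINE_RE = re.compile(r"^(permit|deny)\s+(\S+)(?:\s+(\d+))?\s*(?:#.*)?$", re.IGNORECASE)


def parse_acl(text):
    """Parse ACL text into a list of (action, network, tracelevel) tuples.
    A malformed line raises ValueError so a broken file is never silently accepted."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed ACL entry: {raw!r}")
        action, addr, trace = m.groups()
        # strict=False accepts host bits in a masked entry (e.g. 10.1.2.3/24); assumption
        network = ipaddress.ip_network(addr, strict=False)
        rules.append((action.lower(), network, int(trace) if trace else None))
    return rules


def evaluate(rules, client_ip):
    """Return 'permit' or 'deny' for client_ip using first-match semantics (assumption).
    Falls back to 'deny' when nothing matches, the conservative default."""
    ip = ipaddress.ip_address(client_ip)
    for action, network, _ in rules:
        if ip.version == network.version and ip in network:
            return action
    return "deny"


def lint_acl(rules):
    """Defender checks: the last rule must be a catch-all deny, and no earlier
    catch-all permit may shadow the rules after it."""
    if not rules:
        return ["ACL is empty"]
    findings = []
    last_action, last_net, _ = rules[-1]
    if not (last_action == "deny" and last_net.prefixlen == 0):
        findings.append("last rule is not 'deny 0.0.0.0/0'")
    for index, (action, network, _) in enumerate(rules[:-1], 1):
        if action == "permit" and network.prefixlen == 0:
            findings.append(f"rule {index} permits all addresses and shadows later rules")
    return findings


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for client in ("10.10.5.77", "192.168.100.13", "203.0.113.5"):
        print(client, "->", evaluate(rules, client))
    print("findings:", lint_acl(rules) or "none")
```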

Hot news note 3643865 removes an unrestricted file upload vulnerability in AS Java that could be exploited to execute malicious code in files. The vulnerability impacts all versions of AS Java. However, the note only provides a fix for specific support pack levels of version 7.50. Earlier versions are no longer maintained by SAP. For earlier versions, Knowledge Base Article (KBA) 3646072 includes a workaround for the vulnerability that involves disabling the vulnerable Deploy Web Service component by adding a startup filter.

Hot News note 3627373 provides a solution for a missing authentication check in SAP NetWeaver installations using IBM i operating systems. Installations using other operating systems are not affected by the vulnerability. SAP System IDs (SIDs) are impacted if they share the same logical partition (LPAR) with other SIDs. Therefore, a possible workaround is to place SIDs in separate LPARs. This will prevent the sharing of server resources such as CPU, memory and storage across multiple virtualized environments.

Notes 3635475 and 3633002 patch high-priority input validation vulnerabilities in SAP S/4HANA and SAP Landscape Transformation. The vulnerabilities could be exploited to delete the contents of database tables that are not protected by authorization groups.

Other high priority notes include note 3581811 for a directory traversal vulnerability in SAP NetWeaver and 3642961 for an information disclosure vulnerability in SAP Business One.

Layer Seven Security Named Top SAP Cybersecurity Protection Solution 2025

We are pleased to announce the Cybersecurity Review has selected the Cybersecurity Extension for SAP from Layer Seven Security as the Top SAP Cybersecurity Solution 2025. The international publication with almost 300,000 subscribers worldwide performed a detailed review of several solutions that provide cybersecurity coverage for SAP applications and infrastructure. This included solutions offered by providers such as Onapsis, Security Bridge, and Pathlock, as well as SAP solutions such as Enterprise Threat Detection (ETD) and Code Vulnerability Analyzer (CVA). The criteria included coverage and capabilities for areas such as SAP vulnerability management, compliance reporting, patch management, custom code security, threat detection and response, and anomaly detection.  

Other criteria included certification, deployment complexity and effort, maintenance, customer support, customization, integration with SIEM and incident management solutions, support for SAP RISE customers, user experience, and product roadmap. Licensing cost was also an important criterion given the recent drive for greater efficiency and lower costs in organizations.

The Cybersecurity Extension for SAP emerged as the leading solution across most of the criteria, specifically in areas such as coverage, support and licensing costs.

Coverage – The Cybersecurity Extension for SAP is the only solution in the market that delivers coverage for SAP vulnerability management, compliance reporting, patch management, custom code security, threat detection and response, and anomaly detection through a single integrated solution with a unified license. Other solutions require separate solutions or licenses for modular products. Some vendors such as SAP do not offer solutions for areas such as compliance reporting, patch management and vulnerability management.  

The Cybersecurity Extension for SAP also provides deeper coverage across the domains with higher volumes of checks and patterns for vulnerability and threat detection than competitors.

The ability of the solution to support database and operating system security for SAP systems was also identified as a key differentiator. The Cybersecurity Extension supports full-stack monitoring for SAP systems, whereas most alternative solutions support only the application layer. This provides Layer Seven Security with an advantage in areas such as ransomware protection.

Certification – Earlier versions of the Cybersecurity Extension for SAP were certified for integration with SAP NetWeaver platforms. However, since the certification was discontinued by SAP, the solution is now certified for SAP HANA. The certification is performed by the SAP Integration and Certification Center and includes code reviews and testing performed by SAP.

Deployment Complexity and Effort – The Cybersecurity Extension for SAP benefits from a simplified architecture that does not require additional infrastructure, including servers. This supports rapid deployment. The solution can be deployed as an addon to existing SAP systems including SAP GRC, BW, ECC, and S/4HANA. It can also be deployed to standalone SAP NetWeaver AS ABAP installations. The required addons are installed and configured within a few hours directly by SAP Basis administrators. Alternative solutions require additional servers and complex, time-intensive installation steps.

Maintenance – Content updates are provided by Layer Seven Security every month for new patches, vulnerability checks, and threat detection patterns. The updates can be performed in under 5 minutes with a few simple steps. Addon updates are provided on a quarterly cycle and include functional enhancements. They are applied using standard SAP steps for addon updates.

Customer Support – According to the Cybersecurity Review, customers singled out customer support as one of the strengths of Layer Seven Security. Customers commended the responsiveness of Layer Seven and valued the ability to reach out directly to dedicated engineers and developers without the need to go through regular support channels.

Customization – Layer Seven Security was also acknowledged by customers for their responsiveness to enhancement requests and customizations. Requests were handled promptly and implemented swiftly, often without any additional charges.

SIEM/Incident Management Integration – The Cybersecurity Extension for SAP supports seamless integration with a wide variety of Security Information and Event Management (SIEM) solutions including Splunk, QRadar, Sentinel and LogRhythm. Integration is simple, straightforward, and flexible enough to accommodate multiple scenarios. Integration with service desk solutions such as ServiceNow and Remedy is also supported.

Support for RISE – The addon approach was found to be particularly suitable for SAP RISE scenarios. Customers can deploy and maintain the addon directly to SAP RISE systems without the support of SAP Enterprise Cloud Services (ECS). Furthermore, customers do not need to request the provisioning and maintenance of additional infrastructure from SAP ECS.

User Experience – The Cybersecurity Extension for SAP provides an integrated user interface using SAP Fiori. The Fiori-based applications provide a consistent and intuitive experience for SAP users since they follow the identical design principles of standard SAP applications. SAP users can navigate effortlessly through the solution and extend and personalize the user experience.

Product Roadmap – The three-year roadmap for the Cybersecurity Extension for SAP was found to be well aligned with the evolving needs of SAP customers, particularly in the area of support for SAP cloud services such as BTP, SuccessFactors, and Cloud ALM.

Licensing Costs – Despite the leading position commanded by Layer Seven Security in areas such as coverage, deployment, maintenance, support, and user experience, the Cybersecurity Extension for SAP was found to be one of the most competitively priced solutions in the market. Licensing costs were considerably lower than alternatives including Onapsis and Security Bridge. Licensing was also more transparent and did not include hidden fees and up-charges. Overall, the Cybersecurity Review determined that the Cybersecurity Extension for SAP offered the optimal cybersecurity protection for SAP solutions with the lowest total cost of ownership.

An official announcement by the Cybersecurity Review of the selection of the Cybersecurity Extension for SAP as the official Top SAP Cybersecurity Solution 2025 is expected in the coming weeks. The management team at Layer Seven Security would like to recognize the dedication and efforts of all employees for the acknowledgment and the continued support of our customers and partners.

SAP Security Notes, August 2025

Hot news notes 3581961 and 3627998 patch critical code injection vulnerabilities in SAP S/4HANA. Both notes have CVSS scores of 9.9/10. The vulnerabilities impact the function modules /SLOAP/GEN_MODULE_REPORT and /SLOAE/DEPLOY that can be exploited to install backdoors that bypass authorization checks. The function modules are used for reporting and analysis and are included in S4CORE.

Note 3633838 patches an equally critical code injection vulnerability in the Analysis Platform of SAP Landscape Transformation.

Note 3611184 addresses high risk memory corruption and reflected cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities impact BIC documents used for batch processing. As a workaround, the BIC ICF service can be deactivated using transaction SICF.

Note 3602656 patches a privilege escalation vulnerability in NetWeaver AS ABAP by improving permissions for the barcode interface using authorization object S_WFAR_OBJ.

Note 3601480 provides a kernel patch to prevent the logging of sensitive tokens in HTTP logs for the Internet Communication Manager (ICM) in NetWeaver AS ABAP. The vulnerability can also be addressed by avoiding the use of specific log formats using profile parameter icm/HTTP_logging_0.

Cybersecurity Extension for SAP, NetWeaver Edition

Layer Seven Security is pleased to announce the official release of the Cybersecurity Extension for SAP, NetWeaver Edition. The release enables organizations to secure and monitor business-critical SAP applications without the need for Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and Cloud ALM. The NetWeaver Edition can be deployed directly to SAP NetWeaver AS ABAP systems including SAP GRC, SAP ERP, and SAP S/4HANA.

The Cybersecurity Extension for SAP was originally developed as an addon for SAP ALM platforms. This supported rapid deployment and ease of maintenance since the Extension leveraged existing components and connections in ALM solutions, especially SAP Solution Manager (SolMan). However, SolMan is nearing the end of mainstream maintenance, scheduled for December 31, 2027. Based on this, Layer Seven Security decided in 2024 to redesign the Cybersecurity Extension for SAP to operate independently of SolMan components such as the Extractor Framework, Configuration and Change Database (CCDB), System Recommendations, and the Monitoring and Alerting Infrastructure (MAI) including System Monitoring, as well as SolMan agents such as the Diagnostics Agent (DA). Similar components and agents are used in SAP Focused Run (FRUN). This initiative was completed successfully in July 2025. As a result, the Cybersecurity Extension for SAP can now be deployed to any NetWeaver AS ABAP system, version 7.40 or higher. The solution no longer requires ALM platforms such as SolMan and FRUN.

The NetWeaver Edition is available for all new customers of the Cybersecurity Extension for SAP. Existing customers can migrate to the NetWeaver Edition immediately or at any time before the end of mainstream maintenance for SolMan. The NetWeaver Edition also supports customers in SAP RISE and does not require external connections or integration with SAP Cloud ALM.

The first release of the NetWeaver Edition includes the full suite of core applications for SAP vulnerability management, patch management, custom code security, compliance reporting, and threat detection including security alerting and forensics. It supports all SAP ABAP and HANA solutions and SAP ASE databases. This includes SAP ECC and S/4HANA.

The second release scheduled for September 2025 will extend the coverage to include SAP AS Java, SAP Cloud Connector, SAProuter, SAP Web Dispatcher, and SAP Cloud Services including SAP BTP. It will also include applications such as Anomaly Detection and Trend Analysis.

Full parity between the NetWeaver and SolMan editions of the Cybersecurity Extension for SAP is targeted for December 2025. This includes support for operating system and database security for cross-stack monitoring of SAP systems.

SAP Security Notes, July 2025

There are multiple hot news notes released in July for insecure deserialization vulnerabilities in SAP NetWeaver AS Java solutions and components. The vulnerabilities arise from the processing of untrusted user-provided serialized data without adequate input validation. This can lead to malicious code execution and authentication bypass. Notes 3610892, 3621236, 3620498 and 3621771 correct deserialization vulnerabilities in the XML Data Archiving Service, Enterprise Portal Administration, Federated Portal Network, and the Log Viewer, respectively. Workarounds are provided where available, including instructions for disabling the LogViewer. Note that log files can be analyzed directly in the file system or using SAP Management Console (SAP MMC) after it is disabled.

Note 3578900 addresses an insecure deserialization vulnerability in the Live Auction Cockpit of SAP Supplier Relationship Management (SRM). The CVSS score for the vulnerability is rated 10.0. The note also addresses other lower-priority vulnerabilities in SRM including XML External Entity (XXE), Cross-site Scripting (XSS), Open Redirect, and Information Disclosure.

Note 3618955 patches a critical code injection vulnerability in SAP S/4HANA and SAP SCM that could enable attackers to take full control of the SAP solutions through the creation and execution of reports containing malicious code.

Note 3623440 introduces additional authorization checks using object S_RZL_ADM with activity 01 to remove a vulnerability that could lead to an escalation of privileges in SAP NetWeaver AS ABAP.

Note 3623255 applies authorization checks using object SCRMMW for a vulnerable function module that could be exploited to trigger a denial of service in SAP Business Warehouse (BW).

Other important notes include 3565279, which patches older versions of Apache Struts in SAP BusinessObjects Business Intelligence (BOBJ) that are vulnerable to insecure file operations, and 3610591 for a directory traversal vulnerability in SAP NetWeaver Visual Composer.

What’s New in the Cybersecurity Extension for SAP, Version 5.3

The new release of the Cybersecurity Extension for SAP (CES) is in general availability and includes several important enhancements for SAP vulnerability management and threat detection.

Version 5.3 includes patterns for detecting indicators of compromise in the SAP Cloud Connector. The Connector is an agent that links SAP BTP applications with on-premise SAP systems. As a reverse proxy, it enables internal systems to connect securely with BTP services without exposing the systems to direct external access. The new release of CES includes alerts for security-related events in the Cloud Connector including configuration changes, changes to the Administrator account including passwords, changes to connected BTP subaccounts and backend systems, the activation of traces, settings for logging and auditing, certificates, LDAP, SNC, application changes, remote logins, role changes, role grants to users, cloud transports, and other areas. The alerts can be integrated with SIEM solutions for centralized monitoring.

The new release also supports concurrent compliance analysis for multiple systems and includes updates for the SAP RISE, SAP Security Baseline and HIPAA frameworks. Mandatory security parameters and hardening requirements for SAP RISE customers were updated by SAP Enterprise Cloud Services (ECS) in June.

Version 5.3 includes the emergency updates that were released earlier for CVE-2025-31324. This includes patterns for the detection of attempted and successful exploitation of the zero-day vulnerability in SAP AS Java.

Extended checks have been introduced for the execution and logging of OS commands performed using the sapxpg program. sapxpg is a program controller that executes external programs and commands from SAP at the OS level.

Finally, version 5.3 includes checks for the discovery of out-of-maintenance software components in SAP solutions. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11, 2019 and extended the previous coverage period for support packages from 18 months. There are some exceptions to the rule, including SAP HANA, BW/4HANA, and SAP Kernel. The impact of the rule is that software components patched up to SP levels whose support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.

SAP Security Notes, June 2025

Hot news note 3600840 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The vulnerability is due to the failure to check the RFC start authorization S_RFC for transactional (tRFC) and queued RFC (qRFC) calls during the playback of recorded RFCs. It impacts Kernel versions 789, 793, 914 and 915 for AS ABAP. Note 3600840 applies additional authorization checks for tRFC and qRFC calls to address the vulnerability. The note is supported by Knowledge Base Article (KBA) 3601919. According to the KBA, once the note and Kernel patches are applied, the event ID FU6 should be activated in the security audit log. FU6 will capture RFC scenarios that require the additional RFC authorizations. The checks for the authorizations should be activated by setting profile parameter rfc/authCheckInPlayback to 1 after the required user permissions are updated.

Note 3609271 addresses a high-risk information disclosure vulnerability in SAP GRC that could enable attackers to modify system credentials using an SMB relay attack. The vulnerability impacts the AC Plugin of SAP GRC.

Note 3606484 provides corrections for SAP Business Warehouse (BW) to prevent attackers from dropping arbitrary SAP tables, resulting in the loss of database records. The corrections remove vulnerable code in the impacted RFC function module.

Note 3610006 patches multiple memory corruption and session management vulnerabilities in the SAP Master Data Management (MDM) Server using randomized session token generation.

Note 3560693 applies input validation to address a stored cross-site scripting vulnerability in BI Workspace within SAP BusinessObjects Business Intelligence.

SAP Vulnerability Actively Exploited by Ransomware Groups and Threat Actors

CVE-2025-31324 for the zero-day vulnerability in SAP NetWeaver was officially added to the Known Exploited Vulnerabilities (KEV) catalog by the United States Cybersecurity and Infrastructure Security Agency (CISA) on April 29. CVE-2025-42999 was also added to the KEV catalog on May 15. Both CVEs address critical vulnerabilities in the Visual Composer framework in SAP NetWeaver Java.

The vulnerabilities were added to the catalog based on evidence of active exploitation by threat actors reported by security researchers. The evidence indicates that exploitation attempts began in February this year. Some organizations have observed successful exploitation since March. On May 8, Forescout reported exploitation attempts for CVE-2025-31324 originating from China. On May 18, ReliaQuest confirmed that the Russian ransomware group BianLian and another ransomware operator called RansomEXX were actively targeting the vulnerability. According to ReliaQuest, “The involvement of groups like BianLian and RansomEXX reflects the growing interest in weaponizing high-profile vulnerabilities for financial gain. These developments emphasize the urgent need for organizations to immediately apply patches, monitor suspicious activity, and strengthen defenses.”

SAP notes 3594142 and 3604119 and the supporting Knowledge Base Articles (KBAs) provide patches for supported versions of SAP NetWeaver Java. Manual instructions are provided in the notes for unsupported versions. Disabling the Visual Composer or the Development Server application is no longer the recommended solution. The components should be removed by following the instructions in Option 0 of KBA 3593336.

The Cybersecurity Extension for SAP detects SAP solutions vulnerable to CVE-2025-31324 and CVE-2025-42999. It also detects and alerts for attempted and successful exploitation of the vulnerabilities based on relevant signatures and indicators of compromise.

SAP Security Notes, May 2025

Hot news note 3594142 patches a critical missing authorization check in the development server of Visual Composer within SAP NetWeaver Application Server Java (AS Java). The note addresses CVE-2025-31324, a zero-day vulnerability discovered and reported by ReliaQuest on April 22. The note includes a correction for specific support packages of version 7.50 of AS Java. Workarounds are detailed in the Knowledge Base Article (KBA) 3593336 for earlier versions that are no longer maintained by SAP. The recommended workaround is the complete removal of the Visual Composer Metadata Uploader application using a telnet connection or the NetWeaver Development Studio. An Access Control List (ACL) in the ICM and/or network firewall rules can be applied to limit access to the Visual Composer if the component is required in AS Java systems. The steps are detailed in the KBA.

The corrections for CVE-2025-31324 can also be applied through note 3604119, which addresses a deserialization vulnerability in the Visual Composer. The note should be applied irrespective of the implementation status of note 3594142.

Note 3600859 disables a vulnerable remote-enabled function module in S/4HANA that can be exploited by threat actors to replace SAP programs including standard ABAP programs. The function module is not used by standard SAP processes. Calls to the function module will generate a dump after the correction in the note is applied.

Note 3578900 patches multiple vulnerabilities in SAP Supplier Relationship Management (SRM), including blind XML External Entity (XXE), reflected Cross-Site Scripting (XSS), and information disclosure. The vulnerabilities are due to a deprecated Java Applet used by SRM Live Auction.

Notes 3591978 and 3483344 provide corrections for high-priority missing authorization checks in SAP Landscape Transformation and SAP PDCE, respectively.