On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability in the Metadata Uploader endpoint within the Development Server of the Visual Composer component in SAP NetWeaver Java. The exploitation involved specific POST requests that led to the installation of JSP webshell files in the directory j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/. The webshells enabled threat actors to execute remote commands and obtain full control of SAP systems using the privileges of the SAP operating system user <SID>ADM.
The vulnerability was reported to SAP by ReliaQuest. SAP disclosed the vulnerability as CVE-2025-31324 on April 24 and released a patch in security note 3594142. The CVSS score for the CVE is 10/10 and the security note is rated hot news. The patch applies authentication and authorization to prevent unauthorized access and file upload.
Security note 3594142 provides an automated correction for version 7.50 of the Visual Composer Framework in NetWeaver Java systems. In accordance with the general SAP maintenance strategy, patches are only provided for support packages released within the last 24 months. Please refer to the SAP 24-Month Rule for SAP Security Patching for more information regarding the strategy. Versions 7.0-7.40 of SAP NetWeaver Java are no longer maintained by SAP. Mainstream maintenance for version 7.50 is available until the end of 2027. Extended maintenance will be offered until the end of 2030.
Visual Composer is available in all 7.x versions of SAP NetWeaver Java. Workarounds for versions lower than 7.50 are detailed in KBA 3593336. The workarounds include options for disabling Visual Composer, disabling the application alias for the Development Server, or blocking access to the Development Server using either Access Control Lists (ACLs) defined for the Internet Communication Manager (ICM) or URL restrictions implemented using firewall rules.
Layer Seven Security has released an update for the Cybersecurity Extension for SAP to enable the detection of attempted and successful exploitation of CVE-2025-31324 in SAP NetWeaver Java Systems. This includes POST requests to the vulnerable component and discovering the presence of malicious files in target directories. The solution also checks version information for SAP NetWeaver Java to ensure systems are able to apply automated corrections from SAP rather than manual workarounds.
Regular patching is critical for protecting SAP software against security vulnerabilities. Security weaknesses are discovered by SAP through internal testing and testing performed by external researchers. The latter disclose vulnerabilities directly to the SAP Product Security Response Team and through the official SAP bug bounty program.
Once a vulnerability is identified or reported, it is validated and reviewed by SAP. Corrective measures can be automated or manual or a combination of both. Corrections are published as SAP security notes on the second Tuesday of each month. SAP provides several tools for discovering, analyzing and implementing required security notes including the SAP Support Portal, Maintenance Planner, System Recommendations, and Note Assistant.
Security notes are rated by SAP based on the severity of each vulnerability. Hot news notes address the most severe vulnerabilities in SAP solutions. Other severities include high, medium and low. SAP also uses the Common Vulnerability Scoring System (CVSS) to rate vulnerabilities. CVSS is a widely used standardized model for assessing vulnerabilities across all software solutions. CVSS scores of 9.0-10.0 and 7.0-8.9 are considered critical and high, respectively. Most vulnerabilities are scored by SAP using CVSS version 3.0. The CVSS score is based on a complex calculation that includes an assessment of multiple factors such as attack complexity, dependencies, user interaction, and the impact to data confidentiality, integrity, and availability. The values used to rate each factor and determine the score are included in the vector string for each vulnerability.
SAP is a CVE Numbering Authority (CNA). Most security notes are assigned a unique CVE and published by SAP in CVE databases. Therefore, SAP vulnerabilities are publicly disclosed even though SAP security notes can only be accessed through the SAP support portal. Some information in security notes is not publicly available. This includes details of workarounds where customers cannot or choose not to implement automated corrections. However, the majority of security notes do not include workarounds. Many older SAP security notes do not include a CVE. SAP became a CVE Numbering Authority in late 2017 and therefore older SAP vulnerabilities are not publicly disclosed.
There are two types of security notes, patch day notes and support package notes. Patch day notes address all vulnerabilities reported by external researchers, regardless of severity, and hot news vulnerabilities discovered internally by SAP with a very high (9.0+) CVSS rating. Support package notes address high, medium and low severity vulnerabilities discovered by SAP. Support package notes are implemented via SP fixes or upgrades. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11 2019 and extended the previous coverage period for support packages from 18 months. The impact of the rule is that software components patched up to SP levels where the support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.
There are some exceptions to the 24-month rule. Some SAP products adhere to a product-specific maintenance strategy rather than the general strategy. This includes products such as SAP HANA, BW/4HANA, and SAP Kernel. The maintenance strategy for each product is documented in specific SAP notes. For example, note 2378962 includes the revision and maintenance strategy for SAP HANA version 2.0. HANA Support Package Stacks (SPS) that are out of maintenance are detailed in the note.
The Cybersecurity Extension for SAP automatically discovers software components with SP levels outside the 24-month rule. It enables customers to track the lifecycle of support packages to ensure software components are patched up to SP levels that are within the SAP maintenance window. Customers are therefore able to apply fixes for all available SAP security notes.
The Cybersecurity Extension for SAP also monitors SAP HANA to identify systems using Support Package Stacks that are out of maintenance, as well as SAP Kernels using outdated Kernel versions.
Hot news 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module using RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package referenced in the note for the S4CORE software component.
The vulnerability also impacts standalone SAP Landscape Transformation installations with the DMIS software component. Note 3587115 includes support packages for the relevant DMIS versions.
Hot news note 3572688 addresses a vulnerability that enables attackers to bypass authentication mechanisms to compromise the Admin account in SAP Financial Consolidation. The account is primarily used for initial installation and configuration, supporting system and user administration.
Note 3525794 deals with a high priority information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the leakage of passphrases for user authentication. The support packages included in the note remove access to passphrases from users. A workaround is also included in the note that involves disabling Trusted Authentication in the BOBJ Central Management Console.
Note 3554667 also addresses a high-risk information disclosure vulnerability. Attackers can discover credentials for RFC destinations in SAP NetWeaver AS ABAP using specific RFC calls. The kernel patches included in the note apply the required validation for dynamic destinations to fix the vulnerability. The vulnerability can also be addressed by disabling dynamic RFC destinations using the value setting 1 for profile parameter rfc/dynamic_dest_api_only.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that establishes minimum standards for securing Protected Health Information (PHI) including electronic PHI (ePHI). It applies to all organizations that store, process or transmit PHI for U.S citizens.
PHI includes specific personal and health identifiers such as names, email addresses, telephone numbers, significant dates such as dates of birth, social security numbers, medical record numbers, biometric information, and photographic images. While HIPAA is specific to U.S citizens, many other countries have enacted similar rules to safeguard health information. For example, countries in the European Union must comply with the General Data Protection Regulation (GDPR) to protect health-related personal data. Canadian organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) that deals with the protection of personal information that includes health-related information.
HIPAA standards are defined in three separate Rules for Privacy, Security, and Breach Notification. The Privacy Rule applies to PHI. The Security Rule includes measures to protect the confidentiality, availability and integrity of ePHI. The Breach Notification Rule outlines reporting and disclosure requirements in the event of a breach of PHI or ePHI. Violations of the requirements of the rules can result in fines and civil penalties. Furthermore, the Office for Civil Rights (OCR) is empowered to conduct periodic audits of organizations to confirm compliance with HIPAA standards.
The Security Rule details 18 standards compromised of 42 specifications that organizations must comply with to protect ePHI from unauthorized access, modification or disclosure. This includes technical safeguards for authentication, access control, data transmission, encryption and auditing. The technical safeguards apply to all solutions handling ePHI. This can include SAP solutions.
The OCR issued a notice for proposed updates to the HIPAA Security Rule in December last year. The updates are intended to address current and emerging cyber threats. The changes include removing the distinction between required and “addressable” standards. This was used by some organizations to evade compliance. The revised Security Rule will limit exemptions.
The new Security Rule will also mandate vulnerability assessments every 6 months, penetration tests every 12 months, and annual compliance audits. Organizations will need to ensure the timely implementation of security patches and software updates by implementing critical patches within 15 days and high priority patches within 30 days. The Rule will also require the implementation of specific measures for encrypting data at rest and in transit, multi-factor authentication, anti-malware protection, and minimizing the attack surface for information systems. Organizations will also be required to implement technology to support real-time monitoring and incident response for systems.
The public comment period for the proposed changes to the Security Rule closed earlier this month. The OCR will review all 4,745 comments submitted by organizations and experts. There is currently no timeline for the implementation of the new Security Rule. However, the changes have bipartisan support and therefore are likely to be rolled out soon. Once the updated Rule takes effect, organizations are expected to have 180 days to comply with the new requirements.
The Cybersecurity Extension for SAP automates compliance audits for the technical safeguards of the HIPAA Security Rule. It detects compliance gaps for SAP solutions related to authentication, access control, unapplied security patches, auditing and other standards in HIPAA. The solution also supports compliance assessments for other security frameworks including GDPR, PCI-DSS and NIST, as well as SAP security standards such as the SAP Security Baseline, the S/4HANA Security Guide, and SAP Enterprise Cloud Services requirements for SAP RISE.
The Cybersecurity Extension for SAP performs threat detection for SAP solutions including alerting for suspected security breaches. Alerts can be investigated and reported using built-in incident response procedures. This supports compliance with security monitoring requirements and the Breach Notification Rule of HIPAA.
Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM is used to restrict access to programs executed using the transaction. The restriction is based on authorization groups. Therefore, programs must be assigned to authorization groups in order to apply restrictions. The Class Builder is used to create, maintain and test classes for ABAP objects, attributes and methods.
Note 3569602 patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce. The vulnerability arises from insufficient input validation in an open-source library included in SAP Commerce. The note includes a workaround that details steps for removing the use of the vulnerable component or blocking access to the component using network or host firewalls.
Vulnerabilities in open-source components also impact SAP Commerce Cloud. The vulnerabilities are addressed in note 3566851. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to Denial of Service (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316).
Note 3567974 deals with an authentication bypass vulnerability that could be exploited using code injection in SAP Approuter. All SAP Approuter deployments in BTP are affected. SAP recommends updating deployments to version 16.7.2 or higher.
Note 3483344 was updated for components supporting PDCE in S/4HANA that are vulnerable to a missing authentication check. The components include S4CORE, S4COREOP and SEM-BW.
The SAP Cloud Connector is an agent that links SAP BTP applications with on-premise SAP systems. As a reverse proxy, it enables internal systems to connect securely with BTP services without exposing the systems to direct external access. Permitted connections between BTP resources and backend systems can be maintained directly in the Cloud Connector rather than network firewalls. The Cloud Connector supports HTTP and RFC connections between BTP and SAP systems, as well as direct database connections.
The Connector links directly to external services. Therefore, it should be positioned in a DMZ and segmented from internal SAP systems. Since the DMZ is a separate physical or logical network, segmentation would protect internal SAP systems in the event of a compromise in the Cloud Connector. Systems in SAP landscapes should be configured to accept requests only from trusted Connectors. A failover instance of the Connector is recommended for high availability. This is known as a Shadow Connection, maintained in the High Availability section of the Connector UI.
The Connector should be installed in a dedicated server that does not share resources with other services, especially application services. Access to the Cloud Connector at the OS level should be restricted and OS auditing should be enabled to monitor file operations for the Connector. This includes the Secure Storage in the File System (SSFS) that stores encryption keys and other sensitive data for the Connector. It is also recommended to enable hard-drive encryption for the server hosting the Connector. This will safeguard sensitive configuration data against the unauthorized access and changes. Separate Cloud Connector instances are recommended for connecting to productive and non-productive subaccounts in BTP.
The Connector uses file-based authentication which cannot support multiple users. It is delivered with a single Administrator user that has full administrative rights for the Connector. LDAP-based user authentication should be configured to support multiple users and avoid the use of the Administrator user as a shared account. This would also support traceability for user actions and more granular access control by allowing the use of display and monitoring roles that do not include administrative privileges.
The Administrator user is shipped with a well-known default password. The password is stored as a hash in the file system. Although the Connector prompts users to change the password during installation, it is critical to monitor changes to the Administrator account to ensure that the password does not revert back to the default. This could lead to the compromise of the Administrator account and therefore the Cloud Connector.
Connections from SAP BTP to the Cloud Connector are SSL-encrypted. Currently, supported protocols are HTTP, HTTPS, RFC, RFC with SNC, LDAP, LDAPS, TCP, and TCP over TLS. Connections from the Connector to backend systems should be authenticated and encrypted. Therefore, HTTPS and RFC SNC are recommended over HTTP and RFC. Permissions for technical users should granted based on the principle of least privilege and should not include full administrative rights. Whitelisting is also recommended to restrict access to only the required BTP applications for each subaccount and resources in backend systems.
The self-signed X.509 certificate used for the Connector UI should be replaced by a certificate issued by a certificate authority. Supported TLS ciphers for UI certificates should be SHA256 or greater bit length. Support for less secure ciphers should be disabled in the configuration of the Connector.
The audit log level should be set to SECURITY (default) or ALL. It should not be set to OFF. The value SECURITY will lead the Connector to log blocked requests and configuration changes. The value ALL will enable the Connector to log all requests including successful connections. Logs are stored in the file system. A separate file is created for each day. Deletion of older log files can be enabled using the setting Automatic Cleanup setting in the Audits section of the Administration UI. The Cloud Connector includes a script to verify the integrity of the audit logs and protect against log tampering. The location of the log files can be modified from the default directory, although the performance of the Connector may be impacted if you change the location from the host for the Connector to another server in the network.
HTTP and RFC traces enabled through the Connector may disclose sensitive information such as passwords and credit card data to Administrators. This can be mitigated by requiring two separate users to activate a trace. The file writeHexDump must be created in the scc_config directory for Connectors installed in Linux hosts. The owner of the file must be different than the OS user for Connector processes and not a member of the OS user group sccgroup. The owner of the file will be required to change the file content from allowed=false to allowed=true before an administrator can activate a trace.
Each version of the Cloud Connector is supported by SAP for only 12 months. Therefore, the Connector should be upgraded regularly. It should also be upgraded regularly in response to security notes for the Connector released by SAP. This includes Hot News note 2696233 that deals with multiple critical vulnerabilities in the Cloud Connector. Version 2.11.3 or higher is required to address the vulnerabilities in the note.
The SAP Cloud Connector is an important interface between SAP cloud services and on-premise systems in today’s hybrid SAP landscapes. As an external-facing agent with access to business-critical internal SAP systems, securing the Connector is essential to protect SAP solutions from targeted attacks. The Cybersecurity Extension for SAP automatically scans and detects security misconfigurations and user-related issues in the SAP Cloud Connector that may expose the Connector to such attacks. It also monitors the patch level to ensure the Connector stays updated to the recommended version in response to security vulnerabilities. Finally, the Cybersecurity Extension for SAP monitors the audit log for the Cloud Connector to automatically alert for security incidents. This includes configuration changes, changes to the Administrator account including passwords, changes to connected BTP subaccounts and backend systems, the activation of traces, settings for logging and auditing, role changes, certificates, LDAP, SNC, and many other areas.
Note 3417627 was updated in February to patch a high-risk cross-site scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. The vulnerability is to due to insufficient input validation and improper encoding. This allows an unauthenticated attacker to craft links containing malicious scripts. When a victim clicks on such a link, the script executes in the victim’s browser, potentially leading to unauthorized access or modification of sensitive information. Note 3557138 provides updated corrections to address the vulnerability.
Note 3525794 deals with an information disclosure vulnerability in the Central Management Console of the SAP BusinessObjects Business Intelligence platform. Attackers with administrative rights can generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. The correction in the note removes the ability of administrators to access passphrases.
Note 3567551 resolves a path traversal vulnerability in the Master Data Management Catalog of SAP Supplier Relationship Management. The correction in the note sanitizes the triggered Input URL path and prevents attackers from downloading arbitrary files from remote systems.
Note 3563929 patches a Open Redirect Vulnerability in SAP HANA extended application services. The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link, that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation. The note applies validation of redirect URLs to prevent exploitation.
The recent impact of the ransomware attack at Stoli Group USA serves as a stark reminder of the importance of protecting ERP systems against cyber attack. Stoli Group USA, which imports and distributes liquor brands in the U.S., filed for Chapter 11 protection at the end of November.
Stoli suffered a data breach as a result of a ransomware attack in August 2024 that caused severe disruptions to its global business. The attack disabled the organizations Enterprise Resource Planning (ERP) system, forcing it to rely on manual bookkeeping for critical business activities. Stoli said that its centralized ERP systems would not be restored until at least the first quarter of 2025. The reliance on manual processes for business functions including accounting meant that the company could not comply with debt reporting requirements for its lenders, leading directly to the bankruptcy filing.
According to annual State of Ransomware report based on a study of 5,000 organizations across 14 countries, 59% of organizations experience ransomware attacks. Recovery costs increased by 50% in 2024 from the prior year. 56% of organizations report paying ransoms to recover data. Average ransom payments rose from $400,000 in 2023 to $2M in 2024.
The Cybersecurity Extension for SAP provides industry-leading protection for SAP ERP solutions including S/4HANA against cyber attacks including ransomware. The SAP-certified solution automates vulnerability management, patch management, custom code security, and threat detection and response to protect business-critical SAP solutions.
Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the vulnerability are relatively non-complex and do not require any privileges in target SAP systems. The solution requires the implementation of a kernel patch. There are no workarounds for the vulnerability.
Hot news note 3550708 addresses an equally high-risk information disclosure vulnerability in NetWeaver AS ABAP. Attackers can exploit insufficient authentication in the Internet Communication Framework (ICF) to access restricted information. This can have a significant impact on confidentiality, integrity, and availability. The root cause of the vulnerability is the inclusion of a testing utility in NetWeaver AS ABAP that was not intended for customer delivery. The solution included in the note disables the execution of transaction SA38 by the impacted programs. Access to transaction SA38 can be restricted as a workaround.
Note 3550816 deals with a high-risk SQL injection vulnerability in NetWeaver AS ABAP. Attackers can exploit vulnerable RFC functions to access Informix databases. The solution deactivates the vulnerable functions. A workaround can be implemented to mitigate the vulnerability by restricting access to the execution of remote-enabled function modules in function group SDBI. This can be performed using authorization object S_RFC.
Note 3474398 patches multiple vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ) Platform. This includes information disclosure that can lead to session hijacking, and code injection that can enable attackers to inject and execute malicious JavaScript code.
Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup that could enable attackers to escalate privileges in Windows servers and compromise active directories. SAPSetup supports the installation, updating, and maintenance of SAP software in Microsoft Windows. The solution in the note fixes permissions for relevant temporary directories.
Security notes are released by SAP on the second Tuesday of every month to address vulnerabilities in SAP solutions. The vulnerabilities are discovered by external security researchers and reported as part of SAP’s disclosure program. They are also discovered directly by SAP through its’s ongoing research and testing. Security notes are scored by SAP using version 3.0 of the Common Vulnerability Scoring System (CVSS). CVSS generates a score from 0 to 10 based on the severity of the vulnerability. SAP also assigns a priority level for each note. Critical notes are categorized as hot news.
There were over 150 security notes released in 2024 to address vulnerabilities in SAP solutions. The average CVSS score was 5.9. Approximately 1 in 4 of the notes were categorized as hot news or high priority. This article reviews the most important security notes of 2024, based on CVSS score. Hot news notes should be prioritized for implementation. Often, workarounds included in some notes can be applied to mitigate risks if the corrections cannot be applied immediately.
Note 3479478 [CVE-2024-41730] is the one of the highest rated notes of 2024 with a CVSS score of 9.8. The note patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by attackers to compromise logon tickets using a REST endpoint if Single Sign-On is enabled. The property Trusted_Auth_Shared_Secret can be set to Disabled in the effected files to mitigate the vulnerability if BOBJ cannot be upgraded to the required patch level immediately.
Note 3455438 also has a CVSS score of 9.8. The note addresses code injection and remote code execution vulnerabilities in open-source components bundled in SAP CX Commerce. This includes API tools in Swagger UI and database drivers in Apache Calcite Avatica. The solutions referenced in the note remove the vulnerable components in Swagger UI and upgrade Apache Calcite Avatica to the recommended version. There are no workarounds.
Note 3448171 patches CVE-2024-33006 for a critical file upload vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). The CVE is rated 9.6. The vulnerability can be exploited to bypass malware scanning and completely compromise SAP systems. The correction and workaround detailed in the note apply signature checks for the FILESYSTEM and SOMU_DB content repositories. The vulnerability impacts most version of the SAP_BASIS component in AS ABAP.
Note 3425274 [CVE-2019-10744] patches a code injection vulnerability in SAP Build Apps. The vulnerability arises from specific versions of the Lodash open-source JavaScript library used for programming tasks included in SAP Build Apps. Applications should be rebuilt with version 4.9.145 or later to prevent the vulnerability.
SAP Build Apps is also vulnerable to CVE-2024-29415, a severe Server-Side Request Forgery (SSRF) vulnerability detailed in note 3477196.
Note 3536965 [CVE-2024-47578] addresses SSRF and information disclosure vulnerabilities in Adobe Document Services of SAP NetWeaver AS for JAVA (AS Java). Updating the ADSSAP software component to the recommended patch level will remove the vulnerabilities in the relevant web applications and services in AS Java.
Note 3433192 [CVE-2024-22127] deals with a code injection vulnerability in the Administrator Log Viewer plug-in of AS Java. The vulnerability requires administrative privileges for successful exploitation. Therefore, restricting the use of the Administrators role can mitigate the vulnerability.
Note 3420923 [CVE-2024-22131] patches a vulnerable RFC service in AS ABAP to prevent a critical code injection vulnerability. The workaround in the note recommends restricting access to function modules for CA-SUR using authorization object S_RFC.
Other important notes include 3413475 for multiple CVEs in SAP Edge Integration Cell and 3412456 [CVE-2023-49583] which addresses an escalation of privileges vulnerability in node.js applications created using SAP Business Application Studio, SAP Web IDE Full-Stack or SAP Web IDE for SAP HANA.
