Layer Seven Security

Key Security Findings from the RISE with SAP 2025 Benchmark Report

SAPinsider’s RISE with SAP 2025 benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping migration decisions. From a security standpoint, the most material finding is broad customer non-compliance with the shared model of responsibility, and more specifically, failure to implement and sustain SAP’s mandatory security hardening requirements documented in relevant SAP notes for SAP systems operating in SAP’s cloud delivery model.

Broad Non-Compliance with Customer Security Responsibilities

The report identifies a significant gap between SAP’s cloud security expectations and customer execution. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration, access controls, and compliance with SAP-defined hardening standards.

Two key findings stand out:

  • Less than half (45%) of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private security.
  • Approximately one-third are aware of the model but do not follow it rigorously, indicating that a majority of organizations either do not fully understand or are not consistently executing their responsibilities.

This is not a minor administrative gap. The report explicitly warns that failure to follow both the shared responsibility model and SAP’s mandatory hardening requirements leaves systems open to attack. For leadership teams, the implication is straightforward: cloud migration does not transfer accountability for SAP security outcomes to SAP. If required customer-side controls are not implemented and maintained, the organization bears the risk.

Hardening Requirements Are Frequently Missed

The report goes beyond general security awareness and points to a more specific and operational problem: customers running SAP Cloud ERP Private in SAP’s cloud delivery environment must comply with SAP’s mandatory security parameters and hardening requirements, as documented in relevant SAP notes for ABAP, HANA and Java systems and related components. This includes notes 3250501, 3480723 and 3381209.

The report underscores that non-compliance with these requirements materially increases exposure. In business terms, required hardening defines baseline expectations for how SAP systems must be configured to reduce preventable attack paths. Failure to apply those settings—consistently and over time—creates vulnerabilities that can persist in SAP solutions.

Compliance Is a Moving Target

A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, platform changes, and evolving best practices. As a result, a system that was compliant at go-live may drift out of compliance over time even without major architectural change.

This creates a practical operational risk: compliance must be managed as an ongoing discipline, not a one-time implementation deliverable. Organizations need repeatable processes to track new and updated SAP security guidance, assess its applicability, validate their current posture, and remediate gaps across their SAP landscapes.

Business Risk of Non-Compliance: Support, Liability, and Exposure

The consequences of non-compliance extend beyond technical risk and into contractual and legal exposure:

  • Support risk: When hardening requirements and mandatory parameters are not implemented, incident response becomes more complicated. In high-severity security situations, customers may face delays and friction in diagnosis and remediation, and their position with SAP support can be weakened if the environment is not aligned with required security standards.
  • Legal and regulatory risk: In the event of a data breach, organizations are often required to demonstrate that they followed vendor-prescribed security requirements and reasonable security practices. If an organization cannot demonstrate compliance with SAP’s documented security hardening guidance, it can weaken the company’s defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, litigation, and reputational harm. Ultimately, under a shared responsibility model, the customer retains accountability—and therefore liability—for customer-controlled security controls.

Additional Survey Indicators Relevant to Security Posture

Although the report is broader than security, several survey results reinforce the importance of establishing a robust cloud security operating model:

  • 80% of respondents identify comprehensive monitoring to ensure system health and security as a key requirement for their ERP transformation and innovation initiatives.
  • 79% indicate the need for best-practice compliance checks that avoid outages, underscoring that organizations see compliance and stability as tightly linked.

These findings align with the report’s security message: maintaining control effectiveness requires continuous monitoring and governance, not periodic reviews.

How the Cybersecurity Extension for SAP from Layer Seven Security Addresses These Challenges

The report’s core security finding—customer non-compliance with evolving security requirements—directly aligns with the capabilities of Layer Seven Security’s Cybersecurity Extension for SAP. The solution is designed to help organizations operationalize their security responsibilities in SAP RISE / Cloud ERP environments where configuration, compliance, and threat conditions change over time.

At a business level, it supports three outcomes:

  1. Continuous monitoring against current hardening requirements: Automated checks against SAP security baselines help identify non-compliance as SAP standards evolve, rather than relying on periodic manual reviews.
  2. Reduced risk from compliance drift: Ongoing visibility into configuration posture helps prevent gradual degradation of security controls due to system change, integration expansion, or operational turnover.
  3. Improved audit and support readiness: Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective engagement during incidents and escalations.

This approach acknowledges the operational reality emphasized by the report: compliance is a moving target, and organizations need a sustainable mechanism to remain aligned to SAP’s required security standards.

Key Takeaways

The most significant security issue identified in the SAPinsider RISE with SAP 2025 report is customer non-compliance. A majority of organizations are not fully executing their responsibilities under the shared security model, and the most consequential example is failure to comply with SAP’s mandatory hardening requirements documented in SAP notes. Because these requirements evolve over time, compliance must be treated as an ongoing operational discipline—supported by clear accountability, continuous monitoring, and repeatable remediation processes—to reduce operational, legal, and reputational risk in SAP Cloud ERP Private environments.

The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at SAPinsider.

SAP Security Notes, December 2025

Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels for Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the relevant vulnerable remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommissioning Solution Manager (SolMan) installations. The end of maintenance for SolMan is scheduled for December 31, 2027. SolMan is no longer required for the Cybersecurity Extension for SAP.

Hot news note 3685286 addresses a critical deserialization vulnerability in SAP jConnect – SDK for ASE (CVE-2025-42928). The vulnerability can be exploited by attackers to execute malicious code. The solution disables the serialization and deserialization of vulnerable input values in SAP jConnect for JDBC Driver. The note includes patches for SAP ASE versions 16.0 and 16.1.

Hot news note 3683579 delivers fixes for multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754 and CVE-2025-55752).

Note 3684682 addresses a high-risk information disclosure vulnerability in the SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878). The vulnerability can lead to the exposure of internal testing interfaces that are not intended for production. The parameter icm/HTTP/icm_test_<x> should be removed from system profiles to mitigate the vulnerability. This includes the DEFAULT profile and all instance profiles.

Note 3677544 patches a memory corruption vulnerability in SAP Web Dispatcher, ICM and SAP Content Server (CVE-2025-42877).

Note 3640185 fixes a denial of service (DoS) vulnerability in the remote service for Xcelsius in SAP NetWeaver (CVE-2025-42874). The service allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control.

Note 3672151 patches a missing authorization check impacting the General Ledger in the Financial module of SAP S/4HANA (CVE-2025-42876). The vulnerability could enable an attacker with access to a single company code to read sensitive data and post or modify documents across all company codes.

What’s New in the Cybersecurity Extension for SAP Version 2.0

Building upon the successful release of the initial version of the NetWeaver Edition of the Cybersecurity Extension for SAP earlier this year, Layer Seven Security is pleased to announce the upcoming availability of version 2.0. The new release includes important enhancements including support for SAP NetWeaver AS Java, anomaly detection to identify unusual or suspicious activity, the addition of more than 400 new threat detection patterns, and updates for SAP compliance frameworks including the SAP Security Baseline, S/4HANA Security Guide, and mandatory security requirements for SAP RISE / Cloud ERP. The enhancements significantly improve protection for business-critical SAP solutions against advanced cyber threats.

SAP NetWeaver AS Java

The new release of the Cybersecurity Extension for SAP provides coverage for SAP NetWeaver AS Java solutions such as the SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (SAP IdM). Version 2.0 supports vulnerability management for AS Java systems including components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). It also supports the automated discovery of relevant SAP Security Notes for AS Java systems. This includes SAP Java notes for Known Exploited Vulnerabilities (KEV) reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Finally, the new release supports monitoring of AS Java logs to detect and alert on security incidents such as user and role changes, system changes, calls to vulnerable servlets including the invoker servlet, and patterns to detect the potential exploitation of AS Java vulnerabilities such as RECON, Log4j and the recent vulnerability detailed in CVE-2025-31324, impacting the SAP NetWeaver Visual Composer Metadata Uploader.

Anomaly Detection

Anomaly detection is a powerful method for detecting potential zero-day attacks without known signatures, brute force attacks, and advanced persistent threats that are difficult to detect using conventional pattern matching techniques. It can also detect insider threats such as privilege abuse or escalation, fraud, and suspicious user actions that deviate from normalized patterns of behavior. Although the Solution Manager Edition of the Cybersecurity Extension for SAP supported anomaly detection for SAP solutions, this feature was not included in the initial release of the NetWeaver Edition. Version 2.0 includes full enablement of anomaly detection in the NetWeaver Edition.

Threat Detection

Version 2.0 of the Cybersecurity Extension for SAP includes a significant increase in the volume of threat detection patterns for SAP solutions. It delivers more than 400 new patterns to detect Indicators of Compromise (IOC) in various SAP logs. This includes calls to vulnerable function modules and reports, suspicious file downloads, access to critical tables, directory traversal exploits, and dangerous transaction starts. The addition strengthens the position of the Cybersecurity Extension for SAP as the leading threat detection solution for SAP solutions in terms of coverage. The most recent version of the solution includes more than 1500 threat detection patterns. In comparison, the current version of SAP Enterprise Threat Detection (ETD) includes approximately 200 patterns.

SAP Security Compliance

The Cybersecurity Extension for SAP automates compliance audits for SAP solutions. The solution discovers compliance gaps against multiple security frameworks including GDPR, NIST, SOX and PCI-DSS. It also monitors compliance with SAP security standards such as the SAP Security Baseline, the Security Guide for SAP S/4HANA, and mandatory security requirements for SAP RISE / Cloud ERP solutions defined by SAP Enterprise Cloud Services (ECS). Version 2.0 aligns compliance checks with the latest SAP benchmarks. This includes version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions defined in the latest version of note 3250501, the new version extends coverage for SAP RISE / Cloud ERP checks to include SAP HANA and SAP AS Java solutions. The requirements for these areas are defined in SAP notes 3480723 and 3381209.

What to Expect in Version 3.0

Key updates for the next release of the NetWeaver Edition of the Cybersecurity Extension for SAP include:

  • Support for SAP BTP and SAP Cloud Connector
  • Support for SAProuter and Web Dispatcher
  • Support for RHEL & SUSE OS monitoring including vulnerability scanning and log monitoring
  • Email notifications for security alerts
  • Report automation including scheduling and distribution

The updates will align the capabilities of the NetWeaver Edition with the Solution Manager Edition, enabling existing customers to transition smoothly to the latest platform without any loss in coverage or functionality.

Looking Ahead to 2026

Next year’s roadmap for the Cybersecurity Extension for SAP includes planned enhancements that will improve the user experience and reinforce its standing as the leading cybersecurity solution for SAP systems. This includes:

  • Support for SAP SuccessFactors
  • Support for SAP S/4HANA Public Edition
  • Data Loss Protection (DLP) including threat detection patterns and alerts for unauthorized access to sensitive data in SAP solutions
  • Extended checks for critical access and segregation of duties in SAP S/4HANA including a dedicated application to support cross-application user access and role analysis

We extend our best wishes for a Happy Thanksgiving to our customers in the United States and look forward to supporting you in the months ahead.

SAP Security Notes, November 2025

Hot news note 3666261 patches a critical code execution vulnerability in SAP SQL Anywhere. The correction removes the SQL Anywhere Monitor. The note recommends switching to the SQL Anywhere Cockpit for database administration.

Hot news note 3668705 addresses a code injection vulnerability in SAP Solution Manager arising from missing input validation for a vulnerable remote-enabled function module. The correction removes the vulnerability by sanitizing input entry, including rejecting some non-alphanumeric characters.

Note 3660659 was updated for a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. Corrections now include the prerequisite note 3670067 to increase the character limit in configuration values for VM properties. Additional hardening suggestions for optional classes and packages were also added to the note.

Note 3633049 patches a high-risk memory corruption vulnerability in the CommonCryptoLib – SAP Common Cryptographic Library (CCL). CCL supports encryption, validation of digital certificates, and other functions in SAP solutions including NetWeaver AS ABAP and SAP HANA. The vulnerability can be exploited by attackers to trigger a denial of service. The correction improves boundary checks to prevent buffer overflows. CommonCryptoLib installations should be upgraded to version 8.5.60 or higher. CCL is included in some SAP components. The impacted components should also be upgraded to address the vulnerability. Note 3628110 includes details of the relevant components and recommended versions.

Penetration Testing for SAP RISE / SAP Cloud ERP

As enterprises increasingly migrate to S/4HANA Cloud platforms as part of SAP RISE / Cloud ERP transformations, the need to secure these mission-critical environments has never been greater. SAP cloud solutions manage essential financial, operational, and human resource data, forming the digital backbone of organizations. While SAP provides a robust infrastructure with built-in security controls, customers are responsible for securing their own configurations, integrations, and extensions as part of a shared model of responsibility for security. Penetration testing is therefore a critical step in validating the effectiveness of these security measures.

Cloud ERP systems expand the traditional attack surface by integrating with third-party applications, partners and APIs. Even a single insecure interface or misconfigured role can allow unauthorized access to sensitive data or processes. Penetration testing provides a proactive mechanism to identify such weaknesses before they are exploited. It helps to verify that cloud configurations meet security best practices, that network segmentation is properly enforced, and that custom developments or business add-ons do not introduce vulnerabilities.

Regular penetration testing validates that monitoring and alerting tools are capable of detecting and containing cyber threats. For organizations subject to compliance frameworks such as SOX, GDPR, or ISO 27001, penetration testing also provides essential evidence of due diligence.

A typical penetration test for SAP RISE / Cloud ERP follows a structured methodology:

Planning and Scoping
The testing team works with business and IT stakeholders to define the scope including systems, integrations, network zones, and user roles. This stage also includes obtaining formal approval from SAP ECS (Enterprise Cloud Services) to perform testing in RISE environments.

Coordination with SAP ECS
Although penetration tests are performed by external security service providers, they must be closely coordinated with SAP ECS. Because SAP RISE / Cloud ERP environments are managed by SAP ECS, customers cannot conduct testing independently. Instead, a Penetration Test Request must be submitted through the SAP support portal under component BC-OP-RC-ECS, typically at least six weeks in advance. The request must specify:

  • The purpose and objectives of the test
  • The systems or tenants involved
  • The testing provider (internal or external)
  • Expected timeline and test methods

SAP ECS reviews the request to ensure that testing will not affect shared infrastructure or violate service-level agreements. Once approved, SAP coordinates scheduling, network access, and monitoring to support the testing.

Rules of Engagement for SAP RISE
SAP enforces specific Rules of Engagement (RoE) for all penetration tests in RISE / Cloud ERP environments. Key requirements include:

  • Testing is limited to customer-managed layers. This includes application configuration, extensions, and custom code. Direct testing of the SAP-managed infrastructure or platform components is not permitted.
  • Testing must be non-disruptive and conducted within agreed maintenance windows. Denial-of-service (DoS) or destructive payloads are prohibited.
  • All vulnerabilities discovered must be reported confidentially to SAP ECS, following SAP’s responsible disclosure process.
  • External testers must sign SAP’s Non-Disclosure and Penetration Test Agreement before gaining access.

Assessment and Exploitation
Authorized testers use both automated tools and manual techniques to identify vulnerabilities in application configurations, user privileges, and exposed interfaces. This may include attempts to escalate privileges, bypass access controls, or extract sensitive data within approved boundaries.

Reporting and Remediation
The final report details vulnerabilities, their risk levels, and recommended mitigation steps. SAP ECS may review findings that affect managed components, while customer teams focus on remediating application-layer issues.

Penetration testing is an indispensable component for ensuring the resilience of SAP systems and components in RISE / Cloud ERP environments. By simulating attack scenarios, it provides tangible assurance that security controls are effective and vulnerabilities are promptly addressed. When performed in coordination with SAP ECS under formal rules of engagement, penetration testing not only strengthens the customer’s security posture but also reinforces the shared-responsibility model that underpins SAP’s cloud ecosystem. Regular, well-governed testing ensures that organizations maintain the confidentiality, integrity, and availability of their most critical SAP resources in the cloud.

Layer Seven Security is an approved SAP Services Partner. We offer a range of services and solutions to help secure SAP solutions in RISE / Cloud ERP. This includes Penetration Testing for SAP and automated audits to identify compliance gaps against mandatory security and hardening requirements for SAP RISE / Cloud ERP solutions defined by SAP ECS.

SAP Security Notes, October 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. The vulnerability can be exploited by attackers to execute arbitrary OS commands. The patch updates the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module. As a workaround, network access to the P4 and P4S ports in AS Java should be restricted.

Hot news note 3660659 addresses another insecure deserialization vulnerability in AS Java. The correction in the note blocks vulnerable JDK and third-party classes to prevent exploitation of the vulnerability. A workaround is included in the note for older versions of AS Java that are no longer maintained by SAP. The workaround involves applying the parameter jdk.serialFilter to restrict which classes can be deserialized.

Note 3630595 fixes a high-risk directory traversal vulnerability in SAP Print Service (SAPSprint). The correction in the note improves validation for path information provided by users to prevent attackers traversing parent directories and compromising system files.

Note 3647332 patches an unrestricted file upload vulnerability in SAP Supplier Relationship Management. The note enhances checks for MIME types and file extensions to prevent the uploading of malicious files such as malware.

Other important security fixes include note 3664466 for a denial of service vulnerability in SAP Commerce Cloud and note 3658838 for a code execution vulnerability arising from insecure versions of Apache CXF libraries in SAP Data Hub Integration Suite that can be exploited to supply malicious RMI/LDAP endpoints.

Workarounds for SAP Security Notes

Corrections for Common Vulnerabilities and Exposures (CVEs) impacting SAP solutions are delivered via patch day notes and support packages released through the SAP Support Portal. In most cases, the corrections include automated fixes that are applied as updates or upgrades for impacted software components. Applying the automated fixes is the preferred method for addressing SAP CVEs. However, in some cases, it may not be possible to apply an automated fix. The corrections may have adverse side effects such as disabling or removing required services, programs or features. There may also be challenges related to applying prerequisite notes required to implement corrections. Corrections may require extensive testing or downtime, and it may not be possible to allocate the resources or schedule maintenance windows. Lastly, customers may not have access to corrections if, for example, their SAP solutions are supported and maintained by third parties instead of SAP.

For these reasons, it is often necessary to identify and apply workarounds for SAP CVEs. While SAP provides workarounds for some CVEs, primarily for critical hot news security notes, the majority of SAP CVEs do not include workarounds. However, it is often possible to identify potential workarounds by analysing the details of each note. Often details of impacted programs, reports, function modules, services, or other objects are reported in the Symptom and Solution sections of notes. Object names may also be disclosed in supporting FAQs for security notes, if available.

The section for the Common Vulnerability Scoring System (CVSS) may also include indicators for potential workarounds. SAP provides a CVSS score for each note based on the values for each metric in the framework. The values are included in the CVSS section. The vector string that includes the value for each metric is also disclosed in CVE databases. Values such as Local (L) for Attack Vector (AV) may indicate that local access is required for vulnerability exploitation. In this case, network and host firewalls may be sufficient to block external access to SAP ports and services. The value High (H) for Privileges Required (PR) may suggest that administrative privileges are required and therefore restricting administrative access may mitigate the vulnerability.

Network filtering using firewalls and managing roles and authorizations are examples of workarounds that can be applied to address SAP CVEs. Other actions may include disabling vulnerable objects, and modifying system settings such as profile parameters to harden SAP systems and eliminate or lessen the exposure to vulnerabilities.

Monitoring and responding to indicators of compromise may also mitigate the risk of some CVEs. Based on the analysis of SAP notes, it may be possible to build and apply patterns for SAP logs using SIEM solutions to detect and alert for the potential exploitation of CVEs.

The Cybersecurity Extension for SAP automates the discovery of required SAP security notes based on installed software components and versions in each relevant system. It also includes workarounds for notes where customers are not able to implement automated corrections from SAP. The solution also includes patterns for detecting and alerting for the exploitation of SAP CVEs. Alerts can be forwarded to SIEM solutions for centralized security monitoring and incident response.

SAP Security Notes, September 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to execute arbitrary OS commands that could lead to the full compromise of AS Java systems. As a result, the vulnerability has a CVSS rating of 10/10. Since the vulnerability impacts the proprietary SAP P4 protocol, the patch provided in note 3634501 enforces secure deserialization and restricts the acceptance of untrusted Java objects via the RMI-P4 module. Workarounds are also provided in the note to bind the P4 listening port to specific authorized hosts. This is performed using the HOST field of profile parameter icm/server_port_<xx>. SAP also recommends restricting client connections to the ICM with an Access Control List (ACL), which is specified through the same parameter. The path to the ACL file is defined using the ACLFILE option of icm/server_port_<xx>. Entries in the ACL file use the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

The following deny entry is recommended as the last rule in the ACL.

deny   0.0.0.0/0           # deny the rest
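The two profile-level workarounds above (binding icm/server_port_<xx> to a HOST and attaching an ACLFILE) and the removal of icm/HTTP/icm_test_<x> from profiles described under note 3684682 in the December notes are both checks that can be run offline against exported profiles. The following Python script is an added example, not code from the page or from Layer Seven Security. It parses profile lines, flags P4/P4S ports that lack HOST or ACLFILE, flags any icm/HTTP/icm_test_<x> parameter, parses an ACL file in the syntax quoted above, and evaluates which client addresses it admits. It assumes first-match evaluation of ACL rules and treats "no rule matched" as deny; the recommended final `deny 0.0.0.0/0` makes the outcome independent of that default, which is the point of adding it. The profile excerpt, the ACL file, and the path /usr/sap/S4H/SYS/global/p4_acl.txt are constructed sample data.

```python
import ipaddress

# Constructed sample profile excerpt; values are illustrative, not from a real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL excerpt (constructed sample)
SAPSYSTEMNAME = S4H
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=P4,PORT=50004,HOST=10.0.5.20,ACLFILE=/usr/sap/S4H/SYS/global/p4_acl.txt
# port below has neither HOST binding nor ACL: the finding we want to surface
icm/server_port_2 = PROT=P4,PORT=50005
# internal test interface that note 3684682 says to remove (constructed value)
icm/HTTP/icm_test_0 = PREFIX=/icm_test
"""

# Constructed sample ACL file in the '<permit|deny> <ip[/mask]> [tracelevel] [# comment]' syntax.
SAMPLE_ACL = """\
permit 10.0.0.0/8          # internal networks
permit 192.168.10.25       # admin jump host
deny   0.0.0.0/0           # deny the rest
"""


def parse_profile(text):
    """Return (name, value) pairs for 'name = value' lines; '#' comment lines and blanks skipped."""
    params = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params.append((name.strip(), value.strip()))
    return params


def parse_port_options(value):
    """Split 'PROT=P4,PORT=50004,HOST=...' into an upper-cased option dict."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def find_icm_test_params(params):
    """Names of icm/HTTP/icm_test_<x> parameters present in the profile."""
    return [name for name, _ in params if name.startswith("icm/HTTP/icm_test_")]


def find_unrestricted_p4_ports(params):
    """(parameter, missing options) for P4/P4S listeners lacking HOST binding or ACLFILE."""
    findings = []
    for name, value in params:
        if not name.startswith("icm/server_port_"):
            continue
        opts = parse_port_options(value)
        if opts.get("PROT", "").upper() not in ("P4", "P4S"):
            continue
        missing = [o for o in ("HOST", "ACLFILE") if o not in opts]
        if missing:
            findings.append((name, missing))
    return findings


def parse_acl(text):
    """Parse ACL rules into (action, network); a trailing '# comment' and tracelevel are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action = fields[0].lower()
        if action not in ("permit", "deny") or len(fields) < 2:
            raise ValueError(f"ACL line {lineno}: malformed rule {raw!r}")
        rules.append((action, ipaddress.ip_network(fields[1], strict=False)))
    return rules


def acl_decision(rules, client_ip):
    """First matching rule decides; 'deny' if no rule matches (assumed default)."""
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if ip in network:
            return action
    return "deny"


def acl_ends_with_catch_all_deny(rules):
    """True when the last rule is the recommended 'deny 0.0.0.0/0'."""
    if not rules:
        return False
    action, network = rules[-1]
    return action == "deny" and network.prefixlen == 0


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for name in find_icm_test_params(params):
        print(f"REMOVE: {name} exposes an internal test interface (note 3684682)")
    for name, missing in find_unrestricted_p4_ports(params):
        print(f"HARDEN: {name} lacks {', '.join(missing)}")
    rules = parse_acl(SAMPLE_ACL)
    if not acl_ends_with_catch_all_deny(rules):
        print("WARN: ACL does not end with 'deny 0.0.0.0/0'")
    for client in ("10.20.30.40", "192.168.10.26", "203.0.113.7"):
        print(f"{client}: {acl_decision(rules, client)}")
```

Run against exported DEFAULT and instance profiles in turn, since note 3684682 applies to both; a P4 port that passes the HOST/ACLFILE check still needs the ACL file itself reviewed, which is what the evaluation of sample client addresses demonstrates.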

Hot news note 3643865 removes an unrestricted file upload vulnerability in AS Java that could be exploited to execute malicious code in files. The vulnerability impacts all versions of AS Java. However, the note only provides a fix for specific support pack levels of version 7.50. Earlier versions are no longer maintained by SAP. For earlier versions, Knowledge Base Article (KBA) 3646072 includes a workaround for the vulnerability that involves disabling the vulnerable Deploy Web Service component by adding a startup filter.

Hot news note 3627373 provides a solution for a missing authentication check in SAP NetWeaver installations using IBM i operating systems. Installations using other operating systems are not affected by the vulnerability. SAP System IDs (SIDs) are impacted if they share the same logical partition (LPAR) with other SIDs. Therefore, a possible workaround is to place SIDs in separate LPARs. This prevents the sharing of server resources such as CPU, memory and storage across multiple virtualized environments.

Notes 3635475 and 3633002 patch high-priority input validation vulnerabilities in SAP S/4HANA and SAP Landscape Transformation. The vulnerabilities could be exploited to delete the contents of database tables that are not protected by authorization groups.

Other high-priority notes include note 3581811 for a directory traversal vulnerability in SAP NetWeaver and note 3642961 for an information disclosure vulnerability in SAP Business One.

Layer Seven Security Named Top SAP Cybersecurity Protection Solution 2025

We are pleased to announce that the Cybersecurity Review has selected the Cybersecurity Extension for SAP from Layer Seven Security as the Top SAP Cybersecurity Solution 2025. The international publication with almost 300,000 subscribers worldwide performed a detailed review of several solutions that provide cybersecurity coverage for SAP applications and infrastructure. This included solutions offered by providers such as Onapsis, SecurityBridge, and Pathlock, as well as SAP solutions such as Enterprise Threat Detection (ETD) and Code Vulnerability Analyzer (CVA). The criteria included coverage and capabilities for areas such as SAP vulnerability management, compliance reporting, patch management, custom code security, threat detection and response, and anomaly detection.

Other criteria included certification, deployment complexity and effort, maintenance, customer support, customization, integration with SIEM and incident management solutions, support for SAP RISE customers, user experience, and product roadmap. Licensing cost was also an important criterion given the recent drive for greater efficiency and lower costs in organizations.

The Cybersecurity Extension for SAP emerged as the leading solution across most of the criteria, specifically in areas such as coverage, support and licensing costs.

Coverage – The Cybersecurity Extension for SAP is the only solution in the market that delivers coverage for SAP vulnerability management, compliance reporting, patch management, custom code security, threat detection and response, and anomaly detection through a single integrated solution with a unified license. Other solutions require separate solutions or licenses for modular products. Some vendors such as SAP do not offer solutions for areas such as compliance reporting, patch management and vulnerability management.  

The Cybersecurity Extension for SAP also provides deeper coverage across the domains with higher volumes of checks and patterns for vulnerability and threat detection than competitors.

The ability of the solution to support database and operating system security for SAP systems was also identified as a key differentiator. The Cybersecurity Extension supports full-stack monitoring for SAP systems, whereas most alternative solutions support only the application layer. This provides Layer Seven Security with an advantage in areas such as ransomware protection.

Certification – Earlier versions of the Cybersecurity Extension for SAP were certified for integration with SAP NetWeaver platforms. However, since the certification was discontinued by SAP, the solution is now certified for SAP HANA. The certification is performed by the SAP Integration and Certification Center and includes code reviews and testing performed by SAP.

Deployment Complexity and Effort – The Cybersecurity Extension for SAP benefits from a simplified architecture that does not require additional infrastructure, including servers. This supports rapid deployment. The solution can be deployed as an addon to existing SAP systems including SAP GRC, BW, ECC, and S/4HANA. It can also be deployed to standalone SAP NetWeaver AS ABAP installations. The required addons are installed and configured within a few hours directly by SAP Basis administrators. Alternative solutions require additional servers and complex, time-intensive installation steps.

Maintenance – Content updates are provided by Layer Seven Security every month for new patches, vulnerability checks, and threat detection patterns. The updates can be performed in under 5 minutes with a few simple steps. Addon updates are provided on a quarterly cycle and include functional enhancements. They are applied using standard SAP steps for addon updates.

Customer Support – According to the Cybersecurity Review, customers singled out customer support as one of the strengths of Layer Seven Security. Customers commended the responsiveness of Layer Seven and valued the ability to reach out directly to dedicated engineers and developers without the need to go through regular support channels.

Customization – Layer Seven Security was also acknowledged by customers for their responsiveness to enhancement requests and customizations. Requests were handled promptly and implemented swiftly, often without any additional charges.

SIEM/Incident Management Integration – The Cybersecurity Extension for SAP supports seamless integration with a wide variety of Security Information and Event Management (SIEM) solutions including Splunk, QRadar, Sentinel and LogRhythm. Integration is simple, straightforward and flexible enough to accommodate multiple scenarios. Integration with service desk solutions such as ServiceNow and Remedy is also supported.

Support for RISE – The addon approach was found to be particularly suitable for SAP RISE scenarios. Customers can deploy and maintain the addon directly to SAP RISE systems without the support of SAP Enterprise Cloud Services (ECS). Furthermore, customers do not need to request the provisioning and maintenance of additional infrastructure from SAP ECS.

User Experience – The Cybersecurity Extension for SAP provides an integrated user interface using SAP Fiori. The Fiori-based applications provide a consistent and intuitive experience for SAP users since they follow the identical design principles of standard SAP applications. SAP users can navigate effortlessly through the solution and extend and personalize the user experience.

Product Roadmap – The three-year roadmap for the Cybersecurity Extension for SAP was found to be well aligned with the evolving needs of SAP customers, particularly in the area of support for SAP cloud services such as BTP, SuccessFactors, and Cloud ALM.

Licensing Costs – Despite the leading position commanded by Layer Seven Security in areas such as coverage, deployment, maintenance, support, and user experience, the Cybersecurity Extension for SAP was found to be one of the most competitively priced solutions in the market. Licensing costs were considerably lower than alternatives including Onapsis and Security Bridge. Licensing was also more transparent and did not include hidden fees and up-charges. Overall, the Cybersecurity Review determined that the Cybersecurity Extension for SAP offered the optimal cybersecurity protection for SAP solutions with the lowest total cost of ownership.

An official announcement by the Cybersecurity Review of the selection of the Cybersecurity Extension for SAP as the Top SAP Cybersecurity Solution 2025 is expected in the coming weeks. The management team at Layer Seven Security would like to recognize the dedication and efforts of all employees in earning this acknowledgment, and the continued support of our customers and partners.

SAP Security Notes, August 2025

Hot news notes 3581961 and 3627998 patch critical code injection vulnerabilities in SAP S/4HANA. Both notes have CVSS scores of 9.9/10. The vulnerabilities impact the function modules /SLOAP/GEN_MODULE_REPORT and /SLOAE/DEPLOY that can be exploited to install backdoors that bypass authorization checks. The function modules are used for reporting and analysis and are included in S4CORE.

Note 3633838 patches an equally critical code injection vulnerability in the Analysis Platform of SAP Landscape Transformation.

Note 3611184 addresses high risk memory corruption and reflected cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities impact BIC documents used for batch processing. As a workaround, the BIC ICF service can be deactivated using transaction SICF.

Note 3602656 patches a privilege escalation vulnerability in NetWeaver AS ABAP by improving permissions for the barcode interface using authorization object S_WFAR_OBJ.

Note 3601480 provides a kernel patch to prevent the logging of sensitive tokens in HTTP logs for the Internet Communication Manager (ICM) in NetWeaver AS ABAP. The vulnerability can also be addressed by avoiding the use of specific log formats using profile parameter icm/HTTP_logging_0.
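The token leakage that note 3601480 addresses is easiest to reason about on concrete log lines. The following Python script is an added example, not Layer Seven Security's code and not SAP's ICM implementation: it scans constructed ICM-style HTTP access-log lines for SAP logon tickets, session cookies and Authorization header values, reports which lines leak them, and redacts the values so a sample can be shared safely. The line layout, the sample values and the helper names (find_leaks, redact, scan_log) are assumptions; the cookie names MYSAPSSO2 and SAP_SESSIONID_<SID>_<client> are SAP's standard logon ticket and session cookies.

```python
"""Scan SAP ICM-style HTTP access-log lines for leaked credentials and redact them.

Added example with constructed sample data and hypothetical helper names. It assumes
a log format that writes the Authorization and Cookie request headers into each line,
which is the condition the SAP note warns against.
"""
import re
from typing import Dict, List

# Secrets that should never reach an access log. MYSAPSSO2 is the SAP logon ticket,
# SAP_SESSIONID_<SID>_<client> the ABAP session cookie; the Bearer/Basic patterns
# cover OAuth/JWT and basic-auth values in Authorization headers.
SENSITIVE_PATTERNS: Dict[str, re.Pattern] = {
    "bearer_token": re.compile(r"(?i)(Bearer\s+)([A-Za-z0-9\-._~+/]+=*)"),
    "basic_auth": re.compile(r"(?i)(Basic\s+)([A-Za-z0-9+/]+=*)"),
    "mysapsso2": re.compile(r"(MYSAPSSO2=)([^;\s\"]+)"),
    "sap_sessionid": re.compile(r"(SAP_SESSIONID_[A-Z0-9]{3}_\d{3}=)([^;\s\"]+)"),
}

# Constructed sample lines: Common-Log-Format fields followed by the Authorization
# and Cookie header values (assumed layout; the token values are made up).
SAMPLE_LOG = """\
10.0.0.5 - JDOE [12/Aug/2025:10:15:01 +0000] "GET /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html HTTP/1.1" 200 5120 "-" "MYSAPSSO2=AjQxMDMBABhKAEQATwBFAGFiYw; SAP_SESSIONID_ABC_100=XyZ123AbC456"
10.0.0.7 - - [12/Aug/2025:10:15:03 +0000] "POST /sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner HTTP/1.1" 201 812 "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqZG9lIn0.c2lnbmF0dXJl" "-"
10.0.0.9 - - [12/Aug/2025:10:15:05 +0000] "GET /sap/public/ping HTTP/1.1" 200 12 "-" "-"
"""


def find_leaks(line: str) -> List[str]:
    """Return the names of the sensitive patterns present in one log line."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(line)]


def redact(line: str) -> str:
    """Replace each secret value with a fixed marker, keeping the prefix for context."""
    for pat in SENSITIVE_PATTERNS.values():
        line = pat.sub(r"\1[REDACTED]", line)
    return line


def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the secrets found on them; clean lines are omitted."""
    findings: Dict[int, List[str]] = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = find_leaks(line)
        if hits:
            findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: leaks {', '.join(hits)}")
    # Show what a shareable copy of a leaking line looks like.
    print(redact(SAMPLE_LOG.splitlines()[1]))
```

Run scan_log over a sample of your own ICM HTTP logs after adjusting the log format: a non-empty result means header values are still being written and the format needs further tightening, and redact gives a copy that can be attached to a ticket without reproducing the leak.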