Layer Seven Security

Now on SAP BTP: Access the Cybersecurity Extension for SAP on SAP Build Work Zone

The Cybersecurity Extension for SAP provides an SAP Fiori user experience that is usually deployed using the embedded Fiori model. The embedded model combines backend and frontend components in the same system. The model reduces landscape complexity, removes external communication for service calls, and can improve response times and stability. From an operations perspective, the embedded model usually means fewer systems to maintain, monitor, and secure. It also simplifies lifecycle management, because Fiori components are deployed together with the backend environment in the same system instead of being maintained on a separate hub.

The downside of the embedded model is that frontend applications are constrained by the limitations of backend systems. This can hold back innovation and the adoption of new capabilities in SAP Fiori applications. For example, the use of Horizon themes in SAP Fiori for a more consistent, unified user experience aligned with SAP cloud services is only possible with higher versions of SAPUI5. Solutions such as ECC cannot support Horizon themes with the embedded model.

SAP BTP overcomes the limitations of the embedded model by providing a separate cloud-based platform for Fiori applications that is not constrained by backend SAP systems. This not only supports improvements for the user experience, it also aligns with SAP’s strategy for a clean core by moving customizations from SAP systems to cloud extensions. A clean core leads to more stable SAP environments that are easier to maintain and upgrade.

Deploying Fiori applications to SAP BTP also enables organizations to benefit from services available in SAP AI Core and Generative AI Hub for AI-driven analysis, predictive capabilities, and workflows. This includes capabilities such as intelligent summaries, faster identification of unusual activity, personalized recommendations, and more intuitive, conversational user experiences.

In addition to the ability to deploy directly to SAP systems using the embedded approach, the Cybersecurity Extension for SAP can now also be deployed to SAP Build Work Zone running in the SAP BTP Cloud Foundry environment. The steps are summarized below and typically take around 45 minutes to perform.

Preparation

Prepare your SAP BTP landscape. Start by creating or confirming the subaccount in SAP BTP Cockpit. In the global account, choose Create, provide an account name, select the appropriate region, and finalize creation. Once the subaccount is created, complete the mandatory configuration. First, verify that the Cloud Connector is properly attached to the subaccount and the connection status shows as established. Next, confirm a destination named backend is present. Principal Propagation is recommended as the authentication method for a trusted setup between ABAP systems and SAP BTP. Then, ensure your Cloud Foundry environment is provisioned. Create the Cloud Foundry instance (if needed) and create at least one space for deployments. Finally, validate entitlements and subscriptions for SAP Build Work Zone. At the global account level, assign the Work Zone entitlement to the target subaccount, then create (or confirm) an active subscription. As a last preparation step, assign the required admin role to the operator who will configure the launchpad, for example the Launchpad_Admin role collection.

Installation

The Cybersecurity Extension for SAP is delivered as an .mtar archive and is deployed via Cloud Foundry, so your workstation needs the right tools. Install the SAP (Cloud Foundry) CLI, then add the HTML5 applications repository plugin.

Deploy the package to the subaccount. Move the provided .mtar file into a working folder and open a command line in that directory. Log in to the correct Cloud Foundry org/space using cf login, following the prompts for credentials and selecting the target space. With the session established, deploy the archive using cf deploy. When deployment completes, confirm the HTML5 apps were created by running cf html5-list. For a second confirmation path, open SAP BTP Cockpit, navigate into the subaccount, and check the HTML5 Applications area to see the deployed artifacts reflected in the UI.

Configuration

In the subaccount, open the SAP Build Work Zone subscription and launch the application. If no site exists yet, create one from the Work Zone entry point. Then update the default content channel (HTML5) in Channel Manager. Next, bring in the solution content. The fastest path is importing the provided L7S content .zip via Content Manager. After the import, you should see the required bundle of objects (apps, plus a group, page, space, role, and catalog).

Assign access for required users. Back in the subaccount, assign the L7S role collection to the intended business users. Then, in the Work Zone Site Directory, confirm the site’s role assignment includes the expected role. Open the site and log on with a user who has the L7S role. Enabling multifactor authentication (MFA) for BTP users is recommended. This can be performed using SAP Cloud Identity Services. The Cybersecurity Extension for SAP will be available in the launchpad once you log on. See below.

Click on the tile for the Cybersecurity Extension for SAP to launch the application and access the home screen below.

Layer Seven Security Achieves CyberSecure Certification

Layer Seven Security has successfully achieved certification under the CyberSecure Canada program, reinforcing the company’s commitment to maintaining a strong cybersecurity posture and applying recognized baseline security controls across its operations. For customers that rely on SAP systems to support business-critical processes, the certification provides independent validation that Layer Seven Security operates within a structured cybersecurity framework aligned with a recognized assurance program.

CyberSecure was established by Innovation, Science and Economic Development (ISED) Canada as a national cybersecurity certification program intended to improve information security through the implementation of defined baseline controls. The program is based on cybersecurity controls developed from guidance published by the Canadian Centre for Cyber Security.

The controls are designed to address threat scenarios and organizational cyber risk through practical and measurable safeguards. The control areas include incident response and recovery, automated patching, endpoint protection, secure configuration of devices and systems, identity and access management, multi-factor authentication, employee cybersecurity awareness, backup protection, encryption, perimeter defence, mobile device protection, and the secure use of cloud services and outsourced information technology services. The controls establish a foundational security baseline intended to reduce the likelihood and impact of compromise, service disruption, data loss, and unauthorized access.

For SAP customers, the certification demonstrates that Layer Seven Security maintains robust internal security governance and operational safeguards. Certification under a government-backed national program provides assurance for vendor due diligence, third-party risk assessment, and procurement requirements.

For organizations that rely on Layer Seven Security to support SAP cybersecurity monitoring, compliance automation, and threat detection, the certification supports supply chain assurance and operational resilience. Certification provides customers with confidence in Layer Seven Security as a trusted cybersecurity partner operating within an independently validated control framework.

SAP Security Notes, March 2026

Hot news note 3698553 patches a critical command injection vulnerability in Apache Log4j bundled in SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar can be deleted from the {FS-QUO-scheduler}/lib directory.

Hot news note 3714585 addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. The vulnerability can lead to malicious remote code execution through the upload of user-supplied content. The fix in the note validates input before processing to secure deserialization logic. The fix is only available for NetWeaver AS Java 7.50. For earlier versions that are no longer maintained by SAP, please refer to note 3660659 – Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java. You can also restrict access to privileges that provide access to the vulnerable endpoint. This includes the UME group Administrators, UME role Administrator, and Portal roles super_admin_role, system_admin_role, and content_admin_role.

Note 3719502 patches a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The note applies input validation for calls to a specific vulnerable RFM to prevent excessive resource consumption. Calls to the vulnerable RFM are monitored by the Cybersecurity Extension for SAP.

The remaining 11 security notes released this month address medium-priority issues in various SAP products. This includes SSRF and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP (notes 3689080, 3704740, and 3703856).

State-Sponsored Cyber Attacks: An Increasing Threat to SAP Solutions

State-sponsored cyber attacks are an increasing threat to organizations amid rising geopolitical tensions. According to the 2025 State of Information Security Report, 88% of cybersecurity and information security leaders express concern over state-sponsored cyber attacks. The concerns are driven by recent dramatic increases in the volume of threat activity attributed to state-sponsored threat actors.

According to the CrowdStrike 2025 Global Threat Report, China-nexus threat activity increased by 150% across sectors, with 200–300% increases in key industries including financial services, media, manufacturing, and engineering. CrowdStrike also identified seven new China-nexus adversaries, indicating broader and more specialized operations. The 2026 Global Threat Report reported a 266% increase in intrusions by state-nexus threat actors in cloud environments.

The 2025 Digital Defense Report from Microsoft identified a significant escalation in Russian state-linked cyber operations directed at NATO-aligned countries, reporting a 25% year-over-year increase in activity. The report indicates that Russian threat actors are prioritizing sectors with high intelligence and geopolitical value, including government, research and academia, and IT, reflecting a sustained effort to collect intelligence, shape decision-making, and support hybrid warfare objectives.

The 2025 M-Trends Report from Mandiant identified a 35% increase in malware attributed to Iran-nexus threat actors and 45 new malware strands attributed primarily to state-sponsored actors.

A 2026 report by the Google Threat Intelligence Group highlighted that nation-state actors are not just targeting IT infrastructure within critical sectors, but often personally identifiable information that can provide a pathway to targeting individuals.

The increase in nation-state cyber activity disproportionately impacts SAP environments that support mission-critical processes, store and process high-value data, and offer privileged integration paths to other critical solutions. Compromising SAP systems can enable state-sponsored threat actors to perform espionage by accessing and exfiltrating sensitive data, and sabotage by interrupting the availability of critical resources. Breaches can also be used to pivot to connected systems and compromise internal and external supply chains.

The risks are amplified by the wide attack surface of many SAP solutions. This includes Application Programming Interfaces (APIs) that extend beyond internal network boundaries, cross-platform dependencies including database and OS platforms and middleware such as connectors, integration with federated identity providers, and internal trust relationships.

The risks are also increased by the volume of vulnerabilities in SAP solutions and challenges in patching SAP environments to address the root causes of vulnerabilities. According to the 2026 CrowdStrike Global Threat Report, 42% of vulnerabilities are exploited before public disclosure. Research released in 2025 indicated that threat actors are exploiting SAP security vulnerabilities within 72 hours of disclosure. The average time to apply security notes to patch SAP vulnerabilities in organizations is typically measured in weeks and months, rather than hours and days.

Nation-state actors often prefer access paths that blend into legitimate administrative behavior. In SAP landscapes, this can mean abuse of:

  • Trusted communications
  • Change management and system administration
  • Batch/background jobs
  • Transport processes
  • Service accounts
  • Remote support channels

Therefore, it is critical to identify and address:

  • Weakly governed RFC destinations, including over-privileged service users
  • Insecure, unencrypted RFC and web-based communications
  • Poorly restricted gateway registrations and access control for external program starts
  • Over-exposed ICF services
  • Unnecessary trusted system relationships
  • Excessive administrative privileges including broad RFC authorizations

In order to support detection, SAP telemetry should be integrated and correlated with telemetry from other endpoints to distinguish between normal SAP events and malicious actions. Also, anomaly-based monitoring is recommended to detect unusual system and user events.

The Cybersecurity Extension for SAP (CES) enables organizations to detect and respond to state-sponsored cyber threats in real time by combining continuous vulnerability management and threat detection for SAP solutions. CES is designed specifically for SAP landscapes (on-premise, cloud, and hybrid) and delivers real-time security intelligence to identify vulnerabilities and indicators of compromise in SAP applications and infrastructure. It monitors a broad set of SAP telemetry sources including SAP and infrastructure logs, providing security teams with deeper context than generic non-SAP specific tools that focus on network and host-level activity.

A key advantage for defending against advanced threats is the solution’s ability to reduce the attack surface to prevent exploitation. It performs scheduled scans for thousands of SAP vulnerabilities and misconfigurations, detects users with administrative privileges, and provides practical remediation guidance and workarounds to harden systems. CES also detects required SAP security notes including patches for Known Exploited Vulnerabilities for SAP in the CISA KEV catalog.

CES uses both pattern matching and anomaly detection to detect indicators of compromise in SAP solutions. Alerts for security incidents are integrated with enterprise SIEM platforms for cross-network analysis and correlation, enabling SOC teams to connect SAP activity with events from firewalls, endpoints, identity systems, and other infrastructure.

SAP Security Notes, February 2026

Hot news note 3697099 patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. The vulnerability can be exploited by attackers to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the ICF service CRM_IC_ISE in the sap/bc/bsp/sap service path.

Hot news note 3674774 addresses a critical missing authentication check impacting background RFCs in SAP NetWeaver AS ABAP. In addition to applying the recommended support package, profile parameter rfc/authCheckInPlayback should be set to the value 2 to enable stronger authorization checks for transactional (tRFC) and queued RFC (qRFC) calls.

Note 3697567 enhances verification procedures for XML signatures to address an XML Signature Wrapping vulnerability in NetWeaver AS ABAP. As a workaround, the vulnerable XML verification mechanisms can be avoided by disabling SAML and switching to alternative authentication methods.

Note 3705882 patches an information disclosure vulnerability in the ST-PI Addon installed in NetWeaver AS ABAP systems. The vulnerability can be exploited to obtain sensitive system information.

Notes 3674246, 3678282 and 3654236 address open redirect and denial of service vulnerabilities in SAP BusinessObjects.

Digital Operational Resilience Act (DORA) Compliance for SAP Solutions

The Digital Operational Resilience Act (DORA) is a regulation that mandates standards for cybersecurity and operational resilience in the financial sector within the European Union (EU). It provides standards for governing risks in Information and Communications Technology (ICT) to ensure banks, insurers, investment firms, and other financial institutions are able to deliver critical services by effectively resisting, responding and recovering from ICT disruptions. The act took effect on January 17, 2025, with oversight from the European Supervisory Authorities EBA, ESMA, and EIOPA, to define and enforce technical standards for the regulation.

The Five Pillars of DORA

DORA’s core objective is to support the integrity and continuity of financial services against ICT risks including cyberattacks. The regulation includes the following five pillars:

  1. Risk Management: a comprehensive governance and control framework covering ICT asset inventory, protection, detection, response, recovery, backup, logging and monitoring, change management, and resilience-by-design.
  2. Incident Management and Reporting: consistent handling of ICT incidents and mandatory reporting of major incidents.
  3. Operational Resilience Testing: vulnerability assessments and penetration testing focused on critical functions.
  4. Third-Party Risk Management: oversight for ICT vendors and providers including outsourced services.
  5. Information Sharing: mechanisms to share cyber threat information and intelligence to strengthen sector-wide resilience.

The Impact of DORA for SAP Solutions

For many financial services organizations, SAP solutions support critical functions such as procurement and supplier operations, human resource management, and finance and controlling. Therefore, they are often part of the ICT fabric that must be governed, monitored, tested, and recoverable for DORA compliance. Under DORA, SAP solutions require tight integration with:

  • ICT Risk Governance, including the definition of key risk indicators and controls testing.
  • SOC Operations, including detection, triage, and handling of incidents.
  • Service Management, including approvals, evidence, and testing for changes.
  • Supplier Management, including managing hosting providers, system integrators, and external integrations such as APIs.

DORA effectively obliges organizations to manage SAP solutions as regulated platforms, requiring baseline controls, continuous monitoring, regular patching, frequent testing, and periodic reporting.

DORA Compliance with the Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP (CES) enables organizations to comply with DORA by identifying and managing ICT risks in SAP solutions, detecting and responding to security incidents, securing third party integrations, and verifying and reporting compliance with SAP security benchmarks. The solution supports compliance with each of the five pillars in DORA for SAP systems.

Pillar 1 – Risk Management

  • Continuous SAP security monitoring including the detection of security-related changes in SAP solutions.
  • SAP-specific vulnerability management including the detection of 5000+ security weaknesses in SAP.
  • Custom code security including the detection of 300+ vulnerabilities in custom ABAP programs and SAP UI5 / Fiori applications.
  • SAP patch management including the detection of relevant security notes and support packages.
  • Alignment to SAP-specific baselines and cloud hardening benchmarks including the SAP Security Baseline, security guidance for S/4HANA, and SAP RISE/ECS mandatory security requirements.

Pillar 2 – Incident Management and Reporting

  • Threat detection: Detection and alerting for 1500+ Indicators of Compromise (IOC) in SAP solutions including application, database and host-level logs.
  • Risk-based prioritization of SAP alerts based on operational impact for rapid classification.
  • Standard operating procedures and workflows for investigating, tracking and reporting on incident investigations.

Pillar 3 – Operational Resilience Testing

  • Compliance monitoring and baseline checks to validate SAP hardening.
  • Threat detection exercises for SAP attack paths including privilege escalation, interface abuse, suspicious admin changes, and calls to critical SAP function modules, reports, services, and transactions.
  • Daily vulnerability scanning to support risk identification and mitigation.

Pillar 4 – Third-Party Risk Management

  • Visibility into external interfaces in SAP solutions including cloud connections.
  • Evidence for SAP RISE / managed-service security requirements.
  • Accountability for system integrators against SAP security standards.

Pillar 5 – Information Sharing

  • SAP-specific security intelligence including threat detection patterns, CVEs, and zero-day vulnerabilities.
  • Standardized reporting for information sharing with cross-functional teams and sector forums.

The Cybersecurity Extension for SAP supports digital resilience and DORA compliance by ensuring security for SAP solutions is measurable, monitored, and audit-ready. It provides continuous evidence of SAP hardening, while strengthening operational resilience through incident detection, streamlined response, and reduced exposure to cyber risks.

SAP Security Notes, January 2026

Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The solution in the note prevents the injection of user-controlled input in SQL queries using input validation to remove the vulnerability. A workaround is also detailed in the note. Access to vulnerable function modules in function group FGL_BCF should be restricted using authorization object S_RFC. According to the note, the function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces.

Hot news note 3694242 deals with another critical vulnerability in SAP S/4HANA that can be exploited to execute arbitrary ABAP code and OS commands and bypass authorization checks. The vulnerability effectively functions as a backdoor, leading to the risk of full system compromise. The correction in the note removes the vulnerable code. Although a workaround is not included in the note, it is also possible to use authorization object S_RFC to temporarily address the vulnerability by restricting access to the affected function group.

Note 3697979 addresses a similar critical ABAP code/OS command injection vulnerability in SAP Landscape Transformation.

Note 3668679 patches a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager. The vulnerability can be exploited to execute commands in workstations using malicious JNLP (Java Network Launch Protocol) files accessible via URLs. Wily Enterprise Manager should be upgraded to version 10.8 SP01 Patch 2 ([PRIVATE_IP].220) to remove the vulnerability.

Note 3691059 fixes a privilege escalation vulnerability in SAP HANA that can be exploited by attackers to gain administrative access to the database. The correction in the note prevents unauthorized user switching to remove the root cause of the vulnerability.

Notes 3675151 and 3688703 deal with high-risk OS command and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP.

Note 3565506 addresses multiple vulnerabilities in the SAP Fiori Application Intercompany Balance Reconciliation. The impacted components include S4CORE in SAP S/4HANA.

Key Security Findings from the RISE with SAP 2025 Benchmark Report

SAPinsider’s RISE with SAP 2025 benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping migration decisions. From a security standpoint, the most material finding is broad customer non-compliance with the shared model of responsibility, and more specifically, failure to implement and sustain SAP’s mandatory security hardening requirements documented in relevant SAP notes for SAP systems operating in SAP’s cloud delivery model.

Broad Non-Compliance with Customer Security Responsibilities

The report identifies a significant gap between SAP’s cloud security expectations and customer execution. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration, access controls, and compliance with SAP-defined hardening standards.

Two key findings stand out:

  • Less than half (45%) of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private security.
  • Approximately one-third are aware of the model but do not follow it rigorously, indicating that a majority of organizations either do not fully understand or are not consistently executing their responsibilities.

This is not a minor administrative gap. The report explicitly warns that failure to follow both the shared responsibility model and SAP’s mandatory hardening requirements leaves systems open to attack. For leadership teams, the implication is straightforward: cloud migration does not transfer accountability for SAP security outcomes to SAP. If required customer-side controls are not implemented and maintained, the organization bears the risk.

Hardening Requirements Are Frequently Missed

The report goes beyond general security awareness and points to a more specific and operational problem: customers running SAP Cloud ERP Private in SAP’s cloud delivery environment must comply with SAP’s mandatory security parameters and hardening requirements, as documented in relevant SAP notes for ABAP, HANA and Java systems and related components. This includes notes 3250501, 3480723 and 3381209.

The report underscores that non-compliance with these requirements materially increases exposure. In business terms, required hardening defines baseline expectations for how SAP systems must be configured to reduce preventable attack paths. Failure to apply those settings—consistently and over time—creates vulnerabilities that can persist in SAP solutions.

Compliance Is a Moving Target

A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, platform changes, and evolving best practices. As a result, a system that was compliant at go-live may drift out of compliance over time even without major architectural change.

This creates a practical operational risk: compliance must be managed as an ongoing discipline, not a one-time implementation deliverable. Organizations need repeatable processes to track new and updated SAP security guidance, assess its applicability, validate their current posture, and remediate gaps across their SAP landscapes.

Business Risk of Non-Compliance: Support, Liability, and Exposure

The consequences of non-compliance extend beyond technical risk and into contractual and legal exposure:

  • Support risk: When hardening requirements and mandatory parameters are not implemented, incident response becomes more complicated. In high-severity security situations, customers may face delays and friction in diagnosis and remediation, and their position with SAP support can be weakened if the environment is not aligned with required security standards.
  • Legal and regulatory risk: In the event of a data breach, organizations are often required to demonstrate that they followed vendor-prescribed security requirements and reasonable security practices. If an organization cannot demonstrate compliance with SAP’s documented security hardening guidance, it can weaken the company’s defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, litigation, and reputational harm. Ultimately, under a shared responsibility model, the customer retains accountability—and therefore liability—for customer-controlled security controls.

Additional Survey Indicators Relevant to Security Posture

Although the report is broader than security, several survey results reinforce the importance of establishing a robust cloud security operating model:

  • 80% of respondents identify comprehensive monitoring to ensure system health and security as a key requirement for their ERP transformation and innovation initiatives.
  • 79% indicate the need for best-practice compliance checks that avoid outages, underscoring that organizations see compliance and stability as tightly linked.

These findings align with the report’s security message: maintaining control effectiveness requires continuous monitoring and governance, not periodic reviews.

How the Cybersecurity Extension for SAP from Layer Seven Security Addresses These Challenges

The report’s core security finding—customer non-compliance with evolving security requirements—directly aligns with the capabilities of Layer Seven Security’s Cybersecurity Extension for SAP. The solution is designed to help organizations operationalize their security responsibilities in SAP RISE / Cloud ERP environments where configuration, compliance, and threat conditions change over time.

At a business level, it supports three outcomes:

  1. Continuous monitoring against current hardening requirements: Automated checks against SAP security baselines help identify non-compliance as SAP standards evolve, rather than relying on periodic manual reviews.
  2. Reduced risk from compliance drift: Ongoing visibility into configuration posture helps prevent gradual degradation of security controls due to system change, integration expansion, or operational turnover.
  3. Improved audit and support readiness: Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective engagement during incidents and escalations.

This approach acknowledges the operational reality emphasized by the report: compliance is a moving target, and organizations need a sustainable mechanism to remain aligned to SAP’s required security standards.

Key Takeaways

The most significant security issue identified in the SAPinsider RISE with SAP 2025 report is customer non-compliance. A majority of organizations are not fully executing their responsibilities under the shared security model, and the most consequential example is failure to comply with SAP’s mandatory hardening requirements documented in SAP notes. Because these requirements evolve over time, compliance must be treated as an ongoing operational discipline—supported by clear accountability, continuous monitoring, and repeatable remediation processes—to reduce operational, legal, and reputational risk in SAP Cloud ERP Private environments.

The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at SAPinsider.

SAP Security Notes, December 2025

Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels for Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the relevant vulnerable remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommission Solution Manager (SolMan) installations. The end of maintenance for SolMan is scheduled for December 31, 2027. SolMan is no longer required for the Cybersecurity Extension for SAP.

Hot news note 3685286 addresses a critical deserialization vulnerability in SAP jConnect – SDK for ASE (CVE-2025-42928). The vulnerability can be exploited by attackers to execute malicious code. The solution disables the serialization and deserialization of vulnerable input values in SAP jConnect for JDBC Driver. The note includes patches for SAP ASE versions 16.0 and 16.1.

Hot news note 3683579 delivers fixes for multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754 and CVE-2025-55752).

Note 3684682 addresses a high risk information disclosure vulnerability in the SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878). The vulnerability can lead to the exposure of internal testing interfaces that are not intended for production. The parameter icm/HTTP/icm_test_<x> should be removed from system profiles to mitigate the vulnerability. This includes DEFAULT and instance profiles.
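The profile check described for note 3684682 can be automated. The following is an added example, not code from SAP or Layer Seven Security: it scans profile files for active icm/HTTP/icm_test_<x> entries, assuming plain-text profiles in "name = value" form with "#" comment lines. The sample profiles, SID, host name, and parameter values are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Active profile line that sets icm/HTTP/icm_test_<x>. Anchoring at the start
# of the line means commented-out ("#") entries are not reported.
ICM_TEST = re.compile(r"^\s*(icm/HTTP/icm_test_\w+)\s*=\s*(.*?)\s*$")

def find_icm_test_params(profile_text):
    """Return (line_no, parameter, value) for each active icm_test entry."""
    hits = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        match = ICM_TEST.match(line)
        if match:
            hits.append((line_no, match.group(1), match.group(2)))
    return hits

def scan_profile_dir(profile_dir):
    """Scan every file in the directory: DEFAULT and all instance profiles."""
    findings = {}
    for path in sorted(Path(profile_dir).iterdir()):
        if path.is_file():
            hits = find_icm_test_params(path.read_text(errors="replace"))
            if hits:
                findings[path.name] = hits
    return findings

# Constructed sample profiles; SID, host name and values are placeholders.
SAMPLE_PROFILES = {
    "DEFAULT.PFL": "SAPSYSTEMNAME = ABC\n"
                   "icm/HTTP/icm_test_0 = <constructed-value>\n",
    "ABC_D00_host1": "# icm/HTTP/icm_test_1 = <constructed-value>\n"
                     "icm/server_port_0 = PROT=HTTPS,PORT=44300\n"
                     "  icm/HTTP/icm_test_2=<constructed-value>\n",
    "ABC_ASCS01_host1": "rdisp/mshost = host1\n",
}

def demo():
    """Write the constructed profiles to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_PROFILES.items():
            Path(tmp, name).write_text(text)
        return scan_profile_dir(tmp)

if __name__ == "__main__":
    for profile, hits in demo().items():
        for line_no, name, value in hits:
            print(f"{profile}:{line_no}: remove {name} = {value}")
```

Point scan_profile_dir at the system's profile directory to cover DEFAULT and instance profiles in one pass; any finding is a line to remove.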

Note 3677544 patches a memory corruption vulnerability in SAP Web Dispatcher, ICM and SAP Content Server (CVE-2025-42877).

Note 3640185 fixes a denial of service (DoS) vulnerability in the remote service for Xcelsius in SAP NetWeaver (CVE-2025-42874). The service allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control.

Note 3672151 patches a missing authorization check impacting the General Ledger in the Financial module of SAP S/4HANA (CVE-2025-42876). The vulnerability could enable an attacker with access to a single company code to read sensitive data and post or modify documents across all company codes.

What’s New in the Cybersecurity Extension for SAP Version 2.0

Building upon the successful release of the initial version of the NetWeaver Edition of the Cybersecurity Extension for SAP earlier this year, Layer Seven Security is pleased to announce the upcoming availability of version 2.0. The new release includes important enhancements including support for SAP NetWeaver AS Java, anomaly detection to identify unusual or suspicious activity, the addition of more than 400 new threat detection patterns, and updates for SAP compliance frameworks including the SAP Security Baseline, S/4HANA Security Guide, and mandatory security requirements for SAP RISE / Cloud ERP. The enhancements significantly improve protection for business-critical SAP solutions against advanced cyber threats.

SAP NetWeaver AS Java

The new release of the Cybersecurity Extension for SAP provides coverage for SAP NetWeaver AS Java solutions such as the SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (SAP IdM). Version 2.0 supports vulnerability management for AS Java systems including components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). It also supports the automated discovery of relevant SAP Security Notes for AS Java systems. This includes SAP Java notes for Known Exploited Vulnerabilities (KEV) reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Finally, the new release supports monitoring for AS Java logs to detect and alert for security incidents such as user and role changes, system changes, calls for vulnerable servlets including the invoker servlet, and patterns to detect the potential exploitation of AS Java vulnerabilities such as RECON, Log4J and the recent vulnerability detailed in CVE-2025-31324, impacting the SAP NetWeaver Visual Composer Metadata Uploader.

Anomaly Detection

Anomaly detection is a powerful method for detecting potential zero-day attacks without known signatures, brute force attacks, and advanced persistent threats that are difficult to detect using conventional pattern matching techniques. It can also detect insider threats such as privilege abuse or escalation, fraud, and suspicious user actions that deviate from normalized patterns of behavior. Although the Solution Manager Edition of the Cybersecurity Extension for SAP supported anomaly detection for SAP solutions, this feature was not included in the initial release of the NetWeaver Edition. Version 2.0 includes full enablement of anomaly detection in the NetWeaver Edition.

Threat Detection

Version 2.0 of the Cybersecurity Extension for SAP includes a significant increase in the volume of threat detection patterns for SAP solutions. It delivers more than 400 new patterns to detect Indicators of Compromise (IOC) in various SAP logs. This includes calls to vulnerable function modules and reports, suspicious file downloads, access to critical tables, directory traversal exploits, and dangerous transaction starts. The addition strengthens the position of the Cybersecurity Extension for SAP as the leading threat detection solution for SAP solutions in terms of coverage. The most recent version of the solution includes more than 1500 threat detection patterns. In comparison, the current version of SAP Enterprise Threat Detection (ETD) includes approximately 200 patterns.

SAP Security Compliance

The Cybersecurity Extension for SAP automates compliance audits for SAP solutions. The solution discovers compliance gaps against multiple security frameworks including GDPR, NIST, SOX and PCI-DSS. It also monitors compliance with SAP security standards such as the SAP Security Baseline, the Security Guide for SAP S/4HANA, and mandatory security requirements for SAP RISE / Cloud ERP solutions defined by SAP Enterprise Cloud Services (ECS). Version 2.0 aligns compliance checks with the latest SAP benchmarks. This includes version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions defined in the latest version of note 3250501, the new version extends coverage for SAP RISE / Cloud ERP checks to include SAP HANA and SAP AS Java solutions. The requirements for these areas are defined in SAP notes 3480723 and 3381209.

What to Expect in Version 3.0

Key updates for the next release of the NetWeaver Edition of the Cybersecurity Extension for SAP include:

  • Support for SAP BTP and SAP Cloud Connector
  • Support for SAProuter and Web Dispatcher
  • Support for RHEL & SUSE OS monitoring including vulnerability scanning and log monitoring
  • Email notifications for security alerts
  • Report automation including scheduling and distribution

The updates will align the capabilities of the NetWeaver Edition with the Solution Manager Edition, enabling existing customers to transition smoothly to the latest platform without any loss in coverage or functionality.

Looking Ahead to 2026

Next year’s roadmap for the Cybersecurity Extension for SAP includes planned enhancements that will improve the user experience and reinforce its standing as the leading cybersecurity solution for SAP systems. This includes:

  • Support for SAP SuccessFactors
  • Support for SAP S/4HANA Public Edition
  • Data Loss Protection (DLP) including threat detection patterns and alerts for unauthorized access to sensitive data in SAP solutions
  • Extended checks for critical access and segregation of duties in SAP S/4HANA including a dedicated application to support cross-application user access and role analysis

We extend our best wishes for a Happy Thanksgiving to our customers in the United States and look forward to supporting you in the months ahead.