What’s New in the Cybersecurity Extension for SAP, Version 5.3
The new release of the Cybersecurity Extension for SAP (CES) is in general availability and includes several important enhancements for SAP vulnerability management and threat detection.
Version 5.3 includes patterns for detecting indicators of compromise in the SAP Cloud Connector. The Connector is an agent that links SAP BTP applications with on-premise SAP systems. As a reverse proxy, it enables internal systems to connect securely with BTP services without exposing the systems to direct external access. The new release of CES includes alerts for security-related events in the Cloud Connector including configuration changes, changes to the Administrator account including passwords, changes to connected BTP subaccounts and backend systems, the activation of traces, settings for logging and auditing, role changes, certificates, LDAP, SNC, and other areas. application changes, remote logins, role changes, role grants to users, and cloud transports. The alerts can be integrated with SIEM solutions for centralized monitoring.
The new release also supports concurrent compliance analysis for multiple systems and includes updates for the SAP RISE, SAP Security Baseline and HIPAA frameworks. Mandatory security parameters and hardening requirements for SAP RISE customers were updated by SAP Enterprise Cloud Services (ECS) in June.
Version 5.3 includes the emergency updates that were released earlier for CVE-2025-31324. This includes patterns for the detection of attempted and successful exploitation of the zero-day vulnerability in SAP AS Java.
Extended checks have been introduced for the execution and logging of OS commands performed using the sapxpg program. sapxpg is a program controller that executes external programs and commands from SAP at the OS level.
Finally, version 5.3 includes checks for the discovery of out-of-maintenance software components in SAP solutions. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11 2019 and extended the previous coverage period for support packages from 18 months. There are some exceptions to the rule, including SAP HANA, BW/4HANA, and SAP Kernel. The impact of the rule is that software components patched up to SP levels where the support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.