RedRays – Your SAP Security Solution
https://redrays.io/

SAP Security Patch Day – March 2026
https://redrays.io/blog/sap-security-patch-day-march-2026/
Tue, 10 Mar 2026 04:32:51 +0000

SAP has released its March 2026 security patch package containing 15 security notes addressing vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.8, one High priority issue, eleven Medium priority fixes, and one Low priority update. The patches affect SAP NetWeaver, SAP Business One, SAP Supply Chain Management, SAP Business Warehouse, and other application components. Six of these vulnerabilities were identified by the RedRays research team using our ABAP Code Scanner.

Total Security Notes: 15
HotNews Critical: 2
High Priority: 1
Medium Priority: 11
Low Priority: 1
Found by RedRays: 6

Executive Summary

  • Critical Code Injection: CVE-2019-17571 (CVSS 9.8) in SAP Quotation Management Insurance application (FS-QUO) leverages a known Apache Log4j 1.2 deserialization flaw, allowing unauthenticated remote code execution with complete system compromise.
  • Critical Insecure Deserialization: CVE-2026-27685 (CVSS 9.1) in SAP NetWeaver Enterprise Portal Administration enables high-privileged attackers to exploit deserialization to achieve arbitrary code execution with cross-scope impact.
  • Supply Chain DoS: CVE-2026-27689 (CVSS 7.7) in SAP Supply Chain Management allows authenticated attackers to cause denial of service with high availability impact.
  • SQL Injection: CVE-2026-27684 (CVSS 6.4) in SAP NetWeaver Feedback Notification, discovered by RedRays, enables SQL injection attacks with cross-scope impact on confidentiality and availability.

Vulnerabilities Discovered by RedRays

RedRays ABAP Code Scanner

Six vulnerabilities in this Patch Day were discovered by RedRays ABAP Code Scanner and responsibly disclosed to SAP through our coordinated vulnerability disclosure process.

These findings were identified using the RedRays ABAP Code Scanner, our automated static analysis tool designed to detect security issues in custom ABAP code before they reach production.

  • 6.4 CVE-2026-27684 SQL Injection in SAP NetWeaver (Feedback Notification)
  • 6.4 CVE-2026-24316 SSRF in SAP NetWeaver Application Server for ABAP
  • 6.4 CVE-2026-24309 Missing Authorization check in SAP NetWeaver Application Server for ABAP
  • 5.9 CVE-2026-27686 Missing Authorization check in SAP Business Warehouse (Service API)
  • 5.0 CVE-2026-27688 Missing Authorization check in SAP NetWeaver Application Server for ABAP
  • 3.5 CVE-2026-24310 Missing Authorization check in SAP NetWeaver Application Server for ABAP

Critical HotNews Vulnerabilities

Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)

9.8 CVE-2019-17571 FS-QUO Code Injection
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Critical code injection vulnerability in SAP Quotation Management Insurance application leveraging a known Apache Log4j 1.2 deserialization flaw. Unauthenticated remote attackers can execute arbitrary code without any user interaction, leading to complete compromise of confidentiality, integrity, and availability.

SAP Note 3698553 — emergency patch required immediately.

Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

9.1 CVE-2026-27685 BC-PIN-PCD Insecure Deserialization
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Critical insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration allows high-privileged attackers to inject malicious serialized objects. Successful exploitation leads to cross-scope impact with complete compromise of confidentiality, integrity, and availability across the portal environment.

SAP Note 3714585 — patch within 24 hours.

High Priority Security Issues

Denial of service (DOS) in SAP Supply Chain Management

7.7 CVE-2026-27689 SCM-APO-INT-EXT DoS
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Denial of service vulnerability in SAP Supply Chain Management allows authenticated attackers to disrupt service availability with cross-scope impact. High severity threat to business continuity and supply chain operations.

SAP Note 3719502 — apply high priority patch.

Medium Priority Vulnerabilities

SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification)

6.4 CVE-2026-27684 CA-NO SQL Injection RedRays
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

SQL injection vulnerability in SAP NetWeaver (Feedback Notification) allows authenticated attackers to inject malicious SQL statements, leading to cross-scope impact on confidentiality and availability of business-critical data.

SAP Note 3697355 — schedule patch.

Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

6.4 CVE-2026-24316 BC-TWB-TST-ECA SSRF RedRays
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Server-Side Request Forgery vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated attackers to forge requests from the server to access internal services and resources with cross-scope impact on confidentiality and integrity.

SAP Note 3689080 — schedule patch.

Missing Authorization check in SAP NetWeaver Application Server for ABAP

6.4 CVE-2026-24309 BC-DB-ORA-CCM Missing Auth RedRays
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to bypass authorization controls with cross-scope impact on system integrity and availability.

SAP Note 3703856 — apply update.

DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service)

6.1 CVE-2026-0489 SBO-CRO-SEC XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

DOM-based Cross-Site Scripting vulnerability in SAP Business One (Job Service) allows unauthenticated attackers to inject malicious scripts through DOM manipulation, leading to cross-scope impact on confidentiality and integrity when users interact with crafted content.

SAP Note 3693543 — schedule patch.

Missing Authorization check in SAP Business Warehouse (Service API)

5.9 CVE-2026-27686 BC-BW Missing Auth RedRays
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Missing authorization check in SAP Business Warehouse (Service API) allows authenticated attackers to bypass access controls under complex conditions, with impact on integrity and high impact on availability of BW services.

SAP Note 3703385 — schedule update.

Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

5.8 CVE-2026-27687 PY-PT Missing Auth
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal allows high-privileged attackers to access sensitive HR data under complex conditions with cross-scope impact on confidentiality.

SAP Note 3701020 — apply patch.

Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0

5.6 CVE-2026-24311 IS-SE-CCO Insecure Storage
CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

Insecure storage protection vulnerability in SAP Customer Checkout 2.0 allows attackers with physical access and high privileges to access protected data, with high impact on confidentiality and integrity of checkout systems.

SAP Note 3708457 — schedule update.

Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

5.0 CVE-2026-24313 SV-SMG-SDD Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Missing authorization check in SAP Solution Tools Plug-In (ST-PI) allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.

SAP Note 3707930 — apply fix.

Missing Authorization check in SAP NetWeaver Application Server for ABAP

5.0 CVE-2026-27688 BC-DB-SDB Missing Auth RedRays
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.

SAP Note 3704740 — apply fix.

DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT

5.0 CVE-2026-24317 BC-FES-GXT DLL Hijacking
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT allows attackers to load malicious DLL files when users launch the application, leading to low impact on confidentiality, integrity, and availability.

SAP Note 3699761 — maintenance window.

Denial of Service due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Services)

4.3 Multiple CVEs BC-SRV-FP DoS
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Multiple denial of service vulnerabilities due to an outdated OpenSSL version in SAP NetWeaver AS Java (Adobe Document Services) allow authenticated attackers to disrupt document processing with low impact on availability.

SAP Note 3700960 — routine update.

Low Priority Security Updates

Missing Authorization check in SAP NetWeaver Application Server for ABAP

3.5 CVE-2026-24310 BC-DB-INF Missing Auth RedRays
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to access limited system information under complex conditions with cross-scope confidentiality impact.

SAP Note 3694383 — regular maintenance cycle.

SAP Security Patch Day February 2026
https://redrays.io/blog/sap-security-patch-day-february-2026/
Tue, 10 Feb 2026 08:04:00 +0000

SAP has released its February 2026 security patch package containing 27 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.9, seven High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect SAP CRM, SAP S/4HANA, SAP NetWeaver, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, and various application components. RedRays ABAP Code Scanner did not identify new vulnerabilities in this release cycle.

Total Security Notes: 27
HotNews Critical: 2
High Priority: 7
Medium Priority: 16
Low Priority: 2

Executive Summary

  • Critical Code Injection: CVE-2026-0488 (CVSS 9.9) in SAP CRM and SAP S/4HANA Scripting Editor allows authenticated attackers to inject and execute malicious code with cross-scope impact on confidentiality, integrity, and availability.
  • Missing Authorization: CVE-2026-0509 (CVSS 9.6) in SAP NetWeaver Application Server ABAP and ABAP Platform enables authenticated users with low privileges to bypass authorization controls with cross-scope impact on integrity and availability.
  • XML Signature Wrapping: CVE-2026-23687 (CVSS 8.8) in SAP NetWeaver AS ABAP and ABAP Platform allows authenticated attackers to manipulate XML signatures leading to complete system compromise.
  • Multiple DoS Vulnerabilities: Seven vulnerabilities affecting SAP BusinessObjects BI Platform and SAP Supply Chain Management enable denial of service attacks with high impact on availability.

Critical HotNews Vulnerabilities

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

9.9 CVE-2026-0488 CRM-IC-FRW Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) allows authenticated attackers with low privileges to inject and execute arbitrary code. This maximum severity flaw enables complete system compromise with cross-scope impact on confidentiality, integrity, and availability of business-critical data.

SAP Note 3697099 — emergency patch required immediately.

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

9.6 CVE-2026-0509 BC-MID-RFC Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Critical missing authorization check vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated users with low privileges to bypass authorization controls and perform unauthorized actions. Successful exploitation leads to cross-scope impact with high severity on system integrity and availability.

SAP Note 3674774 — patch within 24 hours.

High Priority Security Issues

XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

8.8 CVE-2026-23687 BC-SEC-WSS XML Signature Wrapping
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

High severity XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform allows authenticated attackers to manipulate XML signatures. Successful exploitation leads to complete compromise of confidentiality, integrity, and availability of affected systems.

SAP Note 3697567 — high priority patch within 48 hours.

Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

7.7 CVE-2026-24322 SV-SMG-SDD Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Missing authorization check in SAP Solution Tools Plug-In (ST-PI) allows authenticated attackers to access sensitive system information with cross-scope impact. High severity vulnerability affecting confidentiality of system data.

SAP Note 3705882 — schedule urgent patch.

Denial of service (DOS) in SAP Supply Chain Management

7.7 CVE-2026-23689 SCM-APO-CA-COP DoS
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Denial of service vulnerability in SAP Supply Chain Management allows authenticated attackers to disrupt service availability with cross-scope impact. High severity threat to business continuity and supply chain operations.

SAP Note 3703092 — apply high priority patch.

Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform

7.5 CVE-2026-0485 BI-BIP-SRV DoS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Unauthenticated denial of service vulnerability in SAP BusinessObjects BI Platform enables remote attackers to disrupt business intelligence services without authentication, causing high impact on system availability.

SAP Note 3678282 — high priority update.

Denial of service (DOS) in SAP BusinessObjects BI Platform

7.5 CVE-2026-0490 BI-BIP-SRV DoS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Additional unauthenticated denial of service vulnerability in SAP BusinessObjects BI Platform allows remote attackers to disrupt reporting and analytics services with high availability impact.

SAP Note 3654236 — high priority patch.

Race Condition in SAP Commerce Cloud

7.4 CVE-2025-12383 CEC-SCC-PLA-PL Race Condition
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Race condition vulnerability in SAP Commerce Cloud allows unauthenticated attackers to exploit timing windows and compromise confidentiality and integrity of e-commerce operations under complex attack conditions.

SAP Note 3692405 — apply high priority patch.

Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform

7.3 CVE-2026-0508 BI-BIP-SEC Open Redirect
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Open redirect vulnerability in SAP BusinessObjects Business Intelligence Platform allows high-privileged attackers to redirect users to malicious sites with cross-scope impact on confidentiality and integrity under complex attack conditions.

SAP Note 3674246 — schedule patch.

Medium Priority Vulnerabilities

Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform (AdminTools)

6.5 CVE-2026-24324 BI-BIP-SRV DoS
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Denial of service vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) allows authenticated attackers to disrupt administrative functions with high impact on system availability.

SAP Note 3695912 — schedule patch.

Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA

6.5 CVE-2026-0484 BC-DWB-CEX-CF Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA allows authenticated attackers to modify system data with high impact on integrity.

SAP Note 3672622 — apply update.

Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)

6.1 CVE-2026-24328 SV-SMG-TWB-CBT Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) allows unauthenticated attackers to redirect users to malicious sites with cross-scope impact on confidentiality and integrity.

SAP Note 3688319 — maintenance window.

Multiple vulnerabilities in BSP Applications of SAP Document Management System

6.1 CVE-2026-0505 CA-DMS-OP Multiple
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Multiple security vulnerabilities in BSP Applications of SAP Document Management System allow unauthenticated attackers to compromise document security with cross-scope impact.

SAP Note 3678417 — schedule update.

Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

6.0 CVE-2025-0059 BC-FES-WGU Info Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Information disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) allows high-privileged local attackers to access sensitive system information with cross-scope impact.

SAP Note 3503138 — apply fix.

Race condition vulnerability in SAP Commerce Cloud

5.9 CVE-2026-23684 CEC-SCC-COM-BC-OCC Race Condition
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Race condition vulnerability in SAP Commerce Cloud allows unauthenticated attackers to exploit timing windows and compromise integrity of e-commerce transactions under complex attack conditions.

SAP Note 3689543 — routine update.

Information Disclosure Vulnerability in SAP Business One (B1 Client Memory Dump Files)

5.8 CVE-2026-24319 SBO-CRO-SEC Info Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Information disclosure vulnerability in SAP Business One (B1 Client Memory Dump Files) allows high-privileged local attackers to access sensitive business data from memory dump files.

SAP Note 3679346 — apply patch.

Information Disclosure vulnerability in SAP Commerce Cloud

5.3 CVE-2026-24321 CEC-SCC-COM-BC-OCC Info Disclosure
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Commerce Cloud allows unauthenticated attackers to access sensitive e-commerce information with low confidentiality impact.

SAP Note 3687771 — apply update.

Missing authorization check in SAP Business Workflow

5.2 CVE-2026-24312 BC-BMT-WFM Missing Auth
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N

Missing authorization check in SAP Business Workflow allows high-privileged attackers to bypass authorization controls and modify workflow data with user interaction.

SAP Note 3710111 — schedule patch.

Missing Authorization Check in ABAP based SAP systems

5.0 CVE-2026-0486 SV-SMG-SDD Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Missing authorization check in ABAP based SAP systems allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.

SAP Note 3691645 — apply fix.

Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

4.8 CVE-2026-24325 BI-BIP-CMC XSS
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP BusinessObjects Enterprise (Central Management Console) allows high-privileged attackers to inject malicious scripts with cross-scope impact.

SAP Note 3697256 — maintenance window.

Insecure Deserialization vulnerability in SAP NetWeaver (JMS service)

4.4 CVE-2026-23685 BC-JAS-JMS Deserialization
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Insecure deserialization vulnerability in SAP NetWeaver (JMS service) allows high-privileged local attackers to cause denial of service with high availability impact.

SAP Note 3687285 — routine update.

Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)

4.3 CVE-2026-24327 FIN-SEM-CPM-BSC Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application) allows authenticated attackers to access sensitive strategic management data.

SAP Note 3680390 — apply patch.

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

4.3 CVE-2026-24326 IS-DFS-BIT Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations) allows authenticated attackers to modify defense and security data with low integrity impact.

SAP Note 3678009 — schedule update.

Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)

4.3 CVE-2026-23688 MM-PUR-SVC-SES Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Missing authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services) allows authenticated attackers to modify service entry data with low integrity impact.

SAP Note 3215823 — apply fix.

Missing Authorization check in a function module in SAP Support Tools Plug-In

4.3 CVE-2026-23681 SV-SMG-SDD Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in a function module in SAP Support Tools Plug-In allows authenticated attackers to access sensitive support tool data with low confidentiality impact.

SAP Note 3680416 — routine update.

Low Priority Security Updates

CRLF Injection vulnerability in SAP NetWeaver Application Server Java

3.4 CVE-2026-23686 BC-MID-CON-JCO CRLF Injection
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

CRLF injection vulnerability in SAP NetWeaver Application Server Java allows high-privileged attackers to inject CRLF sequences with cross-scope impact on integrity under user interaction conditions.

SAP Note 3673213 — low priority update.

Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)

3.1 CVE-2026-24320 BC-CST-IC Memory Corruption
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Memory corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) allows authenticated attackers to trigger memory corruption with limited confidentiality impact under complex attack conditions.

SAP Note 3678313 — regular maintenance cycle.

Top 10 ABAP Code Vulnerabilities and Common S/4HANA Migration Mistakes
https://redrays.io/blog/top-10-abap-code-vulnerabilities-and-common-s-4hana-migration-mistakes/
Wed, 28 Jan 2026 13:48:29 +0000

When companies migrate from SAP ECC to S/4HANA, they're not just upgrading their system; they're often carrying decades of security problems with them. This research looks at the most common security vulnerabilities in custom ABAP code and the mistakes organizations make during S/4HANA migrations.

According to security experts at RedRays, over 80% of SAP systems they've tested contain critical security flaws or misconfigurations that could lead to business compromise. As SAP systems move to web-based interfaces like Fiori, old vulnerabilities become much more dangerous because they're now accessible from the internet.

Why ABAP Security Matters

ABAP (Advanced Business Application Programming) is the language used to customize SAP systems for specific business needs. While this flexibility is powerful, it also creates security risks. Many organizations run custom code written decades ago, before secure coding practices were standard in SAP development.

When companies migrate to S/4HANA using a "lift-and-shift" approach, they bring all these old security holes into a new, web-oriented environment. What was once only accessible from inside the company network can now be exploited via internet protocols.

Common Risk Areas

  • Custom Reports (Z-reports). Security issue: no authorization checks. Migration risk: confidential data leaks via web access.
  • RFC Modules. Security issue: remote function calls without protection. Migration risk: attack vector for lateral movement.
  • File Processing (DATASET). Security issue: direct OS file system access. Migration risk: directory traversal and server compromise.
  • Web Interfaces (Web Dynpro/UI5). Security issue: insufficient input validation. Migration risk: Cross-Site Scripting (XSS) and session theft.

Top 10 Vulnerabilities in Custom ABAP Code

Based on analysis from RedRays and SAP Security Notes, here are the ten most critical vulnerability categories found in custom developments.

1. Missing Authorization Checks

This is the most common mistake in ABAP code: developers forget to add AUTHORITY-CHECK statements before critical data operations. Many developers wrongly assume that if a user has permission to run a transaction (T-code), they automatically have rights to view or modify all data within that transaction.

The problem is that SAP doesn't enforce authorization checks at the database level for custom code. As a result, a user with access to a simple materials report might see data for all plants and storage locations, even those they shouldn't have access to according to organizational structure.

Impact: Data privacy violations, regulatory compliance failures (GDPR, SOX).
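The report below is an added example (not RedRays' code) of the pattern described above: a custom stock report that first narrows the user's plant selection to the plants an AUTHORITY-CHECK allows, and only then reads MARD. The program name ZRR_STOCK_BY_PLANT is hypothetical, and M_MATE_WRK with ACTVT 03 is assumed as the relevant authorization object; substitute the object that governs the data your report actually reads.

```abap
*&---------------------------------------------------------------------*
*& Report ZRR_STOCK_BY_PLANT (hypothetical name, constructed for this
*& example). Lists storage-location stock from MARD, but only for the
*& plants the caller is authorized to display.
*&---------------------------------------------------------------------*
REPORT zrr_stock_by_plant.

TABLES: mard.

SELECT-OPTIONS: s_werks FOR mard-werks,
                s_matnr FOR mard-matnr.

TYPES: BEGIN OF ty_stock,
         matnr TYPE mard-matnr,
         werks TYPE mard-werks,
         lgort TYPE mard-lgort,
         labst TYPE mard-labst,
       END OF ty_stock.

DATA: lt_stock   TYPE STANDARD TABLE OF ty_stock,
      lt_plants  TYPE STANDARD TABLE OF werks_d,
      lt_allowed TYPE RANGE OF werks_d.

START-OF-SELECTION.

  " Vulnerable pattern (what the text describes): one SELECT over the
  " user's plant range, relying on the transaction authorization only.
  " Every plant in MARD that matches the selection is returned.
  "
  " SELECT matnr werks lgort labst FROM mard INTO TABLE lt_stock
  "   WHERE werks IN s_werks AND matnr IN s_matnr.

  " Hardened pattern: resolve the candidate plants from the plant master
  " (T001W), then keep only those for which the caller passes an
  " AUTHORITY-CHECK. M_MATE_WRK with ACTVT '03' (display) is assumed here.
  SELECT werks FROM t001w INTO TABLE lt_plants
    WHERE werks IN s_werks.

  LOOP AT lt_plants INTO DATA(lv_werks).
    AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
      ID 'ACTVT' FIELD '03'
      ID 'WERKS' FIELD lv_werks.
    IF sy-subrc = 0.
      APPEND VALUE #( sign = 'I' option = 'EQ' low = lv_werks ) TO lt_allowed.
    ENDIF.
  ENDLOOP.

  IF lt_allowed IS INITIAL.
    " No authorized plant at all: fail closed with an explicit message
    " instead of silently showing an empty list.
    MESSAGE 'No display authorization for the selected plants' TYPE 'E'.
  ENDIF.

  " The effective WHERE clause is the intersection of the user's
  " selection and the plants they are authorized for.
  SELECT matnr werks lgort labst FROM mard INTO TABLE lt_stock
    WHERE werks IN lt_allowed
      AND matnr IN s_matnr.

  LOOP AT lt_stock INTO DATA(ls_stock).
    WRITE: / ls_stock-matnr, ls_stock-werks, ls_stock-lgort, ls_stock-labst.
  ENDLOOP.
```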

2. SQL Injection in Open SQL and Native SQL

While Open SQL provides some protection, using dynamic conditions in WHERE clauses or executing Native SQL via the ADBC interface opens the door to SQL injection attacks. Attackers can manipulate input parameters to change query logic, bypass filters, or access system tables like USR02 (password storage).

A critical example is CVE-2025-0063, discovered in RFC modules for Informix databases. It allowed users with minimal privileges to inject malicious SQL code into host variables, leading to complete compromise of database integrity and availability.

Prevention: Use the CL_ABAP_DYN_PRG class for strict validation and escaping of all dynamic query elements.
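As an added illustration of that prevention advice (example code, not from RedRays or SAP), the hypothetical class ZCL_RR_DYN_SELECT below shows a dynamic row count with the untrusted table name, column and value concatenated into the statement, next to the same method guarded by CL_ABAP_DYN_PRG; the package name Z_RR_APP passed to CHECK_TABLE_NAME_STR is an assumption.

```abap
" Constructed example (hypothetical class ZCL_RR_DYN_SELECT). The caller
" supplies a table name, a column name and a value, typically straight
" from a UI field; all three must be treated as untrusted.
CLASS zcl_rr_dyn_select DEFINITION.
  PUBLIC SECTION.
    METHODS count_rows_vulnerable
      IMPORTING iv_table        TYPE string
                iv_column       TYPE string
                iv_value        TYPE string
      RETURNING VALUE(rv_count) TYPE i.
    METHODS count_rows_hardened
      IMPORTING iv_table        TYPE string
                iv_column       TYPE string
                iv_value        TYPE string
      RETURNING VALUE(rv_count) TYPE i
      RAISING   cx_abap_not_a_table
                cx_abap_not_in_package
                cx_abap_invalid_name.
ENDCLASS.

CLASS zcl_rr_dyn_select IMPLEMENTATION.

  METHOD count_rows_vulnerable.
    " Vulnerable: the value is spliced straight into the WHERE clause, so
    " a value like  X' OR '1' = '1  rewrites the condition, and any table
    " name the caller chooses reaches the database.
    DATA(lv_where) = |{ iv_column } = '{ iv_value }'|.
    SELECT COUNT( * ) FROM (iv_table) INTO rv_count WHERE (lv_where).
  ENDMETHOD.

  METHOD count_rows_hardened.
    " 1. Table name: must be a real database table inside an allowed
    "    package; otherwise cx_abap_not_a_table / cx_abap_not_in_package
    "    is raised. 'Z_RR_APP' is an assumed package for this example.
    DATA(lv_table) = cl_abap_dyn_prg=>check_table_name_str(
                       val      = iv_table
                       packages = 'Z_RR_APP' ).

    " 2. Column name: must be a syntactically valid name, so operators or
    "    parentheses cannot be smuggled in through the column parameter.
    DATA(lv_column) = cl_abap_dyn_prg=>check_column_name( iv_column ).

    " 3. Value: QUOTE wraps the value in single quotes and doubles every
    "    embedded quote, so the  X' OR '1' = '1  input becomes one plain
    "    literal that simply matches no row.
    DATA(lv_where) = |{ lv_column } = { cl_abap_dyn_prg=>quote( iv_value ) }|.

    SELECT COUNT( * ) FROM (lv_table) INTO rv_count WHERE (lv_where).
  ENDMETHOD.

ENDCLASS.
```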

3. ABAP Code Injection

This vulnerability is rated critical (CVSS 9.9) and allows attackers to inject arbitrary ABAP statements directly into the system execution environment. Using constructs like INSERT REPORT or GENERATE SUBROUTINE POOL without proper authorization checks on the S_DEVELOP object turns the system into an open book for attackers.

CVE-2025-42957 in the /SLOAE/DEPLOY module demonstrated how insufficient parameter validation in RFC functions allows low-privileged users to create new programs, execute OS-level commands, and create users with SAP_ALL privileges.

4. Cross-Site Scripting (XSS) in Web Dynpro and Fiori

With the shift to web-based interfaces like SAP Fiori and Web Dynpro ABAP, XSS has become one of the three most frequently patched vulnerabilities. The problem occurs when user-entered data is displayed in browsers without proper encoding.

  • Reflected XSS. Mechanism: code passed through URL or request parameters. Impact on SAP: session cookie theft, content spoofing.
  • Stored XSS. Mechanism: malicious script saved in the database (e.g., in order text). Impact on SAP: attack on any user viewing the object.

Attackers can use XSS for phishing within the corporate network, intercepting authentication tokens, or performing unauthorized actions as an administrator.

Solution: Use SAP's built-in escaping functions and activate protection at the HTTP framework level (ICF).
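An added example of the escaping side of that solution (not code from the original post): a hypothetical ICF handler class ZCL_RR_FEEDBACK_HANDLER that renders a user-supplied comment, first as the vulnerable raw concatenation and then through the built-in ESCAPE function with CL_ABAP_FORMAT=>E_HTML_TEXT; the request field name 'comment' is assumed.

```abap
" Constructed example of output encoding in an ICF request handler
" (hypothetical class ZCL_RR_FEEDBACK_HANDLER implementing
" IF_HTTP_EXTENSION). The comment text comes from the HTTP request.
CLASS zcl_rr_feedback_handler DEFINITION.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
    METHODS render_comment
      IMPORTING iv_comment     TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS zcl_rr_feedback_handler IMPLEMENTATION.

  METHOD if_http_extension~handle_request.
    " Form field name 'comment' is an assumption for this example.
    DATA(lv_comment) = server->request->get_form_field( 'comment' ).
    " Declare the content type explicitly so the browser does not sniff it.
    server->response->set_header_field(
      name  = 'Content-Type'
      value = 'text/html; charset=utf-8' ).
    server->response->set_cdata( render_comment( lv_comment ) ).
  ENDMETHOD.

  METHOD render_comment.
    " Vulnerable: the raw string is placed into the markup. A stored
    " comment containing a <script> element runs for every viewer; the
    " same line fed from a URL parameter gives reflected XSS.
    "
    " rv_html = |<p class="comment">{ iv_comment }</p>|.

    " Hardened: ESCAPE with E_HTML_TEXT converts < > & " to entities, so
    " the comment is rendered as text. Use E_HTML_ATTR inside an
    " attribute value, E_JS inside a script literal and E_URL in a URL;
    " the right format depends on where the value is inserted.
    rv_html = |<p class="comment">{ escape( val    = iv_comment
                                           format = cl_abap_format=>e_html_text ) }</p>|.
  ENDMETHOD.

ENDCLASS.
```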

5. Insecure Remote Function Calls (RFC)

RFCs are the backbone of communication between systems in SAP landscapes, but they're often configured insecurely. Common mistakes include no checks on the S_RFC object, using trusted connections without restrictions, and exposing critical functions to external networks.

Attackers often use RFC for lateral movement. Compromising a secondary system connected via RFC to a productive S/4HANA environment allows attackers to use the trusted communication channel to execute commands in the business core.

6. Directory Traversal

Using OPEN DATASET with user-controlled parameters can lead to unauthorized reading or writing of files on the application server. If the file path isn't normalized, attackers can use ../ sequences to escape the allowed directory and access sensitive OS files or system logs.

Prevention: Use logical file names (transaction FILE) and validate paths through standard SAP function modules like FILE_GET_NAME.
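The report below is an added example (not from the original post) of that prevention: the user supplies only a bare file name, which is validated, substituted into a logical file name via FILE_GET_NAME, checked against S_DATASET with AUTHORITY_CHECK_DATASET, and only then opened. ZRR_READ_INBOUND and the logical file name ZRR_INBOUND_FILE (assumed to be maintained in transaction FILE with a <PARAM_1> placeholder) are hypothetical, and the variable types follow the FILENAME structure.

```abap
" Constructed example: reading an interface file by logical file name.
" ZRR_INBOUND_FILE is a hypothetical logical file name whose physical
" path in transaction FILE is assumed to end in <PARAM_1>.
REPORT zrr_read_inbound.

PARAMETERS p_file TYPE char255 LOWER CASE.

DATA: lv_path TYPE filename-fileextern,
      lv_line TYPE string.

START-OF-SELECTION.

  " Vulnerable pattern (what the text describes): the user-supplied
  " value is used as the whole path, so '../' sequences leave the
  " intended directory.
  "
  " OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.

  " Hardened pattern:
  " 1. Accept only a plain file name. It is substituted into <PARAM_1>
  "    and never interpreted as a path, so separators and '..' are rejected.
  IF p_file IS INITIAL
     OR p_file CS '..'
     OR p_file CA '/\'.
    MESSAGE 'Invalid file name' TYPE 'E'.
  ENDIF.

  " 2. Resolve the logical file name to a physical path. The directory
  "    part comes from customizing, not from the user.
  CALL FUNCTION 'FILE_GET_NAME'
    EXPORTING
      logical_filename = 'ZRR_INBOUND_FILE'
      parameter_1      = p_file
    IMPORTING
      file_name        = lv_path
    EXCEPTIONS
      file_not_found   = 1
      OTHERS           = 2.
  IF sy-subrc <> 0.
    MESSAGE 'Logical file name not configured' TYPE 'E'.
  ENDIF.

  " 3. Check S_DATASET against the resolved physical path, so the
  "    authorization covers what is really opened.
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      activity         = sabc_act_read
      filename         = lv_path
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this file' TYPE 'E'.
  ENDIF.

  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  " Read line by line; READ DATASET sets sy-subrc <> 0 at end of file.
  DO.
    READ DATASET lv_path INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    WRITE: / lv_line.
  ENDDO.
  CLOSE DATASET lv_path.
```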

7. Insecure Deserialization

Deserialization vulnerabilities like CVE-2025-30012 allow attackers to manipulate data objects passed between Java and ABAP stacks. If the system trusts incoming byte streams without validating their structure, attackers can inject "gadgets", fragments of existing code that execute malicious actions during deserialization, up to remote code execution (RCE).

In ABAP development, this is relevant when using classes like CL_ABAP_SERIALIZER or passing complex data structures through binary interfaces.

8. Hard-coded Secrets

Storing passwords, API keys, or tokens directly in program code is a classic mistake that makes the system vulnerable to anyone with code viewing access (transactions SE38, SE80). These secrets also end up in version control systems and transport requests, becoming available at all landscape stages (DEV, QAS, PRD).

Recommendation: Use Secure Storage and encryption functions like SSFC_STRING_ENCRYPT for handling sensitive information.

9. Missing Audit Trails

Many custom programs modify critical business data (such as prices or partner information) without leaving traces in system logs. In case of a security incident or internal fraud, the absence of an audit trail makes investigation and identifying culprits impossible.

Solution: Implement recording in Security Audit Log (transaction SM20) and use Change Documents mechanisms for all significant operations.

10. Structural Defects and Performance Issues (ABAP Crimes)

While not always a direct vulnerability, poor code structure (lack of modularity, nested loops with database queries) can lead to Denial of Service (DoS). In S/4HANA environments designed for high-speed in-memory processing, unoptimized legacy code can paralyze the HANA database by consuming all available resources.

  • Direct modification of SAP tables. Impact: data integrity violation, business logic bypass
  • No SY-SUBRC checking. Impact: unpredictable system behavior on failures
  • Using outdated operators. Impact: vulnerability to new attack vectors, incompatibility
  • Development in the production system. Impact: high risk of unauthorized changes

Critical S/4HANA Migration Mistakes

Migrating to S/4HANA isn't just a technical upgrade; it's a complete ERP system transformation. During this period, security is often sacrificed for project timelines, creating long-term risks.

Mistake 1: Neglecting Role and Authorization Redesign

The most common mistake is trying to transfer existing roles from ECC to S/4HANA "as is." In S/4HANA, many transactions are obsolete or have been replaced (for example, MB1A, MB1B merged into MIGO). Additionally, implementing Fiori requires completely new authorizations for OData services and UI5 applications.

Failure to adapt the Segregation of Duties (SoD) matrix to the new Business Partner architecture (which combines vendors and customers) can lead to critical authorization conflicts enabling fraudulent activities.

Mistake 2: No "Clean Core" Strategy

Many companies continue developing complex extensions directly inside the system core, ignoring SAP recommendations to use SAP Business Technology Platform (BTP) for "Side-by-Side" extensions.

This leads to technical debt accumulation:

  • Complications in future system updates
  • Core instability due to custom code incompatibility with simplified HANA data models (e.g., ACDOCA table)
  • Increased attack surface from millions of lines of unverified code inside ERP

Mistake 3: Data Integrity and Confidentiality Issues During Migration

Data migration often involves format errors, record duplication, and loss of historical links. From a security perspective, a critical mistake is transferring unanonymized personal data to test and sandbox migration environments, a direct GDPR violation.

  • Preparation stage. Common mistake: no archiving of old data. Consequences: increased TCO, migration slowdown
  • Conversion stage. Common mistake: ignoring the Simplification Item List. Consequences: program execution errors, security holes
  • Cutover stage. Common mistake: weak reconciliation control. Consequences: unreliable financial reporting, audit risk
  • Hypercare stage. Common mistake: excessive "emergency" access rights. Consequences: unauthorized changes in production

Mistake 4: Insufficient Attention to OData and Fiori Security

Transitioning to web interfaces requires implementing new defense layers such as Web Application Firewall (WAF) and SAP Web Dispatcher. Many organizations make the mistake of opening access to OData services without proper backend authorization checks, relying only on visual restrictions in the Fiori application. Attackers can call services directly through browser developer tools and access data hidden in the UI.
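What a backend authorization check in an OData provider looks like, as an added example that is not code from the original article. The service ZSALESORDER, the generated class ZCL_ZSALESORDER_DPC, the table ZSO_HEAD and the authorization object Z_SO (fields ACTVT, VKORG) are assumptions; the Gateway types and exception class are the standard ones.

```abap
" Redefinition in the *_DPC_EXT class generated by SAP Gateway. The check
" runs on every GET .../SalesOrderSet, whether it comes from the Fiori app
" or from a browser's developer tools, so hiding a tile in the UI is never
" the only control.
CLASS zcl_zsalesorder_dpc_ext DEFINITION
  PUBLIC INHERITING FROM zcl_zsalesorder_dpc CREATE PUBLIC.
  PROTECTED SECTION.
    METHODS salesorderset_get_entityset REDEFINITION.
ENDCLASS.

CLASS zcl_zsalesorder_dpc_ext IMPLEMENTATION.
  METHOD salesorderset_get_entityset.
    DATA lt_vkorg TYPE RANGE OF vkorg.

    " 1. Function-level check: may this user display sales orders at all?
    AUTHORITY-CHECK OBJECT 'Z_SO' ID 'ACTVT' FIELD '03' ID 'VKORG' DUMMY.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
        EXPORTING
          textid  = /iwbep/cx_mgw_busi_exception=>business_error
          message = 'Not authorized to display sales orders'.
    ENDIF.

    " 2. Honour the $filter on Vkorg as a select-option range (empty = all).
    LOOP AT it_filter_select_options ASSIGNING FIELD-SYMBOL(<ls_filter>)
         WHERE property = 'Vkorg'.
      LOOP AT <ls_filter>-select_options ASSIGNING FIELD-SYMBOL(<ls_so>).
        APPEND VALUE #( sign = <ls_so>-sign option = <ls_so>-option
                        low  = <ls_so>-low  high   = <ls_so>-high ) TO lt_vkorg.
      ENDLOOP.
    ENDLOOP.

    SELECT * FROM zso_head
      WHERE vkorg IN @lt_vkorg
      INTO CORRESPONDING FIELDS OF TABLE @et_entityset.

    " 3. Instance-level check: drop every row whose sales organization the
    "    user may not display, regardless of what the UI's filter asked for.
    LOOP AT et_entityset ASSIGNING FIELD-SYMBOL(<ls_row>).
      AUTHORITY-CHECK OBJECT 'Z_SO'
        ID 'ACTVT' FIELD '03'
        ID 'VKORG' FIELD <ls_row>-vkorg.
      IF sy-subrc <> 0.
        DELETE et_entityset.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```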

Protection Strategy and Automation Role

To minimize risks, organizations should move from periodic audits to continuous code security monitoring.

Using ABAP Test Cockpit (ATC) and RedRays Solutions

Standard SAP tools like ATC and SAP Code Vulnerability Analyzer (CVA) provide basic security checks but often require additional licenses and complex configuration. The RedRays ABAP Security Scanner platform complements these tools by offering:

  • Deep Data Flow Analysis (Taint Analysis): Tracks data path from user input to dangerous code operators
  • Reduced False Positives: Thanks to SAP-context awareness, saving developer time
  • CI/CD Integration: Allows code checking during writing, implementing a "Shift Left" approach

Secure Migration Recommendations

  1. Conduct Full Custom Code Audit before starting migration using SAP Readiness Check and specialized scanners like RedRays ABAP Scanner
  2. Implement "Clean Core" Principle: Remove unused code (Soft Cleaning technology) and move innovations to BTP
  3. Automate Authorization Testing: Use tools for trace analysis and automatic role creation based on actual function usage
  4. Ensure Infrastructure Security: Configure network segmentation, update OS and HANA DB patches, activate SAP Security Audit Log

Conclusion

SAP S/4HANA security is an ongoing process requiring integration of efforts from developers, basis specialists, and security auditors. Vulnerabilities in custom ABAP code remain the most likely attack vector on business-critical systems, and migration mistakes can lay the foundation for future incidents.

The transition to S/4HANA provides a unique opportunity to clean the system of accumulated risks and build a modern, threat-resistant architecture. Using advanced automation tools like RedRays ABAP Scanner, combined with a strategic approach to migration, allows organizations to protect their most valuable assets and ensure business continuity in an era of digital instability.

Protect Your SAP Systems from ABAP Code Vulnerabilities

Don't let hidden security flaws compromise your business. RedRays ABAP Security Scanner provides deep code analysis, continuous monitoring, and automated detection of all 10 vulnerability types discussed in this article.


Strategic Partnership – RedRays and Protiviti Join Forces to Secure SAP Landscapes (https://redrays.io/blog/strategic-partnership-redrays-and-protiviti-join-forces-to-secure-sap-landscapes/, published Tue, 20 Jan 2026 13:27:44 +0000)


January 20, 2026

#SAPSecurity #RedRays #Protiviti #Partnership #CyberSecurity

We are thrilled to officially announce the launch of a strategic partnership between RedRays and Protiviti. This collaboration marks a significant milestone in our mission to secure mission-critical business systems worldwide.

By combining RedRays' deep technical expertise with Protiviti's global consulting experience, we are creating a unique offering in the cybersecurity market.

Why Is This Important?

ERP systems, particularly SAP, are the heart of modern business, processing the most sensitive data and supporting key processes. However, the complexity of these landscapes often makes them vulnerable to cyber threats.

What Does This Mean for Our Clients?

Our alliance aims to deliver a comprehensive approach to SAP security ("Securing SAP Landscapes Together"), which includes:

  • Deep Technical Audit: Leveraging advanced RedRays tools to identify hidden threats and SAP-specific vulnerabilities.
  • Strategic Risk Management: Protiviti’s methodology helps companies not just "patch holes," but build robust risk management and compliance (GRC) processes.
  • Proactive Defense: Jointly developing strategies to anticipate attacks and prevent them before they damage the business.

Looking Ahead

Together with Protiviti, we intend to set a new standard for SAP system security. This partnership will allow our clients to confidently pursue digital transformation, knowing their critical assets are under the reliable protection of industry leaders.

📢 Stay tuned to learn more about the joint webinars and research we are preparing as part of this collaboration.

CVE-2026-0491 – Code Injection in SAP Landscape Transformation (https://redrays.io/blog/code-injection-in-sap-landscape-transformation/, published Tue, 13 Jan 2026 12:55:08 +0000)

🔴 HOTNEWS CRITICAL | CVE-2026-0491 | CVSS 9.1 CRITICAL | SAP Note #3697979

Vulnerability Summary

SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS v3.0 Assessment

  • Base Score: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Technical Details

⚠ Transformation Infrastructure Backdoor

Code Injection via RFC-enabled Function Module in Landscape Transformation Analysis

SAP Landscape Transformation is a critical component used during system migrations, consolidations, upgrades, and landscape transformations. The vulnerability exists in an RFC-enabled function module within the Landscape Transformation Analysis (LT Analysis) component that lacks proper input validation. An attacker with administrative privileges can exploit this to:

  • Inject arbitrary ABAP code into transformation processes
  • Execute operating system commands on transformation servers
  • Bypass all authorization checks and security mechanisms
  • Manipulate transformation rules, mappings, and data conversions
  • Corrupt data being replicated during landscape transformations
  • Create backdoors in both source and target systems
  • Access sensitive business data being migrated
  • Compromise the integrity of entire transformation projects

Business Impact

⚠ Critical for Active Transformation Projects

Organizations currently executing or planning SAP landscape transformations should treat this vulnerability with the highest priority. Exploitation during transformation can have catastrophic long-term impacts on data integrity, system security, and business operations across the entire SAP landscape.

Potential business consequences:

  • Corruption of business-critical data during migration
  • Compromise of financial, HR, and operational data being transformed
  • Introduction of backdoors that persist across system landscapes
  • Regulatory compliance violations (GDPR, SOX, etc.)
  • Project delays and potential need to rollback transformations
  • Need for comprehensive forensic investigation of transformation activities
  • Loss of trust in transformation project outcomes

Affected Software Components

DMIS version 2011_1_700
DMIS version 2011_1_710
DMIS version 2011_1_730
DMIS version 2011_1_731
DMIS version 2018_1_752
DMIS version 2020

Solution

✅ Permanent Fix

This issue is fixed by removing the code causing the vulnerability. The vulnerable function module has been eliminated, preventing any possibility of code injection or OS command execution through this attack vector in the Landscape Transformation infrastructure.

Implement the Correction Instructions or Support Packages referenced by SAP Security Note #3697979. Please refer to FAQ document 3698186 for additional implementation guidance and transformation project considerations.

Workaround

There is no workaround available for this security note. Organizations must apply the security patch to remediate this critical vulnerability.

For organizations with active transformation projects, implement these compensating controls until patching is complete:

  • Emergency Patching: Schedule patch deployment during the next available maintenance window
  • Access Restriction: Restrict network access to Landscape Transformation servers to absolute minimum
  • Privilege Audit: Immediately review and minimize administrative privileges for transformation infrastructure
  • Enhanced Monitoring: Implement real-time monitoring of all RFC calls and administrative activities
  • Data Validation: Implement additional integrity checks on transformed/replicated data
  • Change Control: Require multi-person approval for all transformation configuration changes
  • Activity Logging: Enable comprehensive audit logging and secure log forwarding
  • Forensic Readiness: Document all transformation activities for potential forensic investigation

Post-Patch Validation

🔍 Validation Steps

After applying the security patch, organizations with recent transformation activities should:

  • Review transformation audit logs for any suspicious activities
  • Validate data integrity of all recently transformed/replicated data
  • Verify transformation rules and mappings have not been tampered with
  • Test transformation processes in non-production environment
  • Conduct security assessment of both source and target systems
  • Review user accounts and authorizations in transformation landscape
  • Document all activities during the vulnerability exposure period

Technical Implementation Details

🔧 Modified ABAP Objects

The security patch removes the vulnerable code from the following ABAP repository object in the Landscape Transformation infrastructure:

Function Group: CNVC_JSTAT
  • Function Module: CNVCF_JSTAT_UP

⚠ Related Vulnerability Note

Note that CVE-2026-0498 (SAP Note #3694242) affects the same function group CNVC_JSTAT and includes this function module along with additional ones. Organizations should ensure both security notes are applied to fully remediate all code injection vulnerabilities in the data transformation infrastructure.

The CNVCF_JSTAT_UP function module contained code that allowed arbitrary ABAP code execution and OS command injection through RFC interfaces in the context of landscape transformation operations. The patch removes these vulnerable code sections while maintaining the legitimate transformation status update functionality through secure implementations.

Disclosure Date: January 13, 2026 (SAP Security Patch Day)

For more information, visit SAP Security Notes

CVE-2026-0498 – Code Injection Vulnerability in SAP S/4HANA (Backdoor) (https://redrays.io/blog/code-injection-vulnerability-in-sap-s-4hana-backdoor/, published Tue, 13 Jan 2026 12:47:47 +0000)

🔴 HOTNEWS CRITICAL | CVE-2026-0498 | CVSS 9.1 CRITICAL | SAP Note #3694242

Vulnerability Summary

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS v3.0 Assessment

  • Base Score: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Technical Details

⚠ Backdoor Vulnerability

Administrative Privilege Escalation to Code Injection and OS Command Execution

The vulnerability exists in an RFC-enabled function module that lacks proper input validation and authorization enforcement. An attacker who has already obtained administrative privileges (through credential compromise, social engineering, or exploitation of other vulnerabilities) can leverage this flaw to:

  • Inject and execute arbitrary ABAP code directly in the SAP application layer
  • Execute operating system commands on the underlying server
  • Bypass all authorization checks and security controls
  • Create persistent backdoors for future unauthorized access
  • Exfiltrate sensitive business data without detection
  • Modify critical business logic and data
  • Disable audit logging and security monitoring
  • Launch attacks against connected systems in the SAP landscape

This vulnerability is particularly dangerous because it effectively allows an attacker with admin credentials to achieve complete system takeover while appearing to perform legitimate administrative activities.

Affected Software Components

S4CORE version 102
S4CORE version 103
S4CORE version 104
S4CORE version 105
S4CORE version 106
S4CORE version 107
S4CORE version 108
S4CORE version 109

Solution

✅ Permanent Fix

This issue is fixed by removing the code causing the vulnerability. The vulnerable function module has been completely eliminated, preventing any possibility of code injection or OS command execution through this attack vector.

Implement the Correction Instructions or Support Packages referenced by SAP Security Note #3694242. Please refer to FAQ document 3698254 for additional implementation guidance.

Workaround

There is no workaround available for this security note. Organizations must apply the security patch immediately to remediate this critical vulnerability.

Until the patch can be deployed, implement the following compensating controls:

  • Enhanced Monitoring: Implement 24/7 monitoring of all administrative actions and RFC calls
  • Privilege Review: Conduct emergency audit of all administrative access and reduce to minimum necessary
  • MFA Enforcement: Require multi-factor authentication for all administrative accounts
  • Network Segmentation: Isolate SAP systems with strict firewall rules and access controls
  • Incident Response: Prepare incident response procedures for potential exploitation
  • Audit Logging: Enable comprehensive audit logging and secure log forwarding to SIEM

Detection Recommendations

🔍 Indicators of Compromise

Organizations should immediately review security audit logs (SM20/SM19) for the following suspicious activities:

  • Unusual RFC function module calls by administrative users
  • Execution of system commands or ABAP code from unexpected sources
  • Creation of new administrative users or privilege escalations
  • Modifications to security-critical authorization objects
  • Disabled or modified audit logging configurations
  • Unexpected changes to critical business logic or data
  • Unusual network connections from SAP application servers

Technical Implementation Details

🔧 Modified ABAP Objects

The security patch completely removes the vulnerable code from the following ABAP repository objects:

Function Group: CNVC_JSTAT
  • Function Module: CNVCF_JSTAT_GETINFO
  • Function Module: CNVCF_JSTAT_REPEAT
  • Function Module: CNVCF_JSTAT_UP
  • Function Module: CNVCF_JSTAT_CHECK_STATUS

These function modules contained code that allowed arbitrary ABAP code execution and OS command injection through RFC interfaces. The patch removes the vulnerable code sections entirely, eliminating the backdoor functionality while preserving legitimate data transformation capabilities through secure alternative implementations.

Disclosure Date: January 13, 2026 (SAP Security Patch Day)

For more information, visit SAP Security Notes

CVE-2026-0501 – SQL Injection in SAP S/4HANA – Financials General Ledger (https://redrays.io/blog/sql-injection-in-sap-s-4hana-financials-general-ledger/, published Tue, 13 Jan 2026 12:42:35 +0000)

🔴 HOTNEWS CRITICAL | CVE-2026-0501 | CVSS 9.9 CRITICAL | SAP Note #3687749

Vulnerability Summary

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.

CVSS v3.0 Assessment

  • Base Score: 9.9
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Reason and Prerequisites

⚠ Configuration Issue

The affected functionality is only vulnerable if the configuration regarding authorization object S_RFC is incorrect.

Technical Details

The vulnerability allows authenticated attackers to inject malicious SQL commands through insufficiently validated user input. The affected function modules in function group FGL_BCF are intended for internal system use only as part of parallel processing operations.

When authorization object S_RFC is misconfigured, these internal function modules become accessible via external RFC interfaces, creating an attack vector for SQL injection attacks that can:

  • Read sensitive financial data from the database
  • Modify critical general ledger records
  • Delete accounting data and configurations
  • Execute administrative database operations
  • Compromise the entire database backend

Affected Software Components

S4CORE version 102
S4CORE version 103
S4CORE version 104
S4CORE version 105
S4CORE version 106
S4CORE version 107
S4CORE version 108
S4CORE version 109

Solution

✅ Permanent Fix

This issue is fixed by generating SQL statements internally within the function module using validated parameters, which prevents user-controlled input from being injected into the query.

There is no impact on existing functionality after implementing the security note. Please implement the corresponding Support Package or the correction instructions provided in SAP Note #3687749.

Workaround

⚠ Temporary Mitigation

Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note.

Mitigation steps:

  • Review and restrict the authorization object S_RFC to ensure that no external access is permitted to function modules within the function group FGL_BCF
  • These function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces
  • Audit current S_RFC assignments across all user roles and profiles
  • Remove any unnecessary RFC authorizations that expose internal function modules
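The defect class behind this note (dynamic SQL assembled from RFC input) beside the shape the fix describes (the statement generated inside the module from validated parameters), as an added example that is hypothetical and not SAP's FGL_BCF code. The module names, their interfaces and the choice of ACDOCA columns are assumptions; cl_abap_dyn_prg=>check_whitelist_str is used with the signature as I recall it.

```abap
" Vulnerable shape: a remote-enabled module that accepts a WHERE fragment.
FUNCTION z_gl_sum_subpackage_vuln.
*"  IMPORTING VALUE(IV_WHERE) TYPE STRING
*"  EXPORTING VALUE(EV_COUNT) TYPE I
  " Whoever can reach this module via RFC (the S_RFC question above) chooses
  " the whole predicate; the database executes exactly the caller's text.
  SELECT COUNT( * ) FROM acdoca WHERE (iv_where) INTO @ev_count.
ENDFUNCTION.

" Hardened shape: typed inputs, host-variable predicates, and a whitelist on
" the one piece that must stay dynamic (which amount column to total).
FUNCTION z_gl_sum_subpackage.
*"  IMPORTING VALUE(IV_RBUKRS)   TYPE BUKRS
*"            VALUE(IV_GJAHR)    TYPE GJAHR
*"            VALUE(IV_SUMFIELD) TYPE FIELDNAME DEFAULT 'HSL'
*"  EXPORTING VALUE(EV_COUNT)    TYPE I
*"            VALUE(EV_TOTAL)    TYPE ACDOCA-HSL
*"  EXCEPTIONS NOT_ALLOWED
  TYPES: BEGIN OF ty_result,
           cnt   TYPE i,
           total TYPE acdoca-hsl,
         END OF ty_result.
  DATA lt_result TYPE STANDARD TABLE OF ty_result.

  " Only the three ACDOCA currency amount columns may reach the select list;
  " anything else is rejected before any SQL text is built (assumed signature:
  " val plus a comma-separated whitelist, raising cx_abap_not_in_whitelist).
  TRY.
      cl_abap_dyn_prg=>check_whitelist_str( val       = CONV string( iv_sumfield )
                                            whitelist = `HSL,KSL,OSL` ).
    CATCH cx_abap_not_in_whitelist.
      RAISE not_allowed.
  ENDTRY.

  " The company code and fiscal year are bound as host variables: they are
  " data, never part of the statement, so no input can alter the predicate.
  DATA(lv_select) = |COUNT( * ) AS cnt, SUM( { iv_sumfield } ) AS total|.
  SELECT (lv_select)
    FROM acdoca
    WHERE rbukrs = @iv_rbukrs
      AND gjahr  = @iv_gjahr
    INTO CORRESPONDING FIELDS OF TABLE @lt_result.

  " An aggregate without GROUP BY yields exactly one row.
  READ TABLE lt_result INTO DATA(ls_result) INDEX 1.
  ev_count = ls_result-cnt.
  ev_total = ls_result-total.
ENDFUNCTION.
```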

Additional Resources

Please refer to FAQ 3700593 for common questions and answers in the context of this SAP Security Note.

Technical Implementation Details

🔧 Modified ABAP Objects

The security patch modifies the following ABAP repository objects to remediate the vulnerability:

Class: CL_FGL_BCF_PJO
• Method: CL_FGL_BCF_PJO→_SUBPACKAGE_RFC_PERFORM
• Method: CL_FGL_BCF_PJO→_SUBPACKAGE_ESTIMATE
• Private Section: CL_FGL_BCF_PJO
Function Group: FGL_BCF
• Function Module: FGL_BCF_SQL_EST_SUBPACKAGE

The patch implements parameterized SQL query generation and removes dynamic SQL construction that was vulnerable to injection attacks. Additionally, the RFC access to these internal function modules is restricted to prevent external invocation.

Disclosure Date: January 13, 2026 (SAP Security Patch Day)

For more information, visit SAP Security Notes

CVE-2026-0500 – Remote Code Execution in SAP Wily Introscope Enterprise Manager (https://redrays.io/blog/remote-code-execution-in-sap-wily-introscope-enterprise-manager/, published Tue, 13 Jan 2026 12:36:41 +0000)

🔴 HOTNEWS CRITICAL | CVE-2026-0500 | CVSS 9.6 CRITICAL | SAP Note #3668679

Vulnerability Summary

Due to a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager, an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute commands on the victim's application. This could completely compromise the confidentiality, integrity and availability of the application.

CVSS v3.0 Assessment

  • Base Score: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Technical Details

⚠ Attack Mechanism

JNLP File Injection leading to Remote Code Execution on WorkStation

The vulnerability exists in the JNLP generation code where request parameters are not properly validated. An unauthenticated attacker can craft a malicious JNLP file and make it accessible via URL. When a victim clicks on this URL, the Wily Introscope Server processes the malicious JNLP file, which can:

  • Execute arbitrary commands on the victim's workstation
  • Gain complete control over the application environment
  • Access sensitive performance monitoring data
  • Manipulate monitoring configurations and alerts
  • Establish persistent backdoor access
  • Launch attacks against other systems in the monitoring infrastructure

Affected Software Components

INTROSCOPE version 10.7
INTROSCOPE version 10.8 SP01

Solution

✅ Recommended Fix

With the fix provided, the JNLP generation code has been updated. All request parameters are now properly handled and validated. This ensures the JNLP is generated correctly and contains no unintended or harmful code, preserving system security and reliability.

Please install Enterprise Manager 10.8 SP01 Patch 2 (10.8.0.220), which contains the fix. Please refer to release note 3247270 for more details.

Alternate Solution

💡 Alternative Approach

Customers can switch to their respective standalone workstation package from the Software Center instead of launching the application via the .jnlp file. The standalone package provides the same application functionality without relying on JNLP launch, completely eliminating this attack vector.

Workaround

There is no workaround available for this vulnerability. Organizations must either apply the security patch or migrate to the standalone workstation package.

Additional Resources

Refer to FAQ document 3702381 regarding the scope and implementation of this SAP Security Note.

Disclosure Date: January 13, 2026 (SAP Security Patch Day)

For more information, visit SAP Security Notes

SAP Security Patch Day January 2026 (https://redrays.io/blog/sap-security-patch-day-january-2026/, published Tue, 13 Jan 2026 07:21:14 +0000)


SAP has released its January 2026 security patch package containing 17 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 9.9, four High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP HANA database, SAP NetWeaver, SAP Wily Introscope, and various application components.

🔍 DISCOVERED BY REDRAYS

RedRays ABAP Code Scanner Uncovers Critical Authorization Bypass

Our RedRays ABAP Code Scanner successfully identified a critical missing authorization vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. This high-severity flaw allows authenticated users with low privileges to bypass authorization controls and perform unauthorized actions with significant impact on system integrity and availability.

SAP Security Note #3688703 addresses this vulnerability discovered through automated static code analysis. The advisory is scheduled for public release on March 13, 2026.

Vulnerability ID: CVE-2026-0506 (CVSS 8.1 HIGH)

  • Total Security Notes: 17
  • HotNews Critical: 4
  • High Priority: 4
  • Medium Priority: 7
  • Low Priority: 2

Executive Summary

  • Critical SQL Injection: CVE-2026-0501 (CVSS 9.9) in SAP S/4HANA Financials General Ledger allows authenticated attackers to execute arbitrary SQL queries with cross-scope impact on confidentiality, integrity, and availability.
  • Remote Code Execution: CVE-2026-0500 (CVSS 9.6) in SAP Wily Introscope Enterprise Manager enables unauthenticated remote code execution with complete system compromise.
  • Code Injection Vulnerabilities: CVE-2026-0491 (CVSS 9.1) in SAP Landscape Transformation and CVE-2026-0498 (CVSS 9.1) in SAP S/4HANA allow high-privileged attackers to inject and execute malicious code with cross-scope impact.
  • Privilege Escalation: CVE-2026-0492 (CVSS 8.8) in SAP HANA database enables authenticated users to escalate privileges and compromise database integrity.

Critical HotNews Vulnerabilities

SQL Injection in SAP S/4HANA Financials – General Ledger

9.9 CVE-2026-0501 FI-GL-GL-G SQL Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) allows authenticated attackers with low privileges to execute arbitrary SQL queries. This maximum severity flaw enables complete system compromise with cross-scope impact on confidentiality, integrity, and availability of financial data.

SAP Note 3687749 — emergency patch required immediately.

Remote Code Execution in SAP Wily Introscope Enterprise Manager

9.6 CVE-2026-0500 SV-SMG-DIA-WLY RCE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Critical remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (WorkStation) allows unauthenticated remote attackers to execute arbitrary code with user interaction. Successful exploitation leads to complete system takeover with cross-scope impact on confidentiality, integrity, and availability.

SAP Note 3668679 — patch within 24 hours.

Code Injection in SAP Landscape Transformation

9.1 CVE-2026-0491 CA-LT-ANA Code Injection
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP Landscape Transformation allows high-privileged attackers to inject and execute malicious code remotely. The vulnerability has cross-scope impact enabling complete compromise of confidentiality, integrity, and availability across connected systems.

SAP Note 3697979 — immediate patching required.

Code Injection in SAP S/4HANA (Private Cloud and On-Premise)

9.1 CVE-2026-0498 CA-DT-ANA Code Injection
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise) allows high-privileged attackers to inject and execute malicious code with cross-scope impact. Successful exploitation enables complete system takeover affecting confidentiality, integrity, and availability.

SAP Note 3694242 — emergency patch required.

High Priority Security Issues

Privilege Escalation in SAP HANA Database

8.8 CVE-2026-0492 HAN-DB-SEC Privilege Escalation
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Privilege escalation vulnerability in SAP HANA database allows authenticated users with low privileges to escalate their access rights. Successful exploitation leads to complete compromise of confidentiality, integrity, and availability of the database.

SAP Note 3691059 — high priority patch within 48 hours.

OS Command Injection in SAP ABAP and NetWeaver RFCSDK

8.4 CVE-2026-0507 BC-MID-RFC-SDK Command Injection
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

OS command injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK allows high-privileged attackers on adjacent networks to execute arbitrary operating system commands with cross-scope impact.

SAP Note 3675151 — schedule urgent patch.

Missing Authorization in SAP NetWeaver ABAP Platform

8.1 CVE-2026-0506 BC-DWB-DIC-F4 Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Missing authorization check vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated users to perform unauthorized actions with high impact on integrity and availability.

SAP Note 3688703 — apply high priority patch.

Multiple Vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)

8.1 CVE-2026-0511 FI-LOC-FI-RU Multiple
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Multiple security vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation) allow authenticated attackers with low privileges to compromise confidentiality and integrity of financial reconciliation data.

SAP Note 3565506 — high priority update.

Medium Priority Vulnerabilities

Missing Authorization in SAP EHS Management

6.4 CVE-2026-0503 EHS-SAF Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Missing authorization check in SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) allows authenticated attackers to access and modify EHS data with cross-scope impact.

SAP Note 3681523 — schedule patch.

Cross-Site Scripting in SAP Business Connector

6.1 CVE-2026-0514 BC-MID-BUS XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP Business Connector allows unauthenticated attackers to inject malicious scripts that execute in victims' browsers with cross-scope impact.

SAP Note 3666061 — apply update.

Cross-Site Scripting in SAP NetWeaver Enterprise Portal

6.1 CVE-2026-0499 EP-PIN-NAV XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP NetWeaver Enterprise Portal allows unauthenticated attackers to inject and execute malicious scripts with cross-scope impact on confidentiality and integrity.

SAP Note 3687372 — maintenance window.

Open Redirect in SAP Supplier Relationship Management

4.7 CVE-2026-0513 SRM-EBP-CAT Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Open redirect vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) allows attackers to redirect users to malicious sites for phishing attacks.

SAP Note 3638716 — schedule update.

Missing Authorization in Product Designer Web UI

4.3 CVE-2026-0497 PLM-PPM-PDN Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in Business Server Pages Application (Product Designer Web UI) allows authenticated users to access restricted product design information.

SAP Note 3677111 — apply fix.

CSRF in SAP Fiori App (Intercompany Balance Reconciliation)

4.3 CVE-2026-0493 FI-LOC-FI-RU CSRF
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Cross-Site Request Forgery vulnerability in SAP Fiori App (Intercompany Balance Reconciliation) allows attackers to perform unauthorized actions on behalf of authenticated users.

SAP Note 3655229 — routine update.

Information Disclosure in SAP Fiori App (Intercompany Balance Reconciliation)

4.3 CVE-2026-0494 FI-LOC-FI-RU Info Disclosure
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation) allows authenticated users to access sensitive financial reconciliation data beyond their authorization.

SAP Note 3655227 — apply patch.

Low Priority Security Updates

Insufficient Input Handling in SAP Identity Management JNDI Operations

3.8 CVE-2026-0504 BC-IAM-IDM Input Handling
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Insufficient input handling vulnerability in JNDI Operations of SAP Identity Management allows high-privileged attackers to manipulate JNDI lookups with limited impact on confidentiality and integrity.

SAP Note 3657998 — low priority update.

Obsolete Encryption Algorithm in NW AS Java UME User Mapping

3.0 CVE-2026-0510 BC-JAS-SEC-UME Weak Crypto
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Obsolete encryption algorithm vulnerability in SAP NetWeaver AS Java UME User Mapping uses weak cryptographic algorithms that may allow information disclosure under complex attack conditions.

SAP Note 3593356 — regular maintenance cycle.

CVE-2025-42877: Memory Corruption in SAP Web Dispatcher https://redrays.io/blog/cve-2025-42877-sap-web-dispatcher-memory-corruption-analysis/ Thu, 08 Jan 2026 10:47:37 +0000

Deep technical analysis of heap corruption vulnerability in Internet Communication Manager

⚠ Critical Security Advisory

SAP Web Dispatcher and Internet Communication Manager (ICM) contain a critical memory corruption vulnerability in the HTTP header parsing function. The vulnerability allows an unauthenticated attacker to cause heap corruption and lead to Denial of Service through specially crafted HTTP requests.

Executive Summary

During analysis of SAP Security Note 3677544, we conducted deep binary analysis of SAP Web Dispatcher patch level 1526 (vulnerable) and 1528 (patched). The research revealed the exact nature of the vulnerability and its exploitation mechanism.

🔴 CVE-2025-42877 CVSS 7.5

Memory Corruption in IctHttpOpenMessage - Insufficient error handling during memory allocation for HTTP headers leads to heap corruption. The vulnerable code continues execution with an invalid pointer after allocation failure, causing ICM/Web Dispatcher crash.

Location: sapwebdisp binary, function IctHttpOpenMessage at 0x3919a0

Impact: Denial of Service (High Availability Impact), No Confidentiality/Integrity Impact

Technical Nature of the Vulnerability

Heap Corruption Mechanism

The vulnerability resides in the IctHttpOpenMessage function, which processes incoming HTTP requests. When parsing each HTTP header, the function calls IctIHttpAddMemoryExtension to allocate 12 bytes of memory.

The problem occurs when:

  1. ICM/Web Dispatcher heap memory is fragmented by multiple requests
  2. An HTTP request arrives with a large number of headers (200-500 count)
  3. For one of the headers, IctIHttpAddMemoryExtension(12) fails to allocate memory
  4. The vulnerable code makes only 1 retry attempt, then CONTINUES EXECUTION
  5. Code attempts to write data to invalid pointer → heap corruption → crash
❌ Vulnerable Code (PL 1526)

    ; sapwebdisp:0x39220f
    mov    0x1430(%rbx),%r8
    lea    0xc(%r8),%rdx
    cmp    0x1428(%rbx),%rdx
    jbe    39223b
    ; Attempt to allocate 12 bytes
    mov    $0xc,%esi
    callq  IctIHttpAddMemoryExtension
    test   %eax,%eax
    jne    39220f                 ; Retry ONCE
    ; 🐛 BUG: Continues execution!
    mov    0x1430(%rbx),%r8
    mov    %r8,%rcx               ; 💥 Uses invalid pointer!

✅ Patched Code (PL 1528)

    ; sapwebdisp:0x391d48
    ; FIRST attempt
    callq  IctIHttpAddMemoryExtension
    test   %eax,%eax
    je     391dc6                 ; Success
    ; SECOND attempt + validation
    cmp    0x1428(%r10),%rsi
    jbe    391dcd
    callq  IctIHttpAddMemoryExtension
    ; THIRD attempt + validation
    cmp    0x1428(%r10),%rax
    callq  IctIHttpAddMemoryExtension
    jne    391d93                 ; LOOP: keep retrying!
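The control flow described in the five steps above, as an added example that is not SAP's code and not taken from the RedRays binary analysis: arena_t, add_memory_extension() and the two parse_headers_* functions are hypothetical stand-ins for the ICM internals. The vulnerable variant mirrors the one-retry-then-continue pattern; the hardened variant retries a bounded number of times and, if the allocator still fails, rejects the request instead of touching the pointer. The write through the invalid pointer is guarded and reported as a status so the program runs to completion rather than corrupting its own heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the allocation-failure handling described in the
   advisory. Not SAP's code: arena_t, add_memory_extension() and the
   parse_headers_* functions are hypothetical stand-ins for ICM internals. */

#define EXT_SIZE 12   /* bytes requested per header, as in the advisory */

typedef struct {
    uint8_t *base;      /* backing buffer, stands in for the process heap */
    size_t   capacity;  /* total bytes available */
    size_t   used;      /* bytes handed out so far */
    int      calls;     /* allocation attempts, for inspection */
} arena_t;

/* Stand-in for IctIHttpAddMemoryExtension(): returns n bytes, or NULL once
   the arena is exhausted, which is the failure case the advisory describes. */
static uint8_t *add_memory_extension(arena_t *a, size_t n) {
    a->calls++;
    if (a->used + n > a->capacity) return NULL;
    uint8_t *p = a->base + a->used;
    a->used += n;
    return p;
}

typedef enum { PARSE_OK = 0, PARSE_REJECTED = 1, PARSE_INVALID_WRITE = 2 } parse_status;

/* Vulnerable pattern (PL 1526): one retry, then carry on with whatever pointer
   we hold. The real binary writes through the invalid pointer; here the write
   is guarded so the example can run, and the bad state is reported instead. */
static parse_status parse_headers_vulnerable(arena_t *a, int header_count, int *stored) {
    *stored = 0;
    for (int i = 0; i < header_count; i++) {
        uint8_t *slot = add_memory_extension(a, EXT_SIZE);
        if (slot == NULL)
            slot = add_memory_extension(a, EXT_SIZE);   /* single retry */
        /* BUG: no check after the retry; execution continues regardless */
        if (slot == NULL)
            return PARSE_INVALID_WRITE;   /* where the unpatched code corrupts the heap */
        memset(slot, 'H', EXT_SIZE);       /* store the parsed header */
        (*stored)++;
    }
    return PARSE_OK;
}

/* Hardened pattern: bounded retries, and if the allocator still fails the
   request is rejected and parsing stops, so nothing is ever written through
   a NULL pointer. */
static parse_status parse_headers_hardened(arena_t *a, int header_count, int max_retries, int *stored) {
    *stored = 0;
    for (int i = 0; i < header_count; i++) {
        uint8_t *slot = NULL;
        for (int attempt = 0; slot == NULL && attempt <= max_retries; attempt++)
            slot = add_memory_extension(a, EXT_SIZE);
        if (slot == NULL)
            return PARSE_REJECTED;        /* fail the request cleanly */
        memset(slot, 'H', EXT_SIZE);
        (*stored)++;
    }
    return PARSE_OK;
}

/* Runs one parser against an arena with room for capacity_headers headers
   (at most 512 in this model) and a request carrying header_count headers. */
static parse_status run_parser(int vulnerable, int capacity_headers, int header_count, int *stored) {
    static uint8_t heap[EXT_SIZE * 512];
    if (capacity_headers > 512) capacity_headers = 512;
    arena_t a = { heap, (size_t)capacity_headers * EXT_SIZE, 0, 0 };
    return vulnerable ? parse_headers_vulnerable(&a, header_count, stored)
                      : parse_headers_hardened(&a, header_count, 3, stored);
}

/* Convenience wrappers so the outcome can be inspected as plain return values. */
static int outcome_status(int vulnerable, int capacity_headers, int header_count) {
    int n;
    return (int)run_parser(vulnerable, capacity_headers, header_count, &n);
}
static int outcome_stored(int vulnerable, int capacity_headers, int header_count) {
    int n;
    run_parser(vulnerable, capacity_headers, header_count, &n);
    return n;
}

int main(void) {
    /* A fragmented heap with room for 100 extensions, hit by a 350-header request. */
    printf("vulnerable: status=%d headers stored=%d\n",
           outcome_status(1, 100, 350), outcome_stored(1, 100, 350));
    printf("hardened:   status=%d headers stored=%d\n",
           outcome_status(0, 100, 350), outcome_stored(0, 100, 350));
    return 0;
}
```

Both variants store the first 100 headers; at the 101st the vulnerable path reports the invalid write it would have performed, while the hardened path stops with a rejection, which is the behaviour a defender wants from a front-end component under memory pressure.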

Exploitation: Trigger HTTP Request

To exploit the vulnerability, a series of HTTP requests must be sent with a gradually increasing number of headers. This is NOT one huge request, but a sequence of 40+ requests.

💡 Why This Works

Each HTTP header in the request triggers internal SAP parsing, which requires allocation of 12 bytes of memory through IctIHttpAddMemoryExtension().

A request with 350 headers = 350 potential allocations of 12 bytes each. After preliminary heap memory fragmentation (Phase 1), one of these allocations fails.

The vulnerable version performs only 1 retry, which also fails, and then continues using the invalid buffer → heap corruption → ICM crash.

Exploit Request Structure

Phase 1: Memory Fragmentation (8 seconds)

Send 300+ requests with 100 headers each to fragment ICM heap memory

Phase 2: Trigger (40 requests)

Gradually increase header count: Request 1 → 200 headers, Request 20 → 350 headers, Request 40 → 500 headers

HTTP request: will be available 90 days after SAP Security Patch Day.

Key Request Parameters

Number of headers: 200-500 (gradual increase)
Size of each header: ~200 bytes (name + value)
Cookie header: 50 values × 100 bytes = ~5 KB
Total header size: ~70-100 KB (for 350 headers)
SOAP body: minimal (~200 bytes, not critical)
Target endpoint: /sap/bc/soap/rfc?sap-client=001

Attack Sequence

  1. Memory Fragmentation (8 sec): 30 threads × 10 requests = 300 requests with 100 headers each.
     ICM/Web Dispatcher allocates many small memory blocks (12 bytes × 100 headers × 300 requests). Heap becomes fragmented, free memory scattered in small chunks.
  2. Trigger Vulnerability (40 requests): gradual increase 200 → 350 → 500 headers.
     Each request triggers 200-500 calls to IctIHttpAddMemoryExtension(12). Due to fragmentation, one of the allocations fails. Vulnerable version makes 1 retry (also fails) and CONTINUES with invalid buffer.
  3. Heap Corruption & Crash: write to invalid pointer.
     Code attempts to write header data to invalid pointer → heap metadata corruption → adjacent heap chunks corrupted → next malloc/free operation triggers CRASH → ICM/Web Dispatcher terminates → Denial of Service.

Binary Analysis Results

We conducted detailed binary analysis of both SAP Web Dispatcher versions:

Version Comparison

Parameter         | Vulnerable (PL 1526)  | Patched (PL 1528)
Function address  | 0x3919a0              | 0x3914b0
Function size     | 0x1f7a (8,058 bytes)  | 0x20ba (8,378 bytes)
Size change       | (baseline)            | +320 bytes (+3.97%)
Retry attempts    | 1 attempt             | 3+ attempts with loop
Bounds validation | ❌ None               | ✅ After each attempt
Failure handling  | ❌ Continue anyway    | ✅ Keep retrying

Protection and Mitigation

🔴 Critically Important

If you are using SAP Web Dispatcher or SAP NetWeaver with patch level < 1528, apply the patch immediately. This is not a theoretical vulnerability — it has been confirmed through binary analysis and can be exploited in production environments.

Immediate Actions

  1. Apply SAP Note 3677544 — update kernel to PL 1528 or higher
  2. Restart ICM/Web Dispatcher after applying the patch
  3. Review logs for the last 30 days for signs of exploitation
  4. Monitor for unusual crashes or memory errors

Impact Assessment

CVSS Score: 7.5 (High Severity)
Success Rate: 80% on vulnerable systems
Impact Type: DoS (no RCE found)

CVSS 3.1 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Availability Impact: High

Conclusion

CVE-2025-42877 represents a critical heap corruption vulnerability in SAP Web Dispatcher and ICM, caused by insufficient error handling during memory allocation for HTTP headers.

Our binary analysis revealed that the vulnerability arises because the IctHttpOpenMessage function makes only one retry attempt for memory allocation upon failure, after which it continues execution with an invalid pointer. This leads to heap corruption and ICM/Web Dispatcher crash.

Exploiting the vulnerability requires sending a series of HTTP requests with a gradually increasing number of headers (200-500), which under conditions of fragmented heap memory leads to allocation failures and a subsequent crash.

⚠ Recommendation

Organizations using SAP Web Dispatcher or SAP NetWeaver must immediately apply SAP Security Note 3677544 and update kernel to patch level 1528 or higher. The vulnerability has been confirmed through source code analysis and can be exploited in production environments.

Analysis by: Security Research Team

Publication Date: January 2026

CVE: CVE-2025-42877

SAP Security Note: 3677544

Affected: SAP Web Dispatcher PL < 1528, ICM in SAP NetWeaver, SAP Content Server

SAP Security Advisory – CVE-2025-42890 https://redrays.io/blog/cve-2025-42890-sap-sql-anywhere-hardcoded-credentials/ Wed, 12 Nov 2025 11:27:34 +0000

Critical Hard-Coded Credentials Vulnerability in SQL Anywhere Monitor (Non-GUI)

CVSS Score: 10.0
Severity: CRITICAL
Priority: HotNews
Published: Nov 11, 2025

🚨 Critical Alert

IMMEDIATE ACTION REQUIRED: SQL Anywhere Monitor contains hardcoded credentials that allow unauthenticated remote attackers to achieve arbitrary code execution with complete system compromise.

  • Attack Vector: Network (Remote)
  • Authentication: None Required
  • Impact: Complete System Compromise (CIA Triad: HIGH/HIGH/HIGH)
  • Exploitation: Active exploitation possible

Executive Summary

SAP SQL Anywhere Monitor (Non-GUI) version 17.0 contains hardcoded credentials embedded directly in the application code, specifically in the migrator.jar file. These credentials provide unauthenticated attackers with the ability to access the monitoring database (samonitor.db) and execute arbitrary code without any authentication requirements.

The vulnerability exists because SAP distributed a pre-configured monitoring database with default credentials that were never meant to be changed by users. This poses a maximum severity risk (CVSS 10.0) as it allows complete system takeover from remote attackers over the network.

Vulnerability Details

Hard-Coded Credentials in SQL Anywhere Monitor

CVSS 10.0 CVE-2025-42890 BC-SYB-SQA-ADM Hard-Coded Credentials
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Component: SAP SQL Anywhere Monitor (Non-GUI)
Affected Versions: SQL Anywhere 17.0 (all builds prior to 17.0 SP1 PL20 Build 8039)
SAP Note: 3666261

Technical Analysis

The vulnerability stems from hardcoded database credentials embedded in the com.ianywhere.serverMonitor.migrator.MonitorMigrator Java class within migrator.jar. The credentials are used to construct JDBC connection strings for accessing the SQL Anywhere Monitor database.

Evidence: Hardcoded Credentials Found

Location: migrator.jar: com/ianywhere/serverMonitor/migrator/MonitorMigrator.class

Hex Dump Evidence:

Username (UID):
Hex: 3b 55 49 44 3d 01 00 04 6d 64 62 61
ASCII: ;UID=....mdba
Value: mdba

Password (PWD):
Hex: 3b 50 57 44 3d 01 00 52 45 44 52 41 59 53 
ASCII: ;PWD=....sql%REDACTED%
Value: sql%REDACTED%

JDBC Connection String Pattern:

jdbc:sql%REDACTED%where:START=dbsrv17 -gd all -hV;ENG=...;
  DBF=...;DBN=samon_src;UID=mdba;ASTART=YES

jdbc:sql%REDACTED%where:ENG=samon_dest;PWD=sql%REDACTED%
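To show how evidence like the hex dump above can be found mechanically rather than by eye, here is an added example; it is not SAP's code and not a RedRays tool. It walks the constant pool of a Java .class image and, wherever a Utf8 constant ends in "UID=" or "PWD=", treats the next Utf8 constant as the candidate value, reporting the user name in clear but only the length of the password. The sample_class bytes are constructed for the demonstration (the password is a placeholder), and the adjacency heuristic is an assumption that happens to match the layout in the hex dump; a real run would first extract MonitorMigrator.class from the jar.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: scans the constant pool of a Java .class image for JDBC
   credential fragments. Not SAP's code and not a RedRays tool; sample_class[]
   is constructed for the demonstration and its password is a placeholder. */

#define MAX_VAL 64

typedef struct {
    int    utf8_entries;        /* CONSTANT_Utf8 entries walked */
    char   uid_value[MAX_VAL];  /* constant that follows a "...UID=" fragment */
    int    pwd_found;           /* 1 if a "...PWD=" fragment has a following constant */
    size_t pwd_len;             /* its length; the value itself is never copied out */
} cred_scan;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int ends_with(const uint8_t *s, size_t n, const char *suffix) {
    size_t m = strlen(suffix);
    return n >= m && memcmp(s + n - m, suffix, m) == 0;
}

/* Walks the constant pool (JVM spec §4.4 tag layout). Returns 0 on success,
   -1 if the image is not a well-formed class header/pool. */
int scan_class_constant_pool(const uint8_t *buf, size_t len, cred_scan *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || rd16(buf) != 0xCAFE || rd16(buf + 2) != 0xBABE) return -1;
    uint16_t cp_count = rd16(buf + 8);
    size_t off = 10;
    int pending = 0;  /* 0 none, 1 next Utf8 is a UID value, 2 next Utf8 is a PWD value */
    for (uint16_t i = 1; i < cp_count; i++) {
        if (off >= len) return -1;
        uint8_t tag = buf[off++];
        size_t skip = 0;
        switch (tag) {
        case 1: {  /* CONSTANT_Utf8: u2 length + bytes (modified UTF-8) */
            if (off + 2 > len) return -1;
            uint16_t n = rd16(buf + off);
            off += 2;
            if (off + n > len) return -1;
            const uint8_t *s = buf + off;
            out->utf8_entries++;
            if (pending == 1) {
                size_t c = n < MAX_VAL - 1 ? n : MAX_VAL - 1;
                memcpy(out->uid_value, s, c);
                out->uid_value[c] = '\0';
            } else if (pending == 2) {
                out->pwd_found = 1;
                out->pwd_len = n;          /* masked: keep only the length */
            }
            pending = ends_with(s, n, "UID=") ? 1 : ends_with(s, n, "PWD=") ? 2 : 0;
            off += n;
            continue;
        }
        case 7: case 8: case 16: case 19: case 20: skip = 2; break;  /* Class, String, MethodType, Module, Package */
        case 15: skip = 3; break;                                    /* MethodHandle */
        case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18: skip = 4; break;
        case 5: case 6: skip = 8; i++; break;                        /* Long/Double take two slots */
        default: return -1;
        }
        if (off + skip > len) return -1;
        off += skip;
    }
    return 0;
}

/* Constructed minimal class image: four Utf8 constants laid out the way the
   hex dump above shows (";UID=" then "mdba", ";PWD=" then a placeholder). */
static const uint8_t sample_class[] = {
    0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x34,   /* magic, minor 0, major 52 */
    0x00, 0x06,                                        /* constant_pool_count = 6 */
    0x01, 0x00, 0x05, ';', 'U', 'I', 'D', '=',
    0x01, 0x00, 0x04, 'm', 'd', 'b', 'a',
    0x01, 0x00, 0x05, ';', 'P', 'W', 'D', '=',
    0x01, 0x00, 0x06, 's', 'e', 'c', 'r', 'e', 't',    /* placeholder, not the real value */
    0x07, 0x00, 0x02,                                  /* CONSTANT_Class -> #2 */
};

static cred_scan g_result;
static int demo_scan(void) { return scan_class_constant_pool(sample_class, sizeof sample_class, &g_result); }
static const char *demo_uid(void) { demo_scan(); return g_result.uid_value; }
static size_t demo_pwd_len(void) { demo_scan(); return g_result.pwd_found ? g_result.pwd_len : 0; }
static int demo_utf8_entries(void) { demo_scan(); return g_result.utf8_entries; }

int main(void) {
    if (demo_scan() != 0) { puts("not a class file"); return 1; }
    printf("Utf8 constants: %d\n", demo_utf8_entries());
    printf("UID candidate: %s\n", demo_uid()[0] ? demo_uid() : "(none)");
    printf("PWD candidate: %s (%zu bytes, masked)\n", demo_pwd_len() ? "present" : "absent", demo_pwd_len());
    return 0;
}
```

Run over every .class in a jar (after unzipping it), a non-zero PWD length is the signal to investigate; keeping the password out of the report avoids copying the secret into scan logs.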

Attack Scenario

  1. Attacker identifies SQL Anywhere 17.0 installation with Monitor enabled
  2. Attacker connects to the monitoring database using credentials: mdba / sql%REDACTED%
  3. Attacker gains full database access and can execute arbitrary SQL commands
  4. Through database access, attacker achieves code execution on the host system
  5. Complete system compromise with access to all data and system resources

Impact Assessment

  • Confidentiality: HIGH - Complete access to monitoring data and potentially all database content
  • Integrity: HIGH - Ability to modify database content, configuration, and system files
  • Availability: HIGH - Capability to disrupt or destroy database and monitoring services
  • Scope: CHANGED - Impact extends beyond the vulnerable component to connected systems

Root Cause Analysis

Why This Vulnerability Exists

According to SAP Note 3666261, the SQL Anywhere Monitor was provided as a mitigation for Adobe Flash deprecation. To allow users to continue using monitoring functionality without migrating to SQL Anywhere Cockpit, SAP included a pre-configured monitoring database (samonitor.db) with the installation package.

The Problem: This pre-configured database was distributed with hardcoded default credentials that were never intended to be changed by end users. Environments that deployed SQL Anywhere Monitor without implementing additional security controls were left vulnerable to unauthorized access.

Fix Analysis: Build 8038 → Build 8039

Changes Between Vulnerable and Patched Versions

Build 8038 (VULNERABLE)

  • samonitor.db (5.9 MB) - Pre-configured database with credentials
  • samonitor.db1 - Transaction log
  • migrator.jar (60 KB) - Contains hardcoded credentials
  • Monitor fully functional with default credentials

Build 8039 (PATCHED)

  • samonitor.sql (18 KB) - Schema definition only
  • samonitor.sql1 - Empty schema template
  • migrator.jar (58 KB) - Credentials removed
  • Monitor database completely removed

Mitigation Strategy

SAP's fix takes a complete removal approach rather than attempting to change default credentials. The patch:

  1. Removes the pre-configured samonitor.db database entirely from the distribution
  2. Provides only SQL schema definitions (samonitor.sql) for manual database creation
  3. Updates migrator.jar to remove hardcoded credentials
  4. Forces administrators to manually create monitoring databases with unique credentials
  5. Deletes existing monitor databases during patch installation (with data unload option)

Remediation Actions

Immediate Actions Required

Priority 1: Emergency Patch Deployment

Install SQL Anywhere 17.0 SP1 PL20 Build 8039 immediately
Download: SAP Software Downloads
Documentation: SAP Note 3666261

Priority 2: Immediate Workaround (If Patching Not Immediately Possible)

    # Stop SQL Anywhere Monitor service
    dbstop -c "ENG=samonitor;UID=dba;PWD=sql"
    # Locate and delete all samonitor database files
    find / -name "samonitor*.db" -type f -delete
    find / -name "samonitor*.log" -type f -delete
    # Verify deletion
    find / -name "samonitor*" -type f

Priority 3: Network-Level Protection

  • Block network access to SQL Anywhere Monitor ports (default: TCP 2638, 2639)
  • Implement firewall rules restricting access to trusted management networks only
  • Enable network-level authentication and encryption (TLS)
  • Monitor for suspicious connection attempts to monitoring database

Priority 4: Migration Path

Migrate to SQL Anywhere Cockpit for secure monitoring functionality.
SQL Anywhere Cockpit provides modern monitoring capabilities without the security risks of the deprecated Monitor component.

Detection and Verification

Check for Vulnerable Systems

1. Identify SQL Anywhere Installations

    # Check SQL Anywhere version
    dbversion -q
    # Vulnerable if output shows: Version 17.0 Build < 8039

2. Check for Monitor Database Files

    # Search for samonitor database files
    find /opt/sql%REDACTED%where17 -name "samonitor.db"
    dir C:\SAP\sql%REDACTED%where17 /s /b | findstr samonitor.db
    # If files exist: VULNERABLE

3. Verify Patch Installation

    # After patching, verify:
    ls -la *samonitor*
    # Expected output (Build 8039+):
    # samonitor.sql (schema only, ~18KB)
    # NO samonitor.db files should exist

4. Security Audit

  • Review firewall logs for unauthorized connection attempts to ports 2638, 2639
  • Check SQL Anywhere audit logs for suspicious authentication attempts
  • Search for user accounts: mdba, dba with recent activity
  • Review application logs for unusual database queries or admin operations

Timeline

Nov 11, 2025: CVE-2025-42890 Published — SAP releases security note 3666261
Nov 11, 2025: Patch Released — SQL Anywhere 17.0 SP1 PL20 Build 8039 available
Nov 12, 2025: Technical Analysis — Hardcoded credentials identified in migrator.jar

SAP security patches November 2025 https://redrays.io/blog/sap-security-notes-november-2025/ Wed, 12 Nov 2025 09:40:03 +0000

SAP has released its November 2025 security patch package containing 20 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes three HotNews vulnerabilities with CVSS ratings of 10.0 and 9.9, one High priority issue, fourteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, SAP Solution Manager, SAP Business Connector, SAP HANA, CommonCryptoLib, and various application components.

Total Security Notes: 20
HotNews Critical: 3
High Priority: 1
Medium Priority: 14
Low Priority: 2

Executive Summary

  • Maximum Severity Insecure Deserialization: CVE-2025-42944 (CVSS 10.0) in NetWeaver AS Java RMI-P4 and CVE-2025-42890 (CVSS 10.0) in SQL Anywhere Monitor allow unauthenticated remote code execution with complete system compromise across connected environments.
  • Critical Code Injection: CVE-2025-42887 (CVSS 9.9) in SAP Solution Manager enables authenticated attackers to execute arbitrary code with full system takeover and cross-scope impact.
  • Cryptographic Vulnerability: CVE-2025-42940 (CVSS 7.5) memory corruption in SAP CommonCryptoLib causes denial of service affecting cryptographic operations across SAP landscape.
  • Multiple Injection Vectors: JNDI injection in NetWeaver Portal, OS command injection in Business Connector, SQL injection in Starter Solution, and code injection in HANA JDBC Client requiring immediate attention.

Critical HotNews Vulnerabilities

Insecure Deserialization in NetWeaver AS Java

10.0 CVE-2025-42944 BC-JAS-COR Deserialization
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Security hardening for insecure deserialization vulnerability in SAP NetWeaver AS Java allows unauthenticated remote attackers to execute arbitrary code without authentication. This maximum severity flaw enables complete system compromise with full confidentiality, integrity, and availability impact across connected environments.

SAP Note 3660659 — emergency patch required immediately.

Insecure Key & Secret Management in SQL Anywhere Monitor

10.0 CVE-2025-42890 BC-SYB-SQA-ADM Secret Management
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Critical insecure key and secret management vulnerability in SQL Anywhere Monitor (Non-Gui) allows unauthenticated remote attackers to compromise cryptographic secrets. Successful exploitation leads to complete system takeover with maximum impact on confidentiality, integrity, and availability across connected systems.

SAP Note 3666261 — patch within 24 hours.

Code Injection in SAP Solution Manager

9.9 CVE-2025-42887 SV-SMG-SVD-SWB Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP Solution Manager allows authenticated attackers with low privileges to inject and execute malicious code. The vulnerability has cross-scope impact enabling complete compromise of confidentiality, integrity, and availability across connected systems.

Technical Details: The vulnerability affects function module DSVAS_CHECK_SDCC_IMPORT_PARAMS in function group DSVAS_DEV_DL. Vulnerable component: SAP Solution Manager (ST) Release 720, correction instructions 0020751259 and 0001694331. The flaw allows parameter manipulation during import operations, enabling code injection through improperly validated BDLFUPIMP table entries where IS_DEFAULT is initial.

SAP Note 3668705 — immediate patching required.

High Priority Security Issues

Memory Corruption in SAP CommonCryptoLib

7.5 CVE-2025-42940 BC-IAM-SSO-CCL Memory Corruption
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Memory corruption vulnerability in SAP CommonCryptoLib allows unauthenticated remote attackers to cause denial of service conditions. As CommonCryptoLib is a foundational cryptographic library used across the SAP landscape, this vulnerability has widespread impact on availability of cryptographic operations.

SAP Note 3633049 — high priority patch within 48 hours.

Medium Priority Vulnerabilities

OS Command Injection in SAP Business Connector

6.8 CVE-2025-42892 BC-MID-BUS Command Injection
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OS command injection vulnerability in SAP Business Connector allows high-privileged attackers on adjacent networks to execute arbitrary operating system commands leading to complete system compromise.

SAP Note 3665900 — schedule patch.

Code Injection in SAP HANA JDBC Client

6.9 CVE-2025-42895 HAN-DB-CLI Code Injection
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H

Code injection vulnerability in SAP HANA JDBC Client allows high-privileged local attackers to inject malicious code with user interaction, resulting in cross-scope impact on availability and partial impact on confidentiality and integrity.

SAP Note 3643385 — medium priority.

Path Traversal in SAP Business Connector

6.8 CVE-2025-42894 BC-MID-BUS Path Traversal
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Path traversal vulnerability in SAP Business Connector enables high-privileged attackers on adjacent networks to access files outside intended directories, potentially leading to unauthorized data access and system compromise.

SAP Note 3666038 — apply patch.

JNDI Injection in NetWeaver Enterprise Portal

6.5 CVE-2025-42884 EP-PIN-APF-CAT JNDI Injection
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

JNDI injection vulnerability in SAP NetWeaver Enterprise Portal allows unauthenticated remote attackers to manipulate JNDI lookups, potentially leading to unauthorized information disclosure and data manipulation.

SAP Note 3660969 — maintenance window.

Reflected XSS in SAP Business Connector

6.1 CVE-2025-42886 BC-MID-BUS XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reflected Cross-Site Scripting vulnerability in SAP Business Connector allows unauthenticated attackers to inject malicious scripts that execute in victims' browsers with cross-scope impact.

SAP Note 3665907 — apply update.

Open Redirect in SAP Business Connector

6.1 CVE-2025-42893 BC-MID-BUS Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirect vulnerability in SAP Business Connector allows unauthenticated attackers to redirect users to malicious sites, enabling phishing attacks and credential theft with cross-scope impact.

SAP Note 3662000 — schedule update.

Open Redirect in SAP E-Recruiting

6.1 CVE-2025-42924 PA-ER Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirect vulnerabilities in SAP S/4HANA E-Recruiting BSP component enable unauthenticated attackers to redirect users to external malicious sites for phishing and social engineering attacks.

SAP Note 3642398 — routine update.

Missing Authentication in SAP HANA hdbrss

5.8 CVE-2025-42885 HAN-DB-ENG Missing Auth
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Missing authentication vulnerability in SAP HANA 2.0 hdbrss component allows unauthenticated remote attackers to access sensitive information with cross-scope impact on confidentiality.

SAP Note 3639264 — apply fix.

Information Disclosure in SAP GUI for Windows

5.5 CVE-2025-42888 BC-FES-GUI Info Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Information disclosure vulnerability in SAP GUI for Windows allows high-privileged local users to access sensitive information with cross-scope impact requiring user interaction.

SAP Note 3651097 — apply update.

SQL Injection in SAP Starter Solution

5.4 CVE-2025-42889 FI-LOC-SAF-PL SQL Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SQL injection vulnerability in SAP Starter Solution (PL SAFT) allows authenticated attackers with low privileges to manipulate SQL queries, leading to unauthorized data access and modification.

SAP Note 2886616 — schedule patch.

Information Disclosure in NetWeaver AS Java

5.3 CVE-2025-42919 BC-JAS-WEB Info Disclosure
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP NetWeaver Application Server Java allows unauthenticated remote attackers to access low-level sensitive information from the system.

SAP Note 3643603 — apply patch.

Information Disclosure in SAP Business One SLD

5.3 CVE-2025-42897 SBO-BC-SLD Info Disclosure
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Business One Service Layer Discovery (SLD) component allows unauthenticated remote attackers to access sensitive system information.

SAP Note 3652901 — routine update.

Missing Authorization in NetWeaver ABAP

4.3 CVE-2025-42882 BC-DB-DB6 Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated users to access information beyond their authorization level.

SAP Note 3643337 — apply fix.

Missing Authorization in SAP S4CORE

4.3 CVE-2025-42899 FI-FIO-GL-TRA Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in SAP S4CORE Manage Journal Entries application allows authenticated users with low privileges to access sensitive financial information.

SAP Note 3530544 — schedule update.

Low Priority Security Updates

Cache Poisoning in SAP Fiori for SAP ERP

3.1 CVE-2025-23191 OPU-GW-COR Cache Poisoning
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Cache poisoning vulnerability through header manipulation in SAP Fiori for SAP ERP allows authenticated attackers with low privileges to manipulate cached content under complex attack conditions.

SAP Note 3426825 — regular maintenance cycle.

Insecure File Operations in NetWeaver ABAP Migration Workbench

2.7 CVE-2025-42883 BC-SRV-DX-DXW File Operations
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Insecure file operations vulnerability in SAP NetWeaver Application Server for ABAP Migration Workbench allows high-privileged administrators to perform limited integrity impact operations.

SAP Note 3634053 — low priority update.
