A backdoor in April

April 24, 2025

Category: Zero Days and Patches

This blog post provides insight into a serious vulnerability discovered and reported by CAIBERP Research, which was patched on the April 2025 SAP Patch Day.

While performing an automated code analysis of an SAP S/4HANA stack with our solution Relevan-C for a client, we discovered a potential Remote Code Execution (RCE) vulnerability in SAP's standard code. After a short analysis, it turned out that the vulnerability could be exploited by any user with sufficient S_RFC privileges, i.e. privileges to call SAP's function modules remotely.

Such privileges are more or less common in customer installations. In other words, on an average customer installation, a number of users could use this vulnerability to install and run arbitrary ABAP code on an SAP server. The vulnerability was even capable of overwriting arbitrary standard SAP programs. A vulnerability of this kind gives an attacker complete control over the affected SAP system: read and write access to all data, the ability to sabotage the system, and the ability to deploy malware.

Curiously, all the affected function module did was receive code and a program name via parameters and create/overwrite the specified program with the given code. That is probably why SAP itself called this vulnerability a backdoor. A vulnerability like this qualifies as an excellent malware entry vector - EV03 according to our list of potential malware entry vectors. It also offers malware an excellent path for lateral movement within an SAP landscape. And, of course, it is very useful for a human attacker.

Please note that, according to the note text 'Private Cloud or On-Premises', this vulnerability affects not only on-premises systems but also SAP RISE installations.

As this vulnerability is highly critical (CVSS score 9.9), we decided with the customer to report it to SAP.

SAP confirmed it and promptly issued a fix. Well, actually two fixes:

  • SAP Note 3581961 "Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)" [CVE-2025-27429]
  • SAP Note 3587115 "Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)" [CVE-2025-31330]

But some questions remain. How can modern platforms like S/4HANA and RISE contain such a serious backdoor?

Checking the creation/change date of the function module revealed that it was more than 10 years old. This means that the vulnerability went undetected for a decade, despite SAP's security QA measures, including their CVA solution. Was the code so complex and difficult to inspect that testers and automated solutions could not find the flaw? Actually, no. The function module consists of fewer than 40 lines of code, the programming is straightforward and the flaw absolutely obvious. No complex control flow, no subroutines, no exits.
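As an added illustration of how elementary the pattern described above is to detect (this is neither CAIBERP's Relevan-C, SAP's CVA, nor the affected SAP code), the following Python check flags a function module whose INSERT REPORT or GENERATE SUBROUTINE POOL operands are taken straight from its interface parameters, which is the shape of the backdoor discussed in this post. The ABAP samples, module names and parameter names are constructed; the RFC-enabled attribute is function module metadata rather than source text, so it is passed in as a flag.

```python
import re
from dataclasses import dataclass

# Constructed sample sources (not SAP code and not the affected module).
# The '*"' lines mirror the interface header SE37 generates for a function module.
VULNERABLE_FM = """\
FUNCTION z_demo_store_program.
*"  IMPORTING
*"     VALUE(IV_PROGNAME) TYPE  PROGRAMM
*"     VALUE(IT_SOURCE) TYPE  RSWSOURCET
  INSERT REPORT iv_progname FROM it_source.
ENDFUNCTION.
"""
SAFE_FM = """\
FUNCTION z_demo_generate_fixed.
*"  IMPORTING
*"     VALUE(IV_DUMMY) TYPE  CHAR1
  DATA lt_src TYPE rswsourcet.
  APPEND 'REPORT z_fixed.' TO lt_src.
  INSERT REPORT 'Z_FIXED' FROM lt_src.
ENDFUNCTION.
"""

NAME_RE = re.compile(r"^\s*FUNCTION\s+(\S+?)\.", re.I | re.M)
PARAM_RE = re.compile(r'^\*"\s+(?:VALUE|REFERENCE)\((\w+)\)', re.I | re.M)
# Statements that persist or compile code at runtime; their operands are captured.
SINK_RE = re.compile(
    r"^\s*(INSERT\s+REPORT\s+(\S+)\s+FROM\s+(\S+)|GENERATE\s+SUBROUTINE\s+POOL\s+(\S+))",
    re.I | re.M)

@dataclass
class Finding:
    module: str
    statement: str
    tainted: list  # interface parameters used directly as sink operands
    remote: bool   # RFC-enabled: reachable by any caller holding S_RFC for the group

def scan_function_module(src: str, rfc_enabled: bool) -> list:
    """Flag code-writing statements whose operands are interface parameters."""
    name = NAME_RE.search(src).group(1)
    params = {p.lower() for p in PARAM_RE.findall(src)}
    findings = []
    for m in SINK_RE.finditer(src):
        operands = [o.rstrip(".").lower() for o in m.groups()[1:] if o]
        tainted = [o for o in operands if o in params]
        if tainted:  # direct parameter-to-sink flow only; local copies are not tracked
            findings.append(Finding(name, m.group(1).strip(), tainted, rfc_enabled))
    return findings
```

Running scan_function_module over VULNERABLE_FM reports the INSERT REPORT statement with both parameters as caller-controlled, while SAFE_FM, which writes a fixed program from a local table, produces no finding.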

Are SAP's testers and SAP's CVA solution both missing trivial vulnerability patterns - which we consider unlikely - or has the function module in question never been scanned/checked?

Both alternatives leave us somewhat perplexed.