CVE-2025-42950
SAP · SAP Landscape Transformation Multiple Products
A critical vulnerability has been identified in SAP Landscape Transformation (SLT) products, assigned a CVSS score of 9.9.
Executive summary
A critical vulnerability has been identified in SAP Landscape Transformation (SLT) products, assigned a CVSS score of 9.9. An attacker with existing user credentials can exploit this flaw to inject and execute arbitrary code on the SAP system, potentially leading to a complete compromise of business data, disruption of critical operations, and full administrative control over the affected application. Immediate patching is required to mitigate the severe risk to the organization's core business functions.
Vulnerability
The vulnerability exists within a function module exposed via the Remote Function Call (RFC) interface in SAP SLT. An authenticated attacker, even with low-level user privileges, can send a specially crafted RFC request to this function module. Due to insufficient input validation, the attacker's malicious payload is interpreted and executed as ABAP code, resulting in Remote Code Execution (RCE) on the SAP application server. This allows the attacker to operate with the privileges of the SAP system service, enabling them to read, modify, or delete sensitive business data, manipulate system processes, and escalate their privileges.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation could have catastrophic consequences for the organization. An attacker could gain complete control over the SAP system, leading to the theft or manipulation of highly sensitive financial, customer, and employee data. This could result in significant financial fraud, disruption of mission-critical business processes like supply chain and manufacturing, severe reputational damage, and major regulatory fines for non-compliance with standards such as SOX and GDPR. The ability to execute code directly on the SAP server effectively hands the keys to the kingdom to an attacker, posing an existential threat to business integrity and continuity.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately. Administrators must update the affected SAP Landscape Transformation products to the corrected version that addresses this vulnerability. After patching, it is crucial to review system access logs for any signs of compromise that may have occurred prior to the update.
Proactive Monitoring: Implement enhanced monitoring of RFC traffic. Specifically, security teams should look for unusual or unauthorized calls to function modules, especially from unexpected user accounts or source systems. Review the SAP Security Audit Log (transaction SM20) for suspicious activities, such as unauthorized code execution, privilege escalation attempts, or unexpected changes to system configurations. Monitor for the creation of new or modified ABAP programs outside of normal development cycles.
Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce the attack surface:
- Strictly review and limit RFC access to the affected systems. Disable RFC access for users who do not explicitly require it.
- Enforce strong authorization checks on the S_RFC authorization object to restrict which function modules can be executed by specific users.
- Segment the network to isolate the SLT system from less trusted parts of the corporate network.
- Deploy an SAP-aware Intrusion Prevention System (IPS) or Web Application Firewall (WAF) to inspect RFC traffic for malicious patterns and block potential exploit attempts.
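The monitoring guidance above (unexpected callers or source systems hitting SLT function modules, ABAP objects created outside normal development cycles) and the S_RFC allow-list control can be expressed as a small detection pass over exported log records. The script below is an added, constructed example written for this page; it is not the advisory's, SAP's or any vendor's code. It assumes a simplified, hypothetical `timestamp key=value ...` line format rather than the real Security Audit Log (SM20) or gateway log layout, and every user name, host, function group and function module name in it is a placeholder, since the advisory does not name the affected function module.

```python
"""Constructed detection sketch for RFC activity around an SLT system.

Not the advisory's or SAP's code. The log format is a simplified, hypothetical
key=value layout, not the real SM20 or gateway log format; user names, hosts,
function group and function module names are placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Placeholder: the advisory does not name the affected function module, so the
# whole SLT function group is treated as sensitive (hypothetical group name).
SENSITIVE_FUNCTION_GROUP = "SLT_REPLICATION"

# Expected callers of that group and the source hosts they may call from. This
# is what an S_RFC restriction should encode on the SAP side; here it is only
# used to flag calls that fall outside it (constructed values).
ALLOWED_CALLERS: Dict[str, set] = {
    "SLT_SERVICE": {"10.0.5.10"},
}

# Hours (UTC, start inclusive, end exclusive) in which ABAP objects are normally
# created or changed; creation or change outside this window is flagged.
DEV_WINDOW = (8, 18)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    kind: str
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one 'timestamp key=value ...' line; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        return Event(ts, fields.pop("user"), fields.pop("src"),
                     fields.pop("event"), fields)
    except (KeyError, ValueError):
        return None


def analyze(lines: List[str]) -> List[str]:
    """Return one finding per suspicious event; an empty list means nothing flagged."""
    findings: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, not treated as findings
        when = ev.ts.isoformat()
        if ev.kind == "RFC_CALL" and ev.fields.get("group") == SENSITIVE_FUNCTION_GROUP:
            fm = ev.fields.get("fm", "?")
            allowed_src = ALLOWED_CALLERS.get(ev.user)
            if allowed_src is None:
                # Caller is not on the allow-list at all (S_RFC should have blocked this).
                findings.append(f"{when} UNEXPECTED_USER {ev.user} called {fm} from {ev.src}")
            elif ev.src not in allowed_src:
                # Known technical user, but from a host it never calls from.
                findings.append(f"{when} UNEXPECTED_SOURCE {ev.user} called {fm} from {ev.src}")
        elif ev.kind in ("ABAP_CREATE", "ABAP_CHANGE"):
            if not (DEV_WINDOW[0] <= ev.ts.hour < DEV_WINDOW[1]):
                obj = ev.fields.get("object", "?")
                findings.append(f"{when} OFF_HOURS_{ev.kind} {obj} by {ev.user} from {ev.src}")
    return findings


# Constructed sample log in the hypothetical format described above.
SAMPLE_LOG = [
    "2025-06-10T09:15:02Z user=SLT_SERVICE src=10.0.5.10 event=RFC_CALL group=SLT_REPLICATION fm=SLT_FM_PLACEHOLDER",
    "2025-06-10T09:16:44Z user=JDOE src=10.0.7.55 event=RFC_CALL group=SLT_REPLICATION fm=SLT_FM_PLACEHOLDER",
    "2025-06-10T09:17:10Z user=SLT_SERVICE src=192.168.44.3 event=RFC_CALL group=SLT_REPLICATION fm=SLT_FM_PLACEHOLDER",
    "2025-06-10T10:00:00Z user=DEV1 src=10.0.9.1 event=RFC_CALL group=HR_REPORTS fm=HR_FM_PLACEHOLDER",
    "2025-06-10T02:41:33Z user=JDOE src=10.0.7.55 event=ABAP_CREATE object=ZTMP_REPORT",
    "2025-06-10T11:02:00Z user=DEV1 src=10.0.9.1 event=ABAP_CREATE object=ZREPORT_OK",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the pass flags three records: the interactive user calling into the SLT function group, the SLT technical user calling from an unexpected host, and an ABAP object created at 02:41 UTC. The first of these is exactly the case an S_RFC restriction is meant to prevent, so a hit there after the control is in place also indicates the authorization concept is not yet effective.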
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical and immediate threat to the organization. Due to the 9.9 CVSS score and the potential for complete system compromise, we strongly recommend that immediate action be taken to apply the vendor-supplied patches across all affected SAP SLT systems. This vulnerability should be treated as the highest priority for your SAP security and Basis teams. While it is not yet on the CISA KEV list, its severity makes it a prime candidate for future inclusion. If patching is delayed for any reason, the compensating controls and proactive monitoring recommendations must be implemented without delay to mitigate risk.