CVE-2025-42967
SAP · SAP S/4HANA and SAP SCM
A critical remote code execution (RCE) vulnerability has been identified in the Characteristic Propagation function of SAP S/4HANA and SAP SCM.
Executive summary
A critical remote code execution (RCE) vulnerability has been identified in the Characteristic Propagation function of SAP S/4HANA and SAP SCM. This flaw, with a CVSS score of 9.9, could allow an unauthenticated remote attacker to take complete control of affected SAP systems. Successful exploitation would severely impact core business operations, including enterprise resource planning and supply chain management, leading to significant data breaches and operational disruption.
Vulnerability
The vulnerability exists within the Characteristic Propagation component, which is responsible for handling and distributing object characteristics across the SAP environment. A lack of proper input validation allows a remote, unauthenticated attacker to send a specially crafted request to the service. This malicious request can trigger a buffer overflow or command injection, leading to the execution of arbitrary code on the underlying server with the privileges of the SAP service account. Exploitation requires network access to the vulnerable SAP application service but does not require any user credentials or interaction.
Business impact
This vulnerability is rated as Critical severity with a CVSS score of 9.9. Exploitation could lead to a complete compromise of the confidentiality, integrity, and availability of the affected SAP systems. The potential business impact is severe and includes:
- Data Theft: Unauthorized access to and exfiltration of highly sensitive business data, such as financial records, customer information, pricing, and intellectual property.
- System Sabotage: Malicious modification or deletion of critical data, leading to disruption of supply chain logistics, manufacturing processes, and financial reporting.
- Complete System Downtime: An attacker could shut down core ERP and SCM systems, causing a complete halt to business operations that rely on them.
- Lateral Movement: Compromised SAP systems could be used as a pivot point to launch further attacks across the corporate network.
Remediation
Immediate Action: Organizations must prioritize the deployment of the official security patches provided by SAP for all affected S/4HANA and SCM systems. Due to the critical nature of this vulnerability, these patches should be applied on an emergency basis according to the organization's change management process.
Proactive Monitoring: Security teams should actively monitor for signs of attempted exploitation. This includes reviewing SAP security audit logs for anomalous calls to the Characteristic Propagation function, monitoring for unexpected network traffic patterns to SAP application servers, and implementing alerts for suspicious child processes spawned by the SAP service (e.g., cmd.exe, /bin/sh, powershell.exe).
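The child-process alert described above can be prototyped as follows. This is an added example, not SAP's or the advisory author's code. The event field names (`parent_image`, `image`, `command_line`, `pid`), the SAP parent process names, the allowlist entry and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath
import posixpath

# Assumed SAP kernel process names (not listed in the advisory); adjust per landscape.
SAP_PARENTS = {"disp+work", "disp+work.exe", "sapstartsrv", "sapstartsrv.exe"}
# Shells named in the advisory, plus common equivalents (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "pwsh", "pwsh.exe"}
# Constructed allowlist: exact command lines of known, approved external commands.
ALLOWED = {"/bin/sh -c /usr/sap/scripts/backup_check.sh"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    name = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
    return name.lower()

def suspicious_spawns(lines, allowed_cmdlines=frozenset()):
    """Return process-creation events where an SAP process spawned a shell."""
    hits = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        parent = basename(ev.get("parent_image") or "")
        child = basename(ev.get("image") or "")
        if parent in SAP_PARENTS and child in SHELLS:
            if ev.get("command_line") not in allowed_cmdlines:
                hits.append(ev)
    return hits

# Constructed sample events in a hypothetical normalized schema (SID "S4H" is made up).
SAMPLE = [json.dumps(e) for e in [
    {"pid": 101, "parent_image": "C:\\usr\\sap\\S4H\\D00\\exe\\disp+work.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"pid": 102, "parent_image": "/usr/sap/S4H/D00/exe/disp+work",
     "image": "/bin/sh", "command_line": "/bin/sh -c id"},
    {"pid": 103, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\powershell.exe", "command_line": "powershell.exe"},
    {"pid": 104, "parent_image": "/usr/sap/S4H/D00/exe/disp+work",
     "image": "/bin/sh", "command_line": "/bin/sh -c /usr/sap/scripts/backup_check.sh"},
]] + ["{truncated record"]

if __name__ == "__main__":
    for ev in suspicious_spawns(SAMPLE, ALLOWED):
        print("ALERT", ev["pid"], ev["parent_image"], "->", ev["command_line"])
```

SAP systems can legitimately start operating-system commands, so build the allowlist from a baseline of the landscape before enabling alerting.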
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk:
- Restrict network access to the vulnerable SAP services at the network perimeter and internally, allowing connections only from trusted, authorized application hosts.
- Deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) with rules or signatures designed to detect and block exploit attempts against this specific vulnerability.
- Ensure the SAP service account runs with the principle of least privilege to limit the impact of a potential compromise.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical and immediate threat to the organization. We strongly recommend that all vulnerable SAP S/4HANA and SAP SCM systems be patched immediately. This activity should be treated with the highest priority. If patching cannot be performed right away, the compensating controls outlined above, particularly network segmentation, must be implemented as a temporary measure. The potential for complete system compromise and severe business disruption far outweighs the operational cost of applying an emergency patch.