A critical vulnerability has been identified in multiple SAP products, including S/4HANA, which allows an attacker with administrative access to inject and execute malicious code. This flaw can be exploited to bypass security controls, leading to a complete compromise of the affected SAP system. Successful exploitation could result in significant data breaches, operational disruption, and a complete loss of system confidentiality, integrity, and availability.

This vulnerability exists within a function module exposed via Remote Function Call (RFC) in SAP S/4HANA systems. An authenticated attacker with administrative privileges can send specially crafted requests to this function module to inject and execute arbitrary ABAP code or operating system (OS) commands. The flaw improperly validates input, allowing the attacker to bypass standard authorization checks and gain unrestricted control over the underlying SAP application server and operating system, effectively creating a persistent backdoor.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could lead to a full system compromise, posing a severe risk to the organization. The potential consequences include unauthorized access to and exfiltration of sensitive business data (e.g., financial records, customer information, intellectual property), manipulation of critical business transactions, and complete disruption of enterprise resource planning (ERP) operations. The financial and reputational damage from such an incident would be substantial, undermining trust and potentially leading to regulatory penalties.

Immediate Action:

• Immediately apply the security patches provided by SAP. Refer to the official SAP security advisory for specific patch details corresponding to your product versions.
• Prioritize patching for internet-facing or business-critical systems.
• After patching, validate that the updates have been successfully applied and the vulnerability is mitigated.

Proactive Monitoring:

• Review SAP security audit logs for unusual or unauthorized RFC calls, particularly to the affected function module.
• Monitor for any suspicious OS-level commands being executed by SAP service accounts (e.g., <sid>adm).
• Implement enhanced logging and monitoring for all users with administrative privileges to detect anomalous activity patterns.
• Analyze network traffic for unexpected RFC connections or payloads.

Compensating Controls:

• If immediate patching is not feasible, restrict network access to RFC ports from untrusted sources.
• Enforce the principle of least privilege by strictly limiting the number of users with administrative roles.
• Implement multi-factor authentication (MFA) for all administrative accounts to add an extra layer of security.
• Deploy an Intrusion Prevention System (IPS) with rules capable of detecting and blocking malicious RFC traffic patterns.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the potential for complete system compromise, organizations must treat this vulnerability with the highest priority. Although an attacker requires pre-existing administrative credentials, this flaw allows for a significant escalation of access beyond normal administrative functions, including direct OS control. We strongly recommend that all affected SAP systems are patched immediately to prevent exploitation. While this CVE is not currently on the CISA KEV list, its severity makes it a likely candidate for future inclusion, and proactive remediation is the most effective defense.