Alert: Exploit available to threat actors for SAP S/4HANA critical vulnerability

delete and insert data directly in the SAP Database; creating SAP users with SAP_ALL; download password hashes; modify business processes.

“Historically, it has been difficult to apply patches to these complex systems, and many organizations will require careful (and slow) testing before the patches are deployed in production,” Johannes Ullrich, dean of research at the SANS Institute, told CSO. “ERP systems like SAP are a serious and often underappreciated target. S/4HANA is an in-memory database supporting the SAP ERP system. Compromising it could give an attacker not only access to the data stored in the SAP system, but sometimes, more dangerously, an attacker could modify the data, leading to bad business decisions. These data modification attacks are more stealthy and very difficult to detect and counter.”

“This vulnerability could fill in an important gap in an attacker’s arsenal to attack these systems,” he added. “They will still need some credentials, but they could be low-level credentials they found via some other attack.”

Platform complexity leads to potential vulnerabilities

SAP S/4HANA is no stranger to vulnerabilities. In April, for example, a cross-site request forgery vulnerability (CVE-2025-31328) was discovered in S/4HANA’s Learning Solution module. In February, an open redirect vulnerability was found in S/4HANA’s Extended Application (XS) Services Advanced Model (CVE-2025-24868) that allows an unauthenticated attacker to craft a malicious link that redirects an unwitting victim to a malicious website.

Eric Mehler, a Germany-based CISO who blogs on common security vulnerabilities in S/4HANA, has written that the complexity of the platform can introduce security vulnerabilities, often due to misconfiguration or oversight. These issues include keeping default SAP accounts that still use default passwords, granting excessive user permissions, allowing unencrypted SAP traffic or traffic over outdated protocols such as TLS 1.0, insufficient traffic monitoring and logging, and insecure ABAP programming practices.

“Threat actors are very active in targeting SAP applications,” Onapsis’ Perez-Etchegoyen said. Last month, a weaponized exploit for a zero-day vulnerability in SAP NetWeaver (CVE-2025-31324, a missing authentication flaw) was allegedly released by a gang, he noted. “So it’s more important than ever for organizations to integrate SAP security into their IT security landscape” and apply patches as soon as possible.
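The misconfiguration categories listed above (default accounts with unchanged default passwords, SAP_ALL handed to ordinary users, cleartext or TLS 1.0 traffic, no security audit log) are the kind of thing a defender can turn into a repeatable audit. The following is an added example, not code from the article or from any SAP tool: it evaluates a hand-built snapshot of system settings against those categories and returns findings by severity. The snapshot schema (`accounts`, `tls_protocols_enabled`, `unencrypted_protocols_allowed`, `security_audit_log_enabled`) is invented for this example and is not an SAP export format; the standard account names are the well-known SAP delivery accounts, and the sample data is constructed.

```python
"""Constructed config-audit example for the SAP misconfiguration categories
named in the article. The snapshot schema is invented for illustration; it is
not an SAP export format, and the sample values are made up."""
from dataclasses import dataclass

# Well-known SAP delivery accounts that ship with documented default passwords.
KNOWN_DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Protocol versions that should not be negotiable on SAP endpoints.
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "medium"
    check: str      # short rule identifier
    detail: str     # human-readable explanation


def audit_snapshot(snapshot: dict) -> list[Finding]:
    """Apply the article's misconfiguration checklist to a settings snapshot."""
    findings: list[Finding] = []
    accounts = snapshot.get("accounts", [])

    # 1. Delivery accounts that still carry their default password.
    for acct in accounts:
        if acct["name"] in KNOWN_DEFAULT_ACCOUNTS and acct.get("default_password_unchanged"):
            findings.append(Finding("critical", "default-password",
                f"{acct['name']} in client {acct['client']} still uses its default password"))

    # 2. Excessive permissions: SAP_ALL on anything but a designated emergency user.
    for acct in accounts:
        if "SAP_ALL" in acct.get("profiles", []) and acct.get("type") != "emergency":
            findings.append(Finding("high", "excessive-privilege",
                f"{acct['name']} in client {acct['client']} holds SAP_ALL outside an emergency-user process"))

    # 3. Transport security: outdated TLS versions or cleartext protocols allowed.
    weak = WEAK_TLS_VERSIONS & set(snapshot.get("tls_protocols_enabled", []))
    if weak:
        findings.append(Finding("high", "weak-tls",
            "outdated protocol versions negotiable: " + ", ".join(sorted(weak))))
    cleartext = snapshot.get("unencrypted_protocols_allowed", [])
    if cleartext:
        findings.append(Finding("high", "cleartext-traffic",
            "unencrypted SAP traffic permitted for: " + ", ".join(cleartext)))

    # 4. Monitoring: the security audit log must be switched on.
    if not snapshot.get("security_audit_log_enabled", False):
        findings.append(Finding("medium", "no-audit-log",
            "security audit log is disabled; logon and privilege events are not recorded"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a report can lead with the worst items."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample snapshot (not real system data).
SAMPLE_SNAPSHOT = {
    "accounts": [
        {"name": "SAP*", "client": "000", "default_password_unchanged": False,
         "profiles": ["SAP_ALL"], "type": "standard"},
        {"name": "DDIC", "client": "100", "default_password_unchanged": True,
         "profiles": ["SAP_ALL"], "type": "standard"},
        {"name": "JDOE", "client": "100", "default_password_unchanged": False,
         "profiles": ["SAP_ALL"], "type": "dialog"},
        {"name": "FF_ADMIN", "client": "100", "default_password_unchanged": False,
         "profiles": ["SAP_ALL"], "type": "emergency"},
    ],
    "tls_protocols_enabled": ["TLSv1.0", "TLSv1.2"],
    "unencrypted_protocols_allowed": ["DIAG", "RFC"],
    "security_audit_log_enabled": False,
}

if __name__ == "__main__":
    for f in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{f.severity.upper():8}] {f.check}: {f.detail}")
    print(summarize(audit_snapshot(SAMPLE_SNAPSHOT)))
```

On the constructed sample this reports one critical finding (DDIC with its default password), five high findings (three SAP_ALL holders outside the emergency-user process, TLS 1.0 negotiable, cleartext DIAG/RFC) and one medium (audit log off). The emergency account is deliberately excluded from the SAP_ALL rule so that a firefighter-style process does not drown the report in noise; whether that exclusion is right for a given landscape is a policy decision.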

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4051870/alert-exploit-available-to-threat-actors-for-sap-s-4hana-critical-vulnerability.html
