CVE-2025-0063
📋 TL;DR
SAP NetWeaver AS ABAP and ABAP Platform have an authorization bypass vulnerability in RFC function modules: the affected modules do not perform the necessary authorization checks. An attacker who holds only basic (ordinary, authenticated) user privileges can execute unauthorized database operations against an Informix database, compromising the confidentiality, integrity and availability of the data stored there. Any organization running an affected release on Informix is exposed.
💻 Affected Systems
- SAP NetWeaver AS ABAP
- SAP ABAP Platform
📦 What is this software?
SAP NetWeaver Application Server ABAP is the runtime and application server for SAP's ABAP-based business applications (ERP/ECC, S/4HANA and many add-ons); "ABAP Platform" is the name used for the same stack in newer releases. RFC (Remote Function Call) is the interface through which remote-enabled function modules are invoked by other SAP systems, connectors and users, so a missing authorization check inside such a module is reachable by anyone who can log on and call it.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Informix database with full data exposure, data manipulation, and service disruption through unauthorized RFC function execution.
Likely Case
Unauthorized data access and modification by internal users or attackers who have obtained basic credentials.
If Mitigated
Reduced impact if RFC access to the affected function modules is restricted by authorization, SAP systems are segmented from untrusted networks, and anomalous RFC calls are monitored. Note that the attacker only needs an ordinary user account, so network placement alone does not protect against insiders or stolen credentials.
🎯 Exploit Status
Requires only basic user credentials (an ordinary authenticated account). Exploitation consists of calling the affected RFC function modules, which do not perform the necessary authorization checks, so no additional privileges or special tooling beyond an RFC client are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3550816
Vendor Advisory: https://me.sap.com/notes/3550816
Restart Required: No
Instructions:
1. Download SAP Note 3550816 from the SAP Support Portal.
2. Apply the correction instructions in the note (or confirm the system is already at a Support Package level that the note lists as containing the fix).
3. Test in a development environment first.
4. Deploy to production systems during a maintenance window.
🔧 Temporary Workarounds
Restrict RFC Function Module Access
Implement authorization checks and restrictions on the vulnerable RFC function modules using SAP authorization objects:
- Use transaction SU24 to maintain the authorization proposals for the affected RFC function modules
- Review and adjust roles and profiles in transaction PFCG so that only users with a business need can call them
- Restrict RFC call rights with authorization object S_RFC (fields RFC_TYPE, RFC_NAME, ACTVT) rather than granting wildcard RFC access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP systems from untrusted networks
- Enforce least privilege access controls and monitor for unusual RFC function module calls
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3550816 is applied using transaction SNOTE or check system version against affected releases in the SAP note.
Check Version:
Use System > Status (or transaction SM51 > Release Notes) to read the SAP_BASIS component version and Support Package level, and compare them with the affected releases listed in the SAP note.
Verify Fix Applied:
Confirm in transaction SNOTE that SAP Note 3550816 shows the status "Completely implemented", then test with a low-privileged user that calls to the affected RFC function modules now fail the authorization check.
📡 Detection & Monitoring
Log Indicators:
- Unusual RFC function module calls in security audit logs
- Failed authorization checks for RFC functions
- Bursts of calls to the affected function modules from a single user session, or calls from users who have no business need for direct database access
Network Indicators:
- Unusual RFC traffic patterns
- RFC calls to sensitive function modules from unexpected sources
SIEM Query:
source="sap_audit_log" AND (event_type="RFC_CALL" AND function_module IN [list_of_vulnerable_functions])
Replace list_of_vulnerable_functions with the function modules named in SAP Note 3550816; field names depend on how your SIEM ingests the Security Audit Log.
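The log indicators above can be turned into a small screening script. The example below is added here and is not code from the original page or from SAP: it parses constructed RFC audit records (the pipe-separated format, the event codes RFC_CALL / RFC_AUTH_FAIL and the function-module name FM_DB_EXEC_EXAMPLE are all invented for the example; the real affected modules are listed only in SAP Note 3550816) and raises an alert for a watchlisted call from an unexpected user or host, for repeated failed authorization checks, and for a burst of watchlisted calls from one user session within a sliding window.

```python
"""Screen constructed RFC audit records for the indicators listed above.

Assumptions (added example, not SAP's own format):
  record layout: time|event|user|host|function_module|rc
  event RFC_CALL      = remote function call executed
  event RFC_AUTH_FAIL = authorization check inside the call failed
Map parse() onto your real export (SM20 / RSAU_READ_LOG / SIEM feed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real audit-log lines).
SAMPLE_LOG = """\
2025-02-11T09:00:01|RFC_CALL|BATCH_SVC|app-srv-01|RFC_PING|0
2025-02-11T09:00:05|RFC_CALL|JDOE|ws-4711|FM_DB_EXEC_EXAMPLE|0
2025-02-11T09:00:06|RFC_CALL|JDOE|ws-4711|FM_DB_EXEC_EXAMPLE|0
2025-02-11T09:00:07|RFC_CALL|JDOE|ws-4711|FM_DB_EXEC_EXAMPLE|0
2025-02-11T09:00:08|RFC_CALL|JDOE|ws-4711|FM_DB_EXEC_EXAMPLE|0
2025-02-11T09:00:09|RFC_CALL|JDOE|ws-4711|FM_DB_EXEC_EXAMPLE|0
2025-02-11T09:01:00|RFC_AUTH_FAIL|ASMITH|ws-2200|FM_DB_EXEC_EXAMPLE|4
2025-02-11T09:01:02|RFC_AUTH_FAIL|ASMITH|ws-2200|FM_DB_EXEC_EXAMPLE|4
2025-02-11T09:01:04|RFC_AUTH_FAIL|ASMITH|ws-2200|FM_DB_EXEC_EXAMPLE|4
2025-02-11T09:05:00|RFC_CALL|BATCH_SVC|app-srv-01|FM_DB_EXEC_EXAMPLE|0
"""

WATCHLIST = {"FM_DB_EXEC_EXAMPLE"}   # hypothetical name; take the real list from the SAP note
ALLOWED_USERS = {"BATCH_SVC"}        # service users expected to call the watchlisted modules
ALLOWED_HOSTS = {"app-srv-01"}       # hosts those service users are expected to call from


def parse(text):
    """Parse the constructed pipe-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host, fm, rc = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "host": host, "fm": fm, "rc": int(rc)})
    return records


def analyze(records, watchlist=WATCHLIST, allowed_users=ALLOWED_USERS,
            allowed_hosts=ALLOWED_HOSTS, burst_n=5,
            window=timedelta(seconds=60), auth_fail_n=3):
    """Return alerts, in log order, for the three indicators."""
    alerts = []
    auth_fails = defaultdict(int)     # (user, host) -> failed-auth count
    sessions = defaultdict(list)      # (user, host) -> timestamps of watchlisted calls
    flagged_callers = set()           # (user, host, fm) already reported once

    def alert(rule, r):
        alerts.append({"rule": rule, "user": r["user"], "host": r["host"],
                       "fm": r["fm"], "at": r["ts"].isoformat()})

    for r in records:
        if r["fm"] not in watchlist:
            continue                  # only the affected modules are of interest
        key = (r["user"], r["host"])

        if r["event"] == "RFC_AUTH_FAIL":
            auth_fails[key] += 1
            if auth_fails[key] == auth_fail_n:   # fire once at the threshold
                alert("repeated_auth_failure", r)
            continue
        if r["event"] != "RFC_CALL":
            continue

        # Indicator 1: a successful call from a user/host not expected to make it.
        if r["user"] not in allowed_users or r["host"] not in allowed_hosts:
            if (r["user"], r["host"], r["fm"]) not in flagged_callers:
                flagged_callers.add((r["user"], r["host"], r["fm"]))
                alert("unexpected_caller", r)

        # Indicator 3: burst of watchlisted calls in one session (sliding window).
        sess = sessions[key]
        sess.append(r["ts"])
        while sess and r["ts"] - sess[0] > window:
            sess.pop(0)
        if len(sess) == burst_n:
            alert("burst", r)
    return alerts


if __name__ == "__main__":
    for a in analyze(parse(SAMPLE_LOG)):
        print(a)
```

Running the block against the constructed sample produces three alerts: an unexpected caller (JDOE from a workstation), a burst of five calls from that same session within a minute, and three failed authorization checks by ASMITH. The allowed-user and allowed-host sets should be built from the RFC destinations and service users that legitimately reach the affected modules in your landscape; the burst and failure thresholds are starting points to tune against a few days of baseline traffic.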