CVE-2025-30013
📋 TL;DR
SAP ERP BW Business Content contains function modules vulnerable to OS command injection, allowing attackers to execute arbitrary commands on the underlying operating system when exploited with elevated privileges. This affects SAP systems running vulnerable versions of ERP BW Business Content, potentially compromising the entire SAP environment and connected systems.
💻 Affected Systems
- SAP ERP BW Business Content
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing an attacker to execute arbitrary OS commands with SAP application server privileges, potentially leading to data theft, system destruction, or lateral movement to other systems.
Likely Case
Limited command execution within SAP application server context, potentially accessing sensitive business data or disrupting SAP operations.
If Mitigated
Attack contained to SAP application layer with no OS command execution due to input validation and privilege restrictions.
🎯 Exploit Status
Requires authenticated access to SAP system and knowledge of vulnerable function modules; exploitation depends on specific configuration and privileges
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3571093
Vendor Advisory: https://me.sap.com/notes/3571093
Restart Required: Yes
Instructions:
1. Download SAP Note 3571093 from SAP Support Portal.
2. Apply the correction instructions in the note.
3. Restart affected SAP instances.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Restrict Function Module Access
Limit access to vulnerable function modules using SAP authorization objects
Use transaction SU24 to restrict S_RFC authorization for affected function modules
Input Validation Enhancement
Implement additional input validation in custom code calling vulnerable function modules
Review and harden ABAP code that calls function modules with external command execution
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP systems from critical infrastructure
- Enforce least privilege access controls and monitor for unusual function module executions
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3571093 is applied using transaction SNOTE or check system status in SAP Support Portal
Check Version:
Use transaction SM51 to check SAP system version and applied notes
Verify Fix Applied:
Verify SAP Note 3571093 implementation status and test that vulnerable function modules no longer accept malicious input
📡 Detection & Monitoring
Log Indicators:
- Unusual function module executions in SAP security audit log (SM19/SM20)
- OS command execution patterns in system logs
- Failed authorization checks for S_RFC objects
Network Indicators:
- Unusual outbound connections from SAP application servers
- Suspicious RFC calls between SAP systems
SIEM Query:
source="sap_audit_log" AND (event_type="function_module_execution" AND module_name IN [vulnerable_modules])
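An added example (not part of this advisory or any SAP tooling) of the log logic behind the SIEM query above, run over constructed sample events: it flags executions of watched function modules and escalates those preceded by failed S_RFC authorization checks for the same user. The key=value field names and the watched module names are placeholders; the real module names come from SAP Note 3571093.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the key=value shape the SIEM query assumes.
# Field names are an assumption, not a real SM20 export format.
SAMPLE_LOG = """\
ts=2025-05-13T09:00:01Z source=sap_audit_log event_type=auth_check_failed user=BATCH01 object=S_RFC module_name=PLACEHOLDER_VULN_FM_1
ts=2025-05-13T09:00:05Z source=sap_audit_log event_type=auth_check_failed user=BATCH01 object=S_RFC module_name=PLACEHOLDER_VULN_FM_1
ts=2025-05-13T09:01:10Z source=sap_audit_log event_type=function_module_execution user=BATCH01 module_name=PLACEHOLDER_VULN_FM_1
ts=2025-05-13T09:05:00Z source=sap_audit_log event_type=function_module_execution user=ADMIN module_name=RFC_PING
ts=2025-05-13T10:30:00Z source=sap_audit_log event_type=function_module_execution user=DEV02 module_name=PLACEHOLDER_VULN_FM_2
"""

# Placeholder names: substitute the modules listed in SAP Note 3571093.
WATCHED_MODULES = {"PLACEHOLDER_VULN_FM_1", "PLACEHOLDER_VULN_FM_2"}
WINDOW = timedelta(minutes=5)  # look-back for prior S_RFC failures


def parse_line(line):
    """Split one key=value line into a dict and parse its timestamp."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def watched_executions(events):
    """Same condition as the SIEM query: a watched module was executed."""
    return [e for e in events
            if e.get("event_type") == "function_module_execution"
            and e.get("module_name") in WATCHED_MODULES]


def escalated(events, window=WINDOW):
    """Watched executions preceded, within `window`, by S_RFC authorization
    failures from the same user: a stronger signal than the execution alone."""
    failures = [e for e in events
                if e.get("event_type") == "auth_check_failed" and e.get("object") == "S_RFC"]
    hits = []
    for ex in watched_executions(events):
        n = sum(1 for f in failures
                if f["user"] == ex["user"] and ex["ts"] - window <= f["ts"] <= ex["ts"])
        if n:
            hits.append({"user": ex["user"], "module": ex["module_name"], "prior_s_rfc_failures": n})
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("watched executions:", len(watched_executions(events)))
    print("escalated:", escalated(events))
```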