CVE-2025-43010
📋 TL;DR
This vulnerability allows authenticated SAP users with standard authorization to remotely execute a function module that can replace arbitrary ABAP programs, including SAP standard programs. It affects SAP S/4HANA Cloud Private Edition and on-premise installations with the SCM Master Data Layer (MDL). Attackers can compromise application integrity and availability through unauthorized program modifications.
💻 Affected Systems
- SAP S/4HANA Cloud Private Edition
- SAP S/4HANA on Premise
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could replace critical SAP standard programs with malicious code, causing complete system compromise, data corruption, and extended service disruption.
Likely Case
Attackers with standard SAP access could modify business logic, disrupt operations, or implant backdoors in ABAP programs affecting specific business processes.
If Mitigated
With proper authorization controls and input validation, only authorized administrators could execute the function module, limiting impact to legitimate maintenance activities.
🎯 Exploit Status
Exploitation requires authenticated access with standard SAP authorization. The vulnerability involves executing a specific function module with insufficient input validation and authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3600859 for specific patch information
Vendor Advisory: https://me.sap.com/notes/3600859
Restart Required: Yes
Instructions:
1. Review SAP Note 3600859 for specific patch details
2. Apply the SAP Security Patch Day updates
3. Restart affected SAP systems
4. Verify the patch has been applied correctly
🔧 Temporary Workarounds
Restrict Function Module Access
- Temporarily restrict access to the vulnerable function module using SAP authorization objects
- Use transaction SU24 to adjust authorization checks
- Modify authorization object S_RFC for the specific function module
Implement Input Validation
- Add custom input validation for the vulnerable function module parameters
- Create custom ABAP validation in a function module exit or BAdI
🧯 If You Can't Patch
- Implement strict authorization controls to limit who can execute the vulnerable function module
- Monitor and audit all function module executions, particularly those modifying ABAP programs
🔍 How to Verify
Check if Vulnerable:
Check if your SAP system has the SCM MDL component and review authorization settings for the vulnerable function module
Check Version:
Use transaction SM51 to check system information or run report RSABAP_SOURCE_SCAN for component details
Verify Fix Applied:
Verify that SAP Note 3600859 has been applied using transaction SNOTE and test that unauthorized users cannot execute the function module
📡 Detection & Monitoring
Log Indicators:
- Unusual function module executions in security audit logs
- ABAP program modification events by non-administrative users
- Failed authorization checks for function module access
Network Indicators:
- Unusual RFC calls to the vulnerable function module
- Increased traffic to SAP system from unexpected sources
SIEM Query:
source="sap_audit_log" AND (event="function_module_execution" OR event="program_modification") AND user!="administrator"
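The SIEM query above matches single events; the pattern this CVE describes is a function module execution followed shortly by a program modification by the same user. The following detector is an added example, not code from the page or from SAP: it assumes audit records exported as key=value lines with the field names used in the query, replaces the `user!="administrator"` filter with an explicit allowlist of authorized users, and flags modifications outside the customer Y*/Z* namespace as touching SAP standard programs.

```python
"""Correlate SAP audit events into the CVE-2025-43010 pattern:
function module execution followed by an ABAP program modification.
Added example; log format and field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample audit log lines (not real data); the function
# module name is a placeholder, the page does not name the real one.
SAMPLE_LOG = """\
ts=2025-05-13T09:00:01 event=function_module_execution user=DEV_USER fm=PLACEHOLDER_FM source=10.0.0.5
ts=2025-05-13T09:00:04 event=program_modification user=DEV_USER program=RSPLACEHOLDER
ts=2025-05-13T09:10:00 event=function_module_execution user=BASIS_ADMIN fm=PLACEHOLDER_FM source=10.0.0.2
ts=2025-05-13T11:00:00 event=program_modification user=OPS_USER program=ZCUSTOM_REPORT
"""


def parse_line(line):
    """Parse one key=value audit line into a dict; 'ts' becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_customer_namespace(program):
    """Customer/partner objects live in Y*, Z* or /NAMESPACE/ ranges;
    anything else is treated as an SAP standard program."""
    return program.startswith(("Y", "Z", "/"))


def find_suspicious(log_text, authorized_users, window=timedelta(minutes=5)):
    """Return one alert per program modification by a non-allowlisted user,
    noting whether the same user executed a function module within
    `window` beforehand and whether the target is an SAP standard program."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_fm = {}  # user -> timestamp of most recent function module execution
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "function_module_execution":
            last_fm[user] = ev["ts"]
        elif ev["event"] == "program_modification" and user not in authorized_users:
            prior = last_fm.get(user)
            alerts.append({
                "user": user,
                "program": ev["program"],
                "chained_with_fm_call": prior is not None and ev["ts"] - prior <= window,
                "sap_standard_program": not is_customer_namespace(ev["program"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG, {"BASIS_ADMIN"}):
        print(alert)
```

Alerts with both flags set (chained call and standard program) are the ones that match this CVE's worst case and deserve the first look.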