Third-party solutions: from bugs to backdoors

May 22, 2025

Category: Third-Party Solutions

Read time: 6

Ongoing analysis of third-party solutions using our advanced Relevan-C scanner has revealed alarming cybersecurity risks for organizations relying on these applications within their SAP ecosystems. This interim report expands on our earlier findings, highlighting the pervasive vulnerabilities and intentional backdoors embedded in some third-party solutions. These issues pose significant threats to the integrity, confidentiality, and availability of critical SAP systems. Below, we delve into the nature of these risks, their implications, and the urgent need for organizations to enhance their evaluation processes for third-party software.

The Growing Threat of Third-Party Vulnerabilities

As outlined in our initial blog post on third-party solution risks, many vendors supplying SAP-integrated applications appear to prioritize functionality over security. This oversight results in severe vulnerabilities that can cripple an organization’s SAP infrastructure. Our Relevan-C scanner has consistently identified high-risk issues, such as ABAP command injections and OS command execution vulnerabilities, which could allow attackers to:

- Compromise SAP installations: Malicious actors could exploit these vulnerabilities to disrupt critical business processes.

- Introduce malware: Infected systems could serve as entry points for ransomware or other malicious payloads.

- Manipulate or extract data: Unauthorized access to sensitive data could lead to significant financial and reputational damage.

These vulnerabilities are not limited to niche or lesser-known vendors. Surprisingly, they also affect solutions provided by security solution providers and even tools developed by the Big Four accounting firms, which are often assumed to adhere to rigorous security standards. The root cause of these issues often lies in a lack of expertise or focus on secure coding practices among vendors. This knowledge gap creates a dangerous blind spot for organizations deploying these solutions.

Why Vulnerabilities Persist: A Lack of Pre-Deployment Testing

As discussed in our second blog post, many organizations fail to adequately test third-party applications before integrating them into their SAP environments. For those unfamiliar with SAP technologies, it’s important to understand that third-party solutions running on SAP’s ABAP stack (used in platforms like NetWeaver, S/4HANA, or SAP RISE) are typically delivered as source code. This transparency should, in theory, make it straightforward to conduct security assessments, such as code audits or automated scans, to identify vulnerabilities before deployment.

However, our findings indicate that many SAP departments place undue trust in their vendors’ ability to deliver secure code. This trust persists despite the increasing prevalence of supply chain attacks across the IT industry, where malicious actors target third-party software to infiltrate larger systems. The failure to rigorously evaluate third-party solutions reflects a broader awareness gap within SAP-dependent organizations. Many assume that vendors, particularly those with established reputations, inherently prioritize security—an assumption that our research shows is dangerously misguided.

The Alarming Discovery of Intentional Backdoors

While accidental vulnerabilities stemming from poor coding practices are concerning, our researchers have uncovered an even more troubling issue: intentional backdoors embedded in some third-party solutions. Unlike vulnerabilities caused by oversight, backdoors are deliberately designed to bypass security controls, granting unauthorized access to systems. These hidden mechanisms are activated through covert triggers, making them invisible to the average user and difficult to detect without thorough analysis.

To date, our team has identified backdoors in three third-party SAP solutions. Each of these backdoors enables attackers to inject and execute ABAP code directly on a production system, bypassing SAP’s standard three-tier landscape (development, quality assurance, and production). In a typical SAP environment, code is written and tested in controlled environments before being deployed to production. This structured process ensures stability and security. However, these backdoors undermine this safeguard by allowing unauthorized code execution in the production environment, where sensitive data and critical business processes reside.

The Power and Danger of ABAP in SAP Systems

To fully grasp the severity of these backdoors, it’s worth exploring the capabilities of the ABAP programming language, which is central to SAP systems. ABAP provides unrestricted access to:

- Database content: Attackers can read, modify, or delete sensitive data stored in the SAP system, including financial records, customer information, and intellectual property.

- Operating system commands: ABAP’s ability to execute OS-level commands gives attackers the potential to control the underlying infrastructure, introducing malware or exfiltrating data.

When ABAP code is written on an SAP system, it is automatically compiled and executed by the server upon invocation. This immediacy amplifies the risk of backdoors, as malicious code can be deployed and executed without delay. For a deeper dive into ABAP’s capabilities and risks, refer to our dedicated blog post on ABAP risks.

How Backdoors Operate: Covert and Sophisticated

The backdoors identified in our analysis operate in a consistent manner, using the SAP GUI user interface to provide hidden access to an ABAP editor. These backdoors are activated through specific “secret” commands, which are not disclosed to the organizations deploying the software. Examples include:

- Hard-coded commands, such as “&SAP_EDIT,” which, when entered, unlock the ABAP editor.

- Dynamic commands based on variables like the current date and time, making them harder to detect through casual testing.

These commands are intentionally obscured to evade detection by quality assurance (QA) teams. Without a comprehensive code audit or an advanced scanning tool like Relevan-C, these backdoors are likely to go unnoticed, leaving organizations vulnerable to exploitation by malicious insiders or external attackers with knowledge of the trigger mechanisms.
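The trigger-plus-editor pattern described above is what an automated scan has to look for. The following is an added illustration (not Relevan-C or the blog's own code): a small Python heuristic that flags ABAP statements which edit or compile code at runtime and reports any nearby comparison of the GUI function code (sy-ucomm) against a literal, or any condition built on sy-datum/sy-uzeit, as a possible covert trigger. The ABAP snippet it scans is constructed to mirror the pattern in the post; the window size and regexes are assumptions, and a real audit would use a proper ABAP parser rather than regular expressions.

```python
import re

# Statements that let an ABAP program edit and compile ABAP at runtime: the
# "hidden editor" capability the backdoors described above are built on.
DYNAMIC_CODE = re.compile(
    r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT|EDITOR-CALL\s+FOR)\b", re.I)
# Trigger 1: the GUI function code (sy-ucomm) compared with a hard-coded literal.
UCOMM_TRIGGER = re.compile(r"\bsy-ucomm\s*(?:=|EQ)\s*'([^']*)'", re.I)
# Trigger 2: a condition built on the system date/time fields.
TIME_TRIGGER = re.compile(r"\bIF\b.*\bsy-(?:datum|uzeit)\b", re.I)
WINDOW = 4  # crude proximity heuristic (assumed): trigger at most this many lines earlier

def scan_abap(source: str) -> list[dict]:
    """Flag every dynamic-code statement, with any covert trigger guarding it."""
    triggers, findings = [], []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip()[:1] in ('*', '"'):   # skip ABAP comment lines
            continue
        m = UCOMM_TRIGGER.search(line)
        if m:
            triggers.append((no, "hardcoded-ucomm-trigger", m.group(1)))
        if TIME_TRIGGER.search(line):
            triggers.append((no, "time-based-trigger", line.strip()))
        if DYNAMIC_CODE.search(line):
            findings.append({"line": no, "statement": line.strip(),
                             "triggers": [t for t in triggers if no - t[0] <= WINDOW]})
    return findings

# Constructed sample modelled on the pattern in the post (not real vendor code).
SAMPLE_ABAP = """\
AT USER-COMMAND.
  IF sy-ucomm = '&SAP_EDIT'.
    EDITOR-CALL FOR lt_source.
    GENERATE SUBROUTINE POOL lt_source NAME lv_prog.
  ENDIF.
  IF sy-datum+6(2) = sy-uzeit+0(2).
    INSERT REPORT lv_name FROM lt_source.
  ENDIF.
  IF sy-ucomm = 'BACK'.
    LEAVE TO SCREEN 0.
  ENDIF.
"""

if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f['line']}: {f['statement']}  <- triggers: {f['triggers']}")
```

The ordinary 'BACK' function-code check is not reported because no dynamic-code statement follows it; only the literal and the date/time condition that sit directly in front of the editor and compile statements are surfaced for review.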

The Need for Enhanced Evaluation Processes

The discovery of both accidental vulnerabilities and intentional backdoors underscores a critical need for organizations to overhaul their evaluation processes for third-party SAP solutions. If companies struggle to identify unintentional vulnerabilities caused by poor coding practices, how can they hope to detect deliberately hidden backdoors? The answer lies in adopting rigorous security practices, including:

- Code audits: Manual reviews of source code by skilled security professionals can uncover both vulnerabilities and backdoors.

- Automated code scanning: Tools like Relevan-C can systematically analyze ABAP code for suspicious patterns and hidden mechanisms.

- Pre-deployment testing: Organizations must prioritize thorough testing of third-party applications in controlled environments before integrating them into production systems.

- Vendor accountability: Companies should demand transparency from vendors regarding their security practices and require proof of secure development processes.

Conclusion: A Call to Action

The findings from our Relevan-C scanner paint a sobering picture of the risks lurking in third-party SAP solutions. From high-severity vulnerabilities to deliberately embedded backdoors, these issues threaten the security and stability of critical business systems. The combination of vendor oversight, organizational complacency, and the inherent power of the ABAP language creates a perfect storm for cyberattacks.

To mitigate these risks, organizations must prioritize security in their third-party software evaluations. By implementing robust testing protocols and leveraging advanced tools, companies can better protect their SAP environments from both accidental and intentional threats. Our ongoing research will continue to shed light on these issues, and we urge SAP-dependent organizations to take proactive steps to safeguard their systems. Stay tuned for further updates in this blog series as we continue to explore the evolving landscape of third-party solution risks.

This is the third article in our SAP Add-on series that provides you with insights into risks related to running third-party solutions as well as defensive strategies.
If you'd like to know more about SAP Add-on risks, please contact us. Understanding these risks helps in making informed decisions about which third-party solutions to adopt and how to manage them securely.