What if AI was the hacker?

April 15, 2026


Anthropic recently unveiled Claude Mythos Preview - an AI they describe as “strikingly capable at computer security tasks.” More concerning, they note that “over 99% of the vulnerabilities we’ve discovered have yet to be patched.”

This blog post explores the potential impact of a malicious AI with similar capabilities on an SAP landscape.

While our insights and ideas are backed by over two decades of experience in SAP architecture and cybersecurity - along with an analysis of more than 100 third-party solution providers and numerous penetration tests - many thoughts and aspects in this blog post are speculative. Don't take them as facts. We unfortunately don’t have access to Claude Mythos Preview, so we cannot analyze SAP technologies with it directly. That said, let's go!

In a detailed article, Anthropic experts explain the types of vulnerabilities they were able to identify, along with their methodology.

They tested both open-source and closed-source software (the latter via reverse engineering) with Claude Mythos Preview, successfully identifying a variety of vulnerabilities. These included issues like integer overflows, out-of-bounds access (specific to C/C++ code), JIT heap exploits in web browsers, flaws in cryptographic algorithms, authentication bypasses, remote denial-of-service attacks, and firmware vulnerabilities in smartphones. There were so many vulnerabilities that they couldn't verify all of them through human analysis, and vendors have not yet patched many of the issues. Notably, Anthropic submitted 112 confirmed security issues in Firefox alone.

Pretty impressive.

What sets this analysis apart from traditional automated security scans is the approach Claude Mythos Preview takes. After detecting a potential vulnerability, it tries to exploit it—even if the software or platform has several defense mechanisms in place. A human researcher might assume an exploit is unlikely due to those defenses. Moreover, creating such exploits manually would be time-consuming and challenging, which is why many researchers might not pursue them. However, AI excels in generating exploits that would be prohibitively complex for humans. According to Anthropic’s article, Claude Mythos Preview combined several independent minor issues into a sophisticated working exploit, testing and refining it over many hours. This is a remarkable display of puzzle-solving at an advanced level.

But this is only part of the story. Analysis with Claude Mythos Preview is expensive. They mention it cost around $20,000 to detect a specific issue in OpenBSD they discussed in the article. It’s unclear whether AI-based testing is actually more cost-effective than human testing. However, if an interested party has the necessary resources and needs to find vulnerabilities quickly, AI-based testing certainly becomes an attractive option.

What could this mean for SAP solutions?

From an economic perspective, customers running SAP are attractive targets. Spending $20,000 to identify a flaw that can remotely shut down a server might seem like a hefty cost for an open-source project. However, taking down a production SAP system can quickly lead to losses in the six or seven figures, making it a worthwhile investment for certain parties—whether for launching an attack or preventing one.

From a technical perspective (which is the focus of this article), let’s first take a look at SAP's core solutions. Their application servers with an ABAP stack are made up of a C/C++ core, the ABAP basis, and ABAP business suites (which amount to 150+ million lines of ABAP code in a classic SAP installation). The SAP GUI client is available as both a Windows binary (C/C++ code) and a Java version. SAP’s HANA database is also written in C/C++, and SAP has also released its own J2EE engine, as well as other Java solutions. Claude Mythos Preview could most probably analyze all of these solutions and languages.

Is it difficult to access SAP's software for analysis? Not at all. All you need is an SAP license to access the binaries and ABAP source code—or access to a willing SAP customer. That leaves legal aspects aside, but attackers wouldn't care about those anyway. Although SAP has removed their classic ABAP documentation from their websites, it's still easy to train an AI on the ABAP language. Anyone with access to an SAP Application Server ABAP can export the ABAP documentation from the ABAP workbench into HTML files, which, combined with access to SAP's standard ABAP applications, provides an excellent training set for AI.

Testing SAP's cloud solutions - like SuccessFactors, Ariba, or Fieldglass - is a different story. But these are not the typical places where companies keep their crown jewels.

Anthropic has pointed out that AI agents can analyze C/C++ based binaries via reverse engineering. At CAIBERP, we tested Claude Code in our lab for its capabilities to analyze disassembled binaries and can confirm that the results are promising. For Java, the process is even easier, thanks to the availability of high-quality decompilers. SAP's ABAP code, however, is much easier to analyze since it’s always shipped as source code.

There are several proven solutions on the market that can analyze ABAP and Java source code. These usually focus on pattern-matching, control-flow and data-flow techniques to identify issues like command injections, missing authorization checks and hard-coded passwords. And they are pretty good at it. However, a capable AI like Claude Mythos Preview could go much further, identifying logical flaws, such as incorrect authorization checks, bypasses to the intended order of execution in a business workflow or fraudulent code. In other words, while existing scanners can already identify cyber security risks in ABAP, AI could additionally detect misuse potential with a focus on fraud.

Analyzing closed-source SAP solutions is certainly a blind spot for SAP customers, as there are no tools on the market to support this. And SAP customers would certainly expect SAP to take care of the security aspects in those solutions. Summarizing this, we believe an AI agent like Claude Mythos Preview would be technically capable of scanning all of SAP's on-premise solutions and technology stacks and uncovering new vulnerabilities.
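The gap between pattern or data-flow matching and logic analysis described above, as an added example (not from the original post and not any scanner product's code): a minimal Python scanner run over two constructed ABAP fragments. The rule names, the `scan` function and both sample reports are assumptions made for illustration.

```python
import re

# Constructed ABAP fragment (not SAP code): three classic findings.
SAMPLE_MISSING = """\
REPORT zdemo_a.
PARAMETERS p_cmd TYPE string.
DATA lv_pass TYPE string.
lv_pass = 'Init1234'.
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
CALL TRANSACTION 'SU01'.
"""

# Constructed ABAP fragment: a check exists and is evaluated, but it tests
# a different transaction (SE38) than the one started (SU01).
SAMPLE_WRONG_CHECK = """\
REPORT zdemo_b.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
CALL TRANSACTION 'SU01'.
"""

def scan(source):
    """Return (line_no, rule) findings for one ABAP source text."""
    findings = []
    user_inputs = set()       # names declared via PARAMETERS (user-controlled)
    auth_check_seen = False   # any AUTHORITY-CHECK earlier in the source
    for no, line in enumerate(source.splitlines(), 1):
        stmt = line.strip()
        m = re.match(r"PARAMETERS\s+(\w+)", stmt, re.I)
        if m:
            user_inputs.add(m.group(1).lower())
        if re.match(r"AUTHORITY-CHECK\b", stmt, re.I):
            auth_check_seen = True
        # Pattern: string literal assigned to a password-like variable.
        if re.search(r"\w*pass\w*\s*=\s*'[^']+'", stmt, re.I):
            findings.append((no, "hard-coded-password"))
        # Data flow (one hop): user input reaches the OS command call.
        m = re.match(r"CALL\s+'SYSTEM'.*\bFIELD\s+(\w+)", stmt, re.I)
        if m and m.group(1).lower() in user_inputs:
            findings.append((no, "command-injection"))
        # Presence rule: transaction started with no check before it.
        if re.match(r"CALL\s+TRANSACTION\b", stmt, re.I) and not auth_check_seen:
            findings.append((no, "missing-authority-check"))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_MISSING))      # three findings
    print(scan(SAMPLE_WRONG_CHECK))  # no findings: the logic flaw is missed
```

The second fragment passes cleanly because the presence rule only asks whether a check exists, not whether it guards the right object; that is the class of incorrect authorization check the paragraph says needs semantic analysis.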

How likely is it that SAP solutions contain hidden vulnerabilities?

Looking at SAP's patch history over the past seven years, it’s clear that external researchers are constantly discovering new vulnerabilities. On average, SAP releases 15 security notes per month.

From our own experience, practically every SAP mechanism we (and other researchers) have examined has turned out to be vulnerable:

- Buffer overflows in SAP’s web servers
- Cross-Site Scripting (XSS) and directory traversal in web applications and servers
- Buffer overflows in kernel functions called by ABAP
- Backdoors in kernel functions used by ABAP
- Backdoors and command injections in ABAP applications
- Access to client resources via SAP GUI
- Access to SAP backends from web applications through SAP GUI shortcuts
- Critical services set active by default
- Security issues in the distribution of SAP patches
- Issues with the integrity of the security audit log
- Design flaws in the RFC protocol
- Buffer overflows in the RFC protocol

This is not an exhaustive list.

It’s highly likely that more vulnerabilities lie dormant within the vast codebase of SAP, especially in closed-source solutions and undocumented APIs such as the kernel functions. In ECC 6.0, there were over 370 kernel functions, most of which are undocumented. A reverse engineering analysis of the SAP kernel could uncover many interesting (and potentially dangerous) functions. The same is probably true for reverse engineering analysis of SAP clients, proxy solutions as well as the RFC protocol used for server-to-server communication.

However, even if there were no further vulnerabilities in SAP code (a purely theoretical thought), Claude Mythos Preview could still create exploits for all of the vulnerabilities fixed by existing SAP patches. Since most companies take days, weeks and even months or years to install security patches, even such n-day exploits would be very valuable to attackers.

What if ... ?

If an AI with the capabilities of Claude Mythos Preview were used to find and exploit issues in closed-source SAP solutions, it could have drastic consequences for SAP customers. SAP forms a “shadow network” within a company's IT landscape—an ecosystem of proprietary solutions distributed across the organization’s servers, clients, and proxies, exchanging data through proprietary protocols. Compromising such a network could give an attacker control over a vast array of systems running SAP software. Given SAP’s complex topology, there are numerous potential attack vectors for gaining unauthorized privileges on a vast variety of systems. An attack potential like this is definitely worth a lot of money to interested parties, such as nation state attackers.

For instance, if Claude Mythos Preview found new ways to inject (ABAP) code into an SAP landscape, these exploits could provide significant access potential to the OS across multiple systems. Additionally, if it uncovered vulnerabilities in SAP's C/C++ code (whether in servers, clients, proxies or communication channels), the attack potential of ABAP exploits could be drastically enhanced, potentially leading to highly privileged access to IT systems hosting SAP solutions or tunneling sensitive data to remote locations. Such an exploit could be especially critical in the case of SAP’s public and private cloud solutions. A single exploited system at a given SAP customer could be used to attack other customers as well. Because SAP needs network access to all servers it is hosting (for maintenance reasons), advanced malware could potentially spread from one infected installation via SAP's infrastructure to another installation, creating a widespread threat to systems far beyond the initial victim company. While this is speculative, it's still not entirely unlikely.

Anthropic has already launched Project Glasswing, a collaboration with major U.S. companies to “secure the world’s most critical software.” However, it seems SAP is not (yet) part of that initiative.

Although Anthropic will not release Claude Mythos Preview to the public, they recommend intensifying AI-based testing for vulnerabilities. They also note that solutions like Claude Code are capable of detecting security issues, too. There are certainly other companies with AI agents possessing similar testing and exploiting capabilities. Unfortunately, not all of them may use their insights to make the world safer. It is therefore a good idea for companies that run custom and third-party code to use existing scanning capabilities - classic static code analysis or AI - to at least spot and eliminate critical issues in the code they have access to. An advantage of static code analysis over AI analysis is that companies do not have to expose their code to third parties (AI providers).

Exposing its code to AI providers for analysis would also be an obvious downside for SAP - apart from the heavy cost involved. While it's uncertain whether SAP would take this route, if they did, it could probably make for a particularly eventful patch day...