SAP system integrity and authentication risks


Summary

SAP system integrity and authentication risks refer to vulnerabilities that could threaten the trustworthiness and access controls within SAP enterprise platforms. These risks include issues like unauthorized access, privilege misuse, and weaknesses in identity management, which can lead to data breaches, compliance failures, and operational disruptions.

  • Audit privileged accounts: Regularly review and monitor user profiles with elevated access to ensure no unauthorized changes or excessive permissions are granted.
  • Automate access controls: Implement automated processes for managing joiner, mover, and leaver accounts to promptly deactivate or adjust permissions based on personnel changes.
  • Patch vulnerabilities quickly: Apply SAP security updates as soon as they are released to protect your system from active exploits and potential data loss.
Summarized by AI based on LinkedIn member posts
  • Amit Parmar

    💻 SAP Security & GRC Consultant | 🎓 S/4HANA Security Specialist | 📚 Udemy Instructor (3,000+ Students) | 🚀 Helping Professionals Master SAP Security

    4,121 followers

    🔐 SAP Security Insight: Have you ever noticed a user accessing a transaction without having S_TCODE authorization? 🤯 Yes, it’s possible—and no, your SAP system isn’t broken.

    💡 Here’s what’s going on: SAP allows transactions to indirectly call other transactions using the ABAP CALL TRANSACTION statement.

    A classic example: ME22N → MM03. Double-clicking on a material in ME22N can take a user straight to MM03—even if they don’t have explicit access to MM03. Now, you'd expect the system to check S_TCODE for MM03... but sometimes, it doesn’t. Why?

    📌 That’s where SE97 and the TCDCOUPLES table come in: Using transaction SE97, you can control whether S_TCODE checks are performed for indirectly called transactions.
      • YES → Authorization is checked
      • NO → Authorization is skipped
      • Blank → It depends on the system parameter auth/check/calltransaction
    If the value is blank, the system relies on the parameter value to decide whether to enforce the check.

    🛡️ Bottom line: This behavior can result in authorization loopholes if not managed properly. Understand how indirect transaction calls work, and always validate SE97 settings.

    Read more here: https://lnkd.in/df7SUyEP
    Refer to SAP OSS note 515130 and SAP note 358122.

    #SAPSecurity #SAPS4HANA #SAPAuthorization #SAPBasis #SE97 #
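The decision rule the post describes (explicit YES or NO in SE97 wins, a blank entry defers to auth/check/calltransaction) is easy to apply across a whole TCDCOUPLES export rather than one couple at a time. The script below is an added example, not code from the post or from SAP; the export format is a constructed semicolon-separated file with the columns CALLER, CALLED and OKFLAG, and the mapping of the three parameter values for a blank entry (0 and 1 leave it unchecked, 2 checks it) is an assumption to be verified against SAP note 515130 before the output is used as an audit finding.

```python
"""List indirectly called transactions for which S_TCODE is not enforced.

Added example, not the post author's code and not an SAP tool. It models the
SE97 / TCDCOUPLES rule from the post: OKFLAG 'X' (YES) means the called
transaction's S_TCODE is checked, 'N' (NO) means the check is skipped, and a
blank entry defers to the profile parameter auth/check/calltransaction.
"""
import csv
import io

# Constructed sample in the shape of a TCDCOUPLES export (not real system data).
SAMPLE_TCDCOUPLES = """CALLER;CALLED;OKFLAG
ME22N;MM03;
ME22N;ME23N;X
VA01;VA03;N
FB01;FB03;
"""

# ASSUMPTION: what a blank SE97 entry means per parameter value. Verify this
# mapping against SAP note 515130 for the release you are auditing.
BLANK_ENTRY_CHECKED = {0: False, 1: False, 2: True}


def is_checked(okflag, param_value):
    """Return True if S_TCODE is enforced for the called transaction."""
    flag = okflag.strip().upper()
    if flag == "X":          # SE97 = YES: always checked
        return True
    if flag == "N":          # SE97 = NO: never checked
        return False
    if param_value not in BLANK_ENTRY_CHECKED:
        raise ValueError(f"unexpected auth/check/calltransaction value: {param_value!r}")
    return BLANK_ENTRY_CHECKED[param_value]   # blank: the parameter decides


def find_unchecked_couples(export_text, param_value):
    """Return [(caller, called)] for every couple reachable without an S_TCODE check."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    findings = []
    for row in reader:
        if not is_checked(row["OKFLAG"], param_value):
            findings.append((row["CALLER"], row["CALLED"]))
    return findings


def unchecked_by_called(export_text, param_value):
    """Group the findings by called transaction: which callers bypass its S_TCODE check."""
    grouped = {}
    for caller, called in find_unchecked_couples(export_text, param_value):
        grouped.setdefault(called, []).append(caller)
    return grouped


if __name__ == "__main__":
    for value in (1, 2):
        print(f"auth/check/calltransaction = {value}:")
        for called, callers in unchecked_by_called(SAMPLE_TCDCOUPLES, value).items():
            print(f"  {called} reachable without S_TCODE from {', '.join(callers)}")
```

Running it against the sample shows why the post says blank entries matter: with the parameter at 1, the blank ME22N → MM03 and FB01 → FB03 couples join the explicit NO entry in the findings, while with the parameter at 2 only the explicit NO remains. A real review would feed it the SE97 export of each system and compare the result with the role concept for the called transactions.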

  • Shivani Saraswat

    IT Audit Manager | SOX Compliance | CISA Certified | ISO 27001 LA LI | SAP GRC | TPRM | Risk Advisory | Big Four Experience |

    3,652 followers

    Privileged User IDs in SAP — A Must-Audit Area! 🛡️

    As IT Auditors, one of our key checkpoints in SAP security assessments is identifying and reviewing Privileged User IDs — accounts that have elevated access capable of bypassing standard control mechanisms.

    📌 High-Risk Profiles to Look For in SUIM Reports:
      • SAP_ALL
      • SAP_NEW
      • SAP*
      • S_A.SYSTEM
      • S_A.ADMIN
      • S_A.CUSTOMIZ
      • S_A.DEVELOP
      • S_A.USER
      • S_A.USER_ALL
      • S_RFCACL
      • S_ABAP_ALL
    These profiles provide broad and critical access to system configuration, user management, RFC communication, and development/customization — making them prime targets for misuse if not properly controlled.

    🔍 IT Audit Checklist:
    ✅ Access Review via SUIM: Run user profile reports to identify who has these profiles assigned.
    ✅ Approval Evidence: Ensure elevated access is backed by documented approval and justified by business need.
    ✅ Monitoring & Logging: Use tools like SM20 and STAD to log privileged user activities.
    ✅ Emergency Access Management: Leverage SAP GRC Firefighter for temporary access with automated logs and review workflows.
    ✅ SoD & Recertification: Check for SoD violations and include these IDs in periodic User Access Reviews (UARs).

    ⚠️ Red Flag: Default accounts like SAP* and DDIC with default or weak passwords can be exploited — ensure they are secured or locked.

    🎯 Bottom Line: Privileged access is necessary, but unchecked power = unchecked risk. As auditors, it’s our duty to ensure these IDs are properly governed, monitored, and reviewed.

    #SAPAudit #PrivilegedAccess #SUIM #GRC #InternalAudit #SAP_ALL #ITSecurity #AccessControl #SOX #SAPGRC
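The first two checklist items (who holds the high-risk profiles, and whether each assignment has approval evidence) plus the red flag about default accounts can be turned into one repeatable review over a SUIM export. The script below is an added example, not code from the post or from SAP GRC: the user-to-profile export is a constructed semicolon-separated file with the columns USER, PROFILE, USER_TYPE and LOCKED, the approval register is a constructed dictionary standing in for whatever ticketing system holds the evidence, and SAP* (listed among the profiles in the post) is treated here as the default user account that the red flag refers to.

```python
"""Privileged-access review over a user/profile export.

Added example, not the post author's code and not an SAP or SUIM feature.
Flags three things the post's checklist asks for: users holding high-risk
profiles, assignments without approval evidence, and default accounts that
are not locked.
"""
import csv
import io

# High-risk profiles taken from the post's list (SAP* handled below as an account).
HIGH_RISK_PROFILES = {
    "SAP_ALL", "SAP_NEW", "S_A.SYSTEM", "S_A.ADMIN", "S_A.CUSTOMIZ",
    "S_A.DEVELOP", "S_A.USER", "S_A.USER_ALL", "S_RFCACL", "S_ABAP_ALL",
}
DEFAULT_ACCOUNTS = {"SAP*", "DDIC"}

# Constructed sample export (not real system data). LOCKED = 'X' means locked.
SAMPLE_EXPORT = """USER;PROFILE;USER_TYPE;LOCKED
JSMITH;SAP_ALL;Dialog;
JSMITH;S_A.USER;Dialog;
SAP*;SAP_ALL;Dialog;
DDIC;SAP_ALL;Dialog;X
RFC_BATCH;S_RFCACL;System;
MDOE;Z_FI_DISPLAY;Dialog;
"""

# Constructed approval register: (user, profile) -> hypothetical ticket reference.
SAMPLE_APPROVALS = {
    ("JSMITH", "SAP_ALL"): "CHG-0001-EXAMPLE",
    ("RFC_BATCH", "S_RFCACL"): "CHG-0002-EXAMPLE",
}


def review_privileged_access(export_text, approvals):
    """Return a dict with the three findings lists described in the module docstring."""
    rows = list(csv.DictReader(io.StringIO(export_text), delimiter=";"))

    # 1. Access review: which users hold which high-risk profiles.
    high_risk = {}
    for row in rows:
        if row["PROFILE"] in HIGH_RISK_PROFILES:
            high_risk.setdefault(row["USER"], []).append(row["PROFILE"])
    for user in high_risk:
        high_risk[user].sort()

    # 2. Approval evidence: every high-risk assignment must map to a ticket.
    missing_approval = sorted(
        (user, profile)
        for user, profiles in high_risk.items()
        for profile in profiles
        if (user, profile) not in approvals
    )

    # 3. Red flag: default accounts that are still unlocked.
    unlocked_defaults = sorted({
        row["USER"] for row in rows
        if row["USER"] in DEFAULT_ACCOUNTS and row["LOCKED"].strip().upper() != "X"
    })

    return {
        "high_risk": high_risk,
        "missing_approval": missing_approval,
        "unlocked_defaults": unlocked_defaults,
    }


if __name__ == "__main__":
    result = review_privileged_access(SAMPLE_EXPORT, SAMPLE_APPROVALS)
    for user, profiles in result["high_risk"].items():
        print(f"{user}: {', '.join(profiles)}")
    print("missing approval:", result["missing_approval"])
    print("unlocked default accounts:", result["unlocked_defaults"])
```

On the sample data the review reports JSMITH, SAP*, DDIC and RFC_BATCH as privileged, three assignments without a ticket, and SAP* as an unlocked default account; DDIC is locked and therefore not flagged. The same structure extends to the remaining checklist items by adding a column for firefighter ownership or last recertification date.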

  • Ivan Mans

    Co-Founder & Board Member

    6,482 followers

    SAP security has long been disconnected from enterprise security operations. While IT security teams focus on firewalls, SIEMs, and endpoint protection, SAP landscapes operate in isolation, often without real-time monitoring, automated risk assessments, or continuous threat detection. This gap creates significant blind spots that attackers exploit. SecurityBridge changes this by bringing SAP security into the IT security ecosystem.

    The first challenge is visibility. Traditional security tools struggle to interpret SAP logs, making it nearly impossible for security teams to detect unauthorized activity, privilege escalations, or malicious RFC calls in real-time. SecurityBridge deploys a native SAP intrusion detection system that processes raw log data, aggregates it across ABAP, Java, BTP, and HANA, and generates actionable security alerts that integrate directly into existing SIEM solutions.

    The second challenge is continuous security auditing. Manual SAP security assessments are slow, fragmented, and dependent on external consultants. SecurityBridge automates this process, allowing organizations to validate their SAP security posture against predefined baselines—including hardening guides, patch status, and custom code vulnerabilities. The platform provides guided security roadmaps, helping organizations move from reactive to proactive risk reduction.

    The third challenge is patching and vulnerability management. SAP’s monthly patch day releases security notes, but organizations often struggle to apply patches in a timely manner due to operational constraints. SecurityBridge automates patch triaging, linking vulnerabilities directly to affected systems, prioritizing based on severity, and providing virtual patching when immediate updates aren’t feasible.

    The fourth challenge is custom code security. Standard SAP security focuses on system configurations, but custom ABAP development introduces hidden risks. SecurityBridge scans source code in real-time, detecting misused authority checks, insecure API calls, and hardcoded credentials. Developers receive immediate feedback, ensuring that security is embedded into DevSecOps workflows from day one.

    All of these capabilities are integrated into a centralized security dashboard—providing real-time insights, KPI tracking, and a single source of truth for SAP security posture.

  • Punit Bafna

    Enterprise Cyber & Compliance Leader | CISO | SAP S/4 & GRC Engineering | AI Risk & Digital Governance

    5,417 followers

    Continuing from my last post on breaking silos in the SAP cybersecurity, IAM, GRC and resilience space, here is part 1 of a sneak peek at specific examples in the Identity & Access Management space:

    🔐 Why Identity & Access Management (IAM) in SAP Isn’t Just a Technical Task—It’s the Bedrock of Digital Trust:

    In my journey leading security and compliance across SAP S/4HANA landscapes, one thing has become clear:
    👉 Most technology and compliance risks in SAP start with IAM.

    Whether it's a segregation of duties (SoD) violation triggering a SOX audit concern, or an over-provisioned role exposing critical finance functions to cyber threats—weak IAM controls are often the root cause.

    💥 Two examples I’ve seen in practice:

    1️⃣ A leaver’s SAP account remained active for 90+ days—assigned with elevated access to finance master data. This became a red flag during SOX testing, requiring remediation and auditor escalations.
    ✅ Solution: Automating JML (Joiner-Mover-Leaver) processes and tying HR triggers directly to SAP IAM through workflows or identity governance tools alleviates most of the joiner and leaver controls; however, as we all know, Movers is a tricky one :-)

    2️⃣ A user was granted both vendor creation and payment approval access during a project cutover—creating a SoD risk. This wasn’t flagged in real time, and the GRC team caught it only during quarterly reviews.
    ✅ Solution: Implement real-time SoD simulations during role assignment and integrate access provisioning with embedded GRC rulesets.

    📊 Studies show that over 75% of SAP audit findings trace back to IAM-related gaps—ghost accounts, excessive privileges, missing ownership.

    But here's the flip side ➡️ Strong IAM uplifts everything.
    Better IAM = more accurate control testing = stronger GRC posture
    Better IAM = least-privilege by design = reduced attack surface
    Better IAM = faster recovery and response = enhanced resilience

    IAM is not just about "who has access." It’s about enabling secure operations, ensuring regulatory confidence, and supporting business continuity at scale.

    ✅ In SAP ecosystems, especially during S/4HANA transformation or cloud adoption, prioritising IAM can deliver compounding benefits across cybersecurity, compliance, and digital resilience.

    Would love to hear how others are elevating IAM in their ERP environments. What’s working—and what’s still a challenge?

    A bit about me... continued: The year is 2009 and I start to dabble in the world of ICFR and GRC rule sets, helping clients understand the nuances of access control and aligning that to operational processes. After spending two fabulous years at Philips, back then in Bangalore, and learning a lot from a 50-member-strong team of SAP Basis, Security and ABAP experts from companies like Capgemini, ATOS, CIBER, Accenture, Satyam (yes, it existed), I made some lifelong friends. Rest in next!

    #SAPSecurity #IAM #GRC #CyberResilience #SOXCompliance #SAP #CybersecurityLeadership #DigitalTrust

  • Sara Badran

    Senior Cybersecurity Business Development Representative | Client Relationship, Retention & Account Growth | Cybersecurity SaaS | Go-To-Market Execution

    93,891 followers

    ⚠️ Critical SAP S/4HANA Vulnerability Under Active Exploitation

    A severe flaw (CVE-2025-42957) with a CVSS score of 9.9 is being actively exploited in SAP S/4HANA.

    🔍 What’s happening?
      • Command Injection vulnerability in an RFC-exposed function module (requires S_DMIS authorization).
      • Attackers can gain full system control:
        • Alter databases
        • Create superuser accounts
        • Steal password hashes
      • No user interaction required.
      • Exploitable even from low-privileged accounts.

    ⚠️ Why it’s critical:
      • All SAP S/4HANA releases (Private Cloud & On-Premise) are affected.
      • Attack complexity is low → any basic user account with the vulnerable authorization can be leveraged.
      • Consequences include:
        • Fraud & Data Theft
        • Espionage
        • Ransomware installation
        • Complete breakdown of CIA (Confidentiality, Integrity, Availability).

    🛡️ What to do:
      • Apply SAP security patches immediately.
      • Review and restrict user privileges, especially S_DMIS.
      • Monitor RFC modules for unusual activity.

    #SAP #Vulnerability #CVE2025 #Exploit #CyberSecurity #DeXpose

  • Andrew Wilson

    The SAP partner you deserve.

    2,243 followers

    ⚠️ Critical SAP S/4HANA Vulnerability Exploited in the Wild (CVE-2025-42957)

    Our friends at SecurityBridge have confirmed exploitation of an ABAP code injection vulnerability in SAP S/4HANA (CVSS 9.9), all versions.

    According to the full blog post (link in comments), here are the main issues:
      • Exploitation requires only a low-privileged SAP user
      • Impacts all S/4HANA releases (Private Cloud & On-Premise)
      • Successful attack = full system compromise (OS access, database tampering, SAP_ALL creation, password hash theft, ransomware deployment, fraud, espionage…)
      • SecurityBridge has also verified attacks already occurring in the wild 🤯

    Immediate action required:
      • Apply SAP’s August 2025 patches (Notes 3627998 & 3633838)
      • Restrict RFC usage (UCON) and review access to S_DMIS (activity 02)
      • Monitor logs for suspicious RFC calls, new admin users, or ABAP changes
      • Harden defenses: segmentation, backups, SAP-specific monitoring

    As a SecurityBridge partner, our customers are already protected with the August patch in place. At Aliter Consulting Ltd. we help organisations install and configure SecurityBridge or provide SAP Security-as-a-Service to ensure vulnerabilities like this are remediated quickly and visibility is maintained across your SAP landscape.

    If you run SAP S/4HANA and haven’t patched yet, act immediately. Run Better. Run Secure.

  • Raghu Boddu, CISA, CFE, CDPSE

    Global CEO – ToggleNow | SAP Security Author (SAP PRESS) | ERP Cybersecurity Authority | SAP GRC & Data Security Expert

    28,182 followers

    99% of SAP systems have Security Audit Logging enabled… But almost NONE have integrity protection activated.

    Which means something nobody wants to admit:
    👉 Your audit logs can still be edited, deleted, or manipulated
    👉 And SAP won’t detect it unless HMAC integrity protection is enabled
    👉 Most teams believe “SM19/SM20 = secure” — but in S/4HANA, that’s outdated

    Over the past few weeks, I’ve been deep-diving into how SAP’s modern Security Audit Log (SAL) really works in S/4HANA — and why HMAC-based protection is mandatory for any SOX, ISO, or GDPR-compliant landscape.

    So I created a 12-page practical guide that explains:
    🔹 Why SAL integrity protection matters
    🔹 What HMAC actually does in SAP
    🔹 How the SAL architecture changed in S/4HANA
    🔹 Step-by-step: How to enable HMAC integrity
    🔹 A full audit-ready checklist you can use immediately
    🔹 Common mistakes Basis & GRC teams don’t know they’re making

    This is one of the most under-discussed areas in SAP security — but one of the most important.

    📄 If you want the full 12-page PDF guide, comment “SAL” and my team will share it with you. (Also posting a carousel below summarizing the highlights 👇)

    #SAPSecurity #SAPBasis #SAPGRC #SAPS4HANA #CyberSecurity #Audit #Compliance
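The property the post is pointing at, that an audit log without integrity protection can be edited or trimmed without anything noticing, is easiest to see by building the protection and then tampering with the log. The block below is an added example, not the post author's guide and not SAP's own SAL implementation: it chains an HMAC-SHA256 tag through a few constructed records so that an edit, a deletion or a reordering breaks verification, and shows the one case a chain alone does not catch (truncating the tail), which needs the final tag to be stored separately. The key and the record lines are constructed for the demonstration.

```python
"""Hash-chained HMAC over audit log records.

Added example, not from the post and not SAP's SAL code. Each record's tag
covers the record text and the previous record's tag, so a verifier holding
the key can detect any edit, deletion or reordering inside the log. Only a
holder of the key can produce valid tags, which is what makes HMAC (as opposed
to a plain hash) an integrity control against someone with write access to
the log files.
"""
import hashlib
import hmac

# Constructed sample records in the spirit of Security Audit Log entries.
SAMPLE_RECORDS = [
    "2025-01-10T08:01:12 AU1 logon successful user=JSMITH client=100",
    "2025-01-10T08:05:40 AU3 transaction started user=JSMITH tcode=SU01",
    "2025-01-10T08:06:02 AU7 user created by=JSMITH new_user=TEMPADMIN",
    "2025-01-10T08:06:15 AUB profile SAP_ALL assigned to=TEMPADMIN by=JSMITH",
]

# Constructed demo key; a real deployment keeps the key out of the log writer's
# reach (e.g. in a secure store) and rotates it.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # fixed "previous tag" for the first record


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over previous tag || record text."""
    return hmac.new(key, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


def seal_records(records, key):
    """Return [(record, tag_hex)] with every tag chained to the one before it."""
    sealed, prev = [], GENESIS
    for rec in records:
        tag = _tag(key, prev, rec)
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed


def verify_chain(sealed, key, expected_last_tag=None):
    """Return (ok, first_bad_index).

    Recomputes the chain from the start; the first record whose stored tag no
    longer matches is reported. Edits, deletions and reordering all surface
    here. Truncating the tail of the log leaves a valid shorter chain, which
    is why the last tag must be stored out of band and passed as
    expected_last_tag to be checked as well.
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        tag = _tag(key, prev, rec)
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev.hex(), expected_last_tag):
        return False, len(sealed)
    return True, None


if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS, DEMO_KEY)
    last_tag = sealed[-1][1]
    print("untouched:", verify_chain(sealed, DEMO_KEY, last_tag))

    # Someone rewrites the user-creation record to hide the new account.
    edited = list(sealed)
    edited[2] = (edited[2][0].replace("TEMPADMIN", "HELPDESK"), edited[2][1])
    print("edited record 2:", verify_chain(edited, DEMO_KEY, last_tag))

    # Someone deletes the user-creation record entirely.
    deleted = sealed[:2] + sealed[3:]
    print("deleted record 2:", verify_chain(deleted, DEMO_KEY, last_tag))

    # Someone drops the last record: chain alone passes, stored last tag catches it.
    truncated = sealed[:3]
    print("truncated, chain only:", verify_chain(truncated, DEMO_KEY))
    print("truncated, with last tag:", verify_chain(truncated, DEMO_KEY, last_tag))
```

The truncation case is the one to remember when reading the post's checklist: chaining tells you the log is internally consistent, but only a tag that is kept outside the log (or a periodic signed checkpoint) tells you the log is complete.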
