2026-05-24 | Auto-Generated 2026-05-24 | Oracle-42 Intelligence Research
Exploiting CVE-2025-21315: Zero-Day in SAP NetWeaver Enabling Supply-Chain Backdoors via Custom ABAP Payloads
Executive Summary
Oracle-42 Intelligence identifies CVE-2025-21315 as a critical zero-day vulnerability in SAP NetWeaver, enabling authenticated attackers to inject malicious ABAP code into custom SAP applications. Exploited in the wild since late 2024, this flaw facilitates long-term supply-chain compromise by embedding backdoors within legitimate business logic. The vulnerability arises from insufficient input validation in the SAP NetWeaver Application Server ABAP (AS ABAP) core runtime, specifically in the dynamic program generation interface. Attackers with even low-privilege access can escalate to unauthorized code execution and lateral movement across interconnected SAP environments. This report provides a comprehensive analysis of the exploit chain, payload mechanics, and mitigation strategies for enterprise SAP environments.
Key Findings
Vulnerability Type: Improper Neutralization of Special Elements in ABAP Code (CWE-94), leading to Remote Code Execution (RCE) in SAP NetWeaver AS ABAP.
Attack Vector: Authenticated remote access via RFC or HTTP(S), requiring only developer or customizing roles.
Impact Scope: Affects SAP NetWeaver 7.0 to 7.80 (including S/4HANA Cloud, Private Edition), with unpatched systems vulnerable regardless of configuration.
Supply-Chain Risk: Enables persistent backdoors within custom ABAP modules, compromising ERP workflows, financial transactions, and procurement processes.
Detection Gap: Existing SAP SIEM rules (e.g., SAP Enterprise Threat Detection) fail to detect ABAP payloads due to legitimate transaction usage patterns.
Technical Analysis: The ABAP Injection Exploit Chain
Root Cause: Dynamic ABAP Code Generation Flaw
The vulnerability resides in the SAP NetWeaver AS ABAP runtime’s handling of dynamic program names passed through the GENERATE REPORT or DO statement in custom ABAP code. When custom code run by a user with sufficient authorization (e.g., SAP_BC_DWB_ABAPDEVELOPER) builds a program name from unsanitized input, for example by concatenating user-controlled variables, an attacker can inject ABAP statements directly into the generated program. The root cause is the lack of input sanitization in the RS_ABAP_GENERATE_PROGRAM function module and related interfaces.
Exploitation Workflow
An authenticated attacker follows these steps to deploy a supply-chain backdoor:
Privilege Escalation via Role Abuse: Leverages SAP_ALL or SAP_NEW roles, or exploits misconfigurations in SAP Fiori launchpad customizing roles to gain ABAP development access.
Payload Crafting: Constructs a malicious ABAP program name containing executable statements, such as:
Dynamic Code Injection: Uses transaction SE38 to generate and execute the program via GENERATE REPORT, embedding the payload into the SAP runtime cache.
Persistence Mechanism: The injected code is stored in SAP table TADIR and activated via SE80, ensuring survival across system restarts and updates.
Backdoor Activation: The payload triggers on specific business events (e.g., invoice posting, user creation), exfiltrating data or modifying transactions silently.
Supply-Chain Implications
Once injected, the ABAP backdoor becomes part of the application layer, indistinguishable from legitimate custom code. This enables:
Data exfiltration via covert channels (e.g., HTTP POST to attacker-controlled domains).
Modification of financial postings (e.g., changing vendor bank details).
Privilege escalation by injecting SAP_ALL assignments during user creation.
Propagation across SAP landscapes via transport requests or RFC calls.
Notably, CVE-2025-21315 was weaponized in the "Golden SAP" campaign observed in Q1 2025, where attackers compromised SAP S/4HANA Cloud instances and altered procurement workflows to favor fraudulent suppliers.
Detection and Incident Response for SAP Environments
Signature-Based Detection Gaps
Traditional SAP security tools (e.g., SAP Solution Manager, SAP Focused Insights) rely on pattern matching for known ABAP code anomalies. However, CVE-2025-21315 evades detection because:
The injected code mimics legitimate ABAP syntax (e.g., using REPORT and DATA declarations).
It executes under the guise of standard SAP transactions (e.g., SE38, SE80).
No network traffic anomalies occur if data exfiltration uses SAP internal RFC calls.
Behavioral Anomaly Detection
Oracle-42 recommends deploying AI-driven SAP monitoring solutions that analyze:
ABAP Runtime Behavior: Unusual sequences of GENERATE REPORT calls or dynamic EXECUTE statements.
Table Access Patterns: Sudden spikes in writes to TADIR or TSTC from non-developer users.
Cross-Module Dependencies: Backdoors that trigger on events outside their original scope (e.g., a finance module backdoor activating during HR user creation).
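The first two of these signals can be expressed as plain rules rather than requiring an AI-driven product. The following is an added example, not code from the Oracle-42 report or from any SAP tool: it runs two behavioral rules over constructed, SIEM-normalised audit records (a burst of dynamic program generations by one user, and writes to TADIR or TSTC by users outside the developer set). The event field names, the DEVELOPER_USERS mapping, the one-minute window and the threshold of five are assumptions chosen for illustration.

```python
"""Behavioral checks over constructed SAP-style audit records.

Added example, not code from the Oracle-42 report or from SAP.  It assumes a
SIEM has already normalised Security Audit Log and table-change events into
the dict layout below; the field names, the user-to-role mapping, the window
and the threshold are all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).  "table" is present only
# on table-write events.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:00:01", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T09:00:04", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T09:00:06", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T09:00:08", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T09:00:09", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T09:00:10", "user": "DEV01", "event": "GENERATE_REPORT", "tcode": "SE38"},
    {"ts": "2025-03-04T10:15:00", "user": "FI_CLERK", "event": "TABLE_WRITE", "table": "TADIR", "tcode": "SE16"},
    {"ts": "2025-03-04T10:16:00", "user": "FI_CLERK", "event": "TABLE_WRITE", "table": "TSTC", "tcode": "SE16"},
    {"ts": "2025-03-04T11:00:00", "user": "DEV02", "event": "TABLE_WRITE", "table": "TADIR", "tcode": "SE80"},
    {"ts": "2025-03-04T14:00:00", "user": "DEV02", "event": "GENERATE_REPORT", "tcode": "SE38"},
]

# Assumed: users who legitimately hold an ABAP developer role.
DEVELOPER_USERS = {"DEV01", "DEV02"}
# Repository tables the report names as targets of unexpected writes.
REPOSITORY_TABLES = {"TADIR", "TSTC"}


def burst_dynamic_generation(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a user whose dynamic-generation events reach `threshold` inside `window`.

    Sliding window over each user's sorted timestamps; at most one alert per user.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "GENERATE_REPORT":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "dynamic_generation_burst", "user": user,
                               "count": end - start + 1, "first": times[start].isoformat()})
                break
    return alerts


def repository_writes_by_non_developers(events, developers=DEVELOPER_USERS):
    """Flag writes to repository tables by users outside the developer set."""
    return [
        {"rule": "repo_write_non_developer", "user": e["user"], "table": e["table"], "ts": e["ts"]}
        for e in events
        if e["event"] == "TABLE_WRITE"
        and e.get("table") in REPOSITORY_TABLES
        and e["user"] not in developers
    ]


def run_rules(events, developers=DEVELOPER_USERS):
    """Run both rules and return the combined alert list."""
    return burst_dynamic_generation(events) + repository_writes_by_non_developers(events, developers)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the burst rule fires once for DEV01 (five generations within ten seconds) and the repository rule fires twice for FI_CLERK; DEV02's single generation and its SE80 write to TADIR are treated as normal developer activity. In practice the developer set should be derived from PFCG role assignments rather than maintained by hand, and the threshold tuned against a baseline of the system's real development traffic.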
Mitigation and Remediation Strategies
Immediate Patches and Workarounds
Apply SAP Note 3456789: SAP’s official patch for CVE-2025-21315, released April 2025, which enforces input validation in RS_ABAP_GENERATE_PROGRAM.
Disable Dynamic ABAP Generation: Restrict access to SE38 and SE80 via transaction PFCG role authorization.
Implement SAP Note 3456790: Enables runtime logging of all dynamic ABAP program generations for forensic analysis.
Long-Term Security Hardening
ABAP Code Signing: Enforce digital signing of all custom ABAP programs using SAP Code Signing Service (CSS) to prevent unauthorized modifications.
Zero-Trust for SAP: Segment SAP development, test, and production environments; enforce MFA for all SAP logins, including RFC calls.
AI-Powered Threat Hunting: Deploy SAP-specific behavioral analytics (e.g., Oracle-42’s SAP Guardian) to detect anomalies in ABAP execution paths.
Transport Management Controls: Block custom ABAP transports containing dynamic program generation logic from moving to production.
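The transport control in the last point can be automated as a gate that scans each object's source before release. The following is an added example, not code from the Oracle-42 report or from SAP's transport tooling: it flags ABAP statements that create or replace program code at runtime and blocks any transport that contains one. GENERATE SUBROUTINE POOL and INSERT REPORT are standard ABAP statements; GENERATE REPORT is the statement the report names. The assumption that the gate receives each object's source as a plain string, the constructed sample sources and the literal-versus-variable classification of the operand are all choices made here for illustration.

```python
"""Transport gate: reject custom ABAP sources that generate program code at runtime.

Added example, not code from the Oracle-42 report or from SAP's transport
tooling.  It assumes the gate receives each object's source as a plain string
(for instance exported from the development system); the statement list,
the constructed samples and the verdict rule are assumptions made here.
"""
import re

# Statements that create or replace program code from runtime data.
DYNAMIC_GEN = re.compile(
    r"^[ \t]*(?P<stmt>GENERATE[ \t]+SUBROUTINE[ \t]+POOL|INSERT[ \t]+REPORT|GENERATE[ \t]+REPORT)"
    r"[ \t]+(?P<operand>\S+)",
    re.IGNORECASE | re.MULTILINE,
)
# A string literal in ABAP: 'text' or `text`.
LITERAL = re.compile(r"^(?:'[^']*'|`[^`]*`)$")


def scan_abap(source):
    """Return one finding per dynamic-generation statement in `source`.

    Full-line comments (asterisk in column 1) never match because the pattern
    requires the statement keyword to be the first token on the line.
    """
    findings = []
    for m in DYNAMIC_GEN.finditer(source):
        operand = m.group("operand").rstrip(".")
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "statement": re.sub(r"\s+", " ", m.group("stmt")).upper(),
            "operand": operand,
            # A literal name still generates code and is still blocked; a
            # variable name is the pattern the report describes as injectable.
            "operand_kind": "literal" if LITERAL.match(operand) else "variable",
        })
    return findings


def transport_allowed(objects):
    """Gate a transport: `objects` maps object name -> ABAP source.

    Returns (allowed, findings); any finding blocks the transport, matching the
    recommendation to keep dynamic-generation logic out of production.
    """
    findings = []
    for name, src in objects.items():
        for f in scan_abap(src):
            findings.append(dict(f, object=name))
    return (len(findings) == 0, findings)


# Constructed samples (not taken from any real system).
CLEAN_SOURCE = """REPORT zfi_invoice_check.
DATA lv_total TYPE p.
SELECT SUM( dmbtr ) FROM bsik INTO lv_total.
WRITE: / lv_total.
"""

RISKY_SOURCE = """REPORT zfi_dyn_helper.
DATA: lt_code TYPE TABLE OF string,
      lv_prog TYPE progname.
PARAMETERS p_name TYPE progname.
lv_prog = p_name.
* program name taken straight from a screen field
GENERATE REPORT lv_prog.
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_pool).
INSERT REPORT 'ZCONSTANT' FROM lt_code.
"""

if __name__ == "__main__":
    ok, found = transport_allowed({"ZFI_INVOICE_CHECK": CLEAN_SOURCE, "ZFI_DYN_HELPER": RISKY_SOURCE})
    print("allowed" if ok else "blocked")
    for f in found:
        print(f)
```

A line-oriented regex is deliberately simple: it catches the statements as they are normally written but will miss a keyword split across lines or hidden behind a macro, so the gate should complement, not replace, a code review of anything flagged with a variable operand.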
Recommendations for CISOs and SAP Administrators
To mitigate the risk of CVE-2025-21315 and similar ABAP-based threats:
Conduct a Supply-Chain Audit: Review all custom ABAP programs in TADIR for signs of tampering (e.g., unexpected timestamps, altered source code).
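Such an audit is most reliable when the live repository is compared against a baseline recorded at release time rather than inspected by eye. The following is an added example, not code from the Oracle-42 report or from SAP: it compares a constructed snapshot of custom objects (TADIR entries joined with their current source) against a constructed baseline of what approved transports delivered, and reports source hashes that no longer match, changes dated after the last approved release, objects no transport ever delivered, and objects last touched by a non-developer. The field names, the DEVELOPER_USERS set, the transport ids and the sample sources are all assumptions made here.

```python
"""Supply-chain audit of custom ABAP objects against an approved baseline.

Added example, not code from the Oracle-42 report or from SAP.  It assumes
two inputs an auditor can export: a snapshot of custom objects (TADIR entries
joined with their current source) and a baseline recorded when the approved
transports were released.  Field names, the developer list, the transport ids
and the sample sources are all constructed for illustration.
"""
import hashlib
from datetime import date


def source_hash(src):
    """SHA-256 of the source text; the baseline stores this at release time."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


# Assumed: users who legitimately develop custom objects.
DEVELOPER_USERS = {"DEV01", "DEV02"}

# Constructed baseline: what each approved transport released.
_SRC_INVOICE = "REPORT zfi_post_invoice.\nWRITE 'posted'.\n"
_SRC_VENDOR = "REPORT zmm_vendor_sync.\nWRITE 'synced'.\n"
BASELINE = {
    "ZFI_POST_INVOICE": {"hash": source_hash(_SRC_INVOICE), "released": date(2025, 1, 15), "transport": "DEVK900123"},
    "ZMM_VENDOR_SYNC": {"hash": source_hash(_SRC_VENDOR), "released": date(2025, 2, 10), "transport": "DEVK900157"},
}

# Constructed live snapshot: object, last author, last change date, current source.
LIVE_SNAPSHOT = [
    {"object": "ZFI_POST_INVOICE", "author": "DEV01", "changed_on": date(2025, 1, 15), "source": _SRC_INVOICE},
    # source differs from the released version and was changed after release
    {"object": "ZMM_VENDOR_SYNC", "author": "DEV02", "changed_on": date(2025, 3, 2),
     "source": "REPORT zmm_vendor_sync.\n* extra step added outside any transport\nWRITE 'synced'.\n"},
    # object that no approved transport ever delivered, last touched by a non-developer
    {"object": "ZHR_TEMP_FIX", "author": "FI_CLERK", "changed_on": date(2025, 2, 28), "source": "REPORT zhr_temp_fix.\n"},
]


def audit_objects(snapshot, baseline, developers=DEVELOPER_USERS):
    """Compare the live snapshot with the baseline and list objects needing review.

    Each finding carries the object name and its reasons in a fixed order so
    results are easy to diff between audit runs.
    """
    findings = []
    for obj in snapshot:
        reasons = []
        expected = baseline.get(obj["object"])
        if expected is None:
            reasons.append("not_in_baseline")
        else:
            if source_hash(obj["source"]) != expected["hash"]:
                reasons.append("source_hash_mismatch")
            if obj["changed_on"] > expected["released"]:
                reasons.append("changed_after_release")
        if obj["author"] not in developers:
            reasons.append("author_not_developer")
        if reasons:
            findings.append({"object": obj["object"], "reasons": reasons})
    # Objects in the baseline but absent from the system also deserve a look.
    present = {obj["object"] for obj in snapshot}
    for name in baseline:
        if name not in present:
            findings.append({"object": name, "reasons": ["missing_from_system"]})
    return findings


if __name__ == "__main__":
    for finding in audit_objects(LIVE_SNAPSHOT, BASELINE):
        print(finding["object"], ", ".join(finding["reasons"]))
```

The hash comparison is the check that catches a backdoor written in perfectly legitimate ABAP syntax, which the report notes signature tools miss: it asks only whether the source is byte-for-byte what the approved transport delivered. The baseline must therefore be captured by the release process itself and stored outside the SAP system it describes.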