SAP Landscape Transformation Arbitrary Code Injection Vulnerability via RFC

A vulnerability in SAP Landscape Transformation (SLT) allows users with certain privileges to inject arbitrary ABAP code into the system through a function module exposed via RFC. This exploitation bypasses critical authorization checks, effectively creating a backdoor that could lead to a complete system compromise, jeopardizing the system's confidentiality, integrity, and availability.

Impact

Exploitation of this vulnerability could result in a full system compromise, allowing unauthorized access and control over the affected system.

Remediation

Users are advised to review and implement the SAP Security Note related to this vulnerability. This can be done through the SAP for Me platform, specifically in the Security Notes section. Regular SAP Security Patch Days are scheduled for the second Tuesday of each month, where critical security updates are released.