SAP S/4HANA
cpe:2.3:a:sap:s/4_hana:*:*:*:*:*:*:*
A vulnerability in SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to inject arbitrary ABAP code or operating system commands into the system, bypassing critical authorization checks. This vulnerability, present in a function module exposed through Remote Function Call (RFC), effectively acts as a backdoor, posing a risk of complete system compromise and undermining the system's confidentiality, integrity, and availability.
Exploitation of this vulnerability could lead to a full system compromise, allowing unauthorized access and control over the system, with potential exploitation of the underlying operating system.
Users are advised to consult the SAP Security Notes for guidance on applying patches and addressing this vulnerability. This vulnerability will be addressed in the next SAP Security Patch Day, scheduled for November 10, 2026.