By NHI Mgmt Group Editorial Team
Published 2025-08-12
Domain: Breaches & Incidents
Source: Pathlock

TL;DR: SAP’s August 12, 2025 Patch Day delivers 15 new Security Notes and four updates, including three CVSS 9.9 code injection flaws in S/4HANA, Landscape Transformation, and Analytics that can lead to full system compromise through RFC-exposed function modules, according to Pathlock. RFC trust boundaries are now the decisive control point, because low-privilege access can become arbitrary ABAP execution in one step.


At a glance

What this is: SAP’s latest Patch Day fixes multiple critical RFC-facing vulnerabilities, including three CVSS 9.9 code injection issues that can enable remote ABAP execution and full system takeover.

Why it matters: For IAM and SAP security teams, the issue is not just patching but controlling who can reach RFC-exposed functions, because over-broad access can turn low privilege into administrative impact.

By the numbers:

  • SAP has released 15 new Security Notes as part of the August 12, 2025 Patch Day, along with 4 updates to previously released notes.



Context

SAP’s August Patch Day shows how quickly an RFC trust issue can become a platform-wide identity and access problem. When low-privilege users can reach function modules that were never meant to accept arbitrary input, the control failure is not just code quality; it is over-permissioned execution paths inside a business-critical identity perimeter.

For SAP estates, this is a governance problem as much as a vulnerability-management problem. Teams that treat RFC exposure, transformation layers, and administrative service access as separate technical concerns will miss the shared issue: attackable entry points often sit inside trusted business workflows, where access review and segmentation are usually weaker than operators assume.


Key questions

Q: What breaks when RFC-exposed SAP function modules are not tightly controlled?

A: Low-privilege input can be converted into trusted execution, which means an attacker may move from a normal user path to arbitrary ABAP code execution. In SAP environments, that can lead to privilege escalation, data exposure, and system-wide compromise because the function module is acting as an execution boundary rather than a simple interface.

Q: Why do SAP transformation and analytics components create higher risk than standard application endpoints?

A: They sit close to data movement and system orchestration, so a flaw there can reach privileged business logic quickly. When these components accept attacker-controlled input through RFC or related interfaces, the attacker may influence execution context, not just data fields, which increases blast radius beyond the original component.

Q: What do security teams get wrong about SAP patching?

A: They often treat patching as the whole answer and miss exposure inventory, entitlement scope, and service authorization. A patched system can still be risky if RFC paths remain reachable, custom code still trusts them, or administrative service APIs still allow excessive privilege.

Q: Who is accountable when a broken SAP administrative check exposes privileged functions?

A: The accountable teams are both SAP platform owners and identity governance owners, because the failure sits at the intersection of application authorization, service principal control, and access review. Frameworks such as the NIST Cybersecurity Framework and SAP authorization governance both require these access paths to be limited, monitored, and recertified.


Technical breakdown

RFC-exposed function modules create a trusted execution path

Remote Function Call, or RFC, is SAP’s mechanism for invoking functions across systems and components. That makes it powerful, but also dangerous when exposed modules accept attacker-controlled input without tight authorization and validation. In this patch cycle, the critical flaws sit in transformation and analytics layers where RFC input can be converted into executable ABAP logic. Once that happens, the attacker is no longer abusing a simple interface. They are using a trusted execution path to change system behaviour from the inside.

Practical implication: Restrict RFC reachability and validate authorization on every exposed function module before input reaches execution logic.

Code injection in ABAP turns low privilege into high-impact execution

ABAP is SAP’s application language, and injection here means attacker-controlled data is interpreted as code rather than content. That is the difference between a bad request and remote execution. The most severe notes in this patch set show that low-privilege users can pivot into arbitrary ABAP execution through weaknesses in Landscape Transformation and S/4HANA analytics. In practice, the exploit chain is simple: reach the RFC endpoint, pass malicious input, and inherit the application’s execution context.

Practical implication: Treat any RFC path that can influence ABAP flow as a privileged execution surface, not a standard input channel.

Authorization failures in SAP services expand blast radius beyond the original flaw

Not every issue in this release is remote code execution. The Business One SLD flaw shows a different but related pattern: broken authorization lets normal users invoke administrative APIs and escalate privileges. Other notes involve XSS, token logging, and file-path abuse, all of which can expose session state or sensitive data once the attacker is inside the trusted SAP interface layer. The pattern is consistent: once identity checks or service boundaries fail, the blast radius moves quickly from one component to the wider ERP environment.

Practical implication: Review service-specific authorization, not just patch status, because one weak administrative API can expose the whole SAP control plane.
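The three findings above share one control: authorization and input allowlisting must run before a caller-supplied value can steer what a remote-enabled module executes. The following Python model is an added example, not SAP's or Pathlock's code. It stands in for a dispatcher in front of RFC-enabled function modules, checks the caller's authorization first, then allowlists every execution-steering parameter, and counts body executions so a denied call can be shown never to have reached the module's logic. SAP's real primitives are AUTHORITY-CHECK, the S_RFC authorization object and SACF scenarios; the module and authorization names here (Z_ANALYTICS_RUN, Z_ANALYTICS_EXEC) are constructed for illustration.

```python
"""Added example, not SAP's or Pathlock's code: a Python model of the
gate the section calls for, authorization and allowlisting applied
before any caller-supplied value reaches a remote-enabled module's
logic. SAP's real primitives are AUTHORITY-CHECK, the S_RFC object and
SACF scenarios; the module and authorization names below (Z_*) are
constructed for illustration."""
from dataclasses import dataclass
from functools import wraps


class RfcDenied(Exception):
    """Raised by the gate; when it fires, the wrapped body never runs."""


@dataclass(frozen=True)
class Caller:
    user: str
    auths: frozenset  # constructed stand-in for held authorization objects


# How often each module body actually executed, so a test can show that
# a denied call never reached execution logic.
EXECUTIONS: dict = {}

# Remote-enabled modules discovered through the decorator.
REMOTE_MODULES: dict = {}


def rfc_enabled(auth_object, allowlists):
    """Register a function as remote-callable and wrap it in a gate.

    auth_object: authorization the caller must hold.
    allowlists:  {param: accepted_values}; every parameter that can steer
                 execution (report id, table or field name) is listed and
                 checked before the body sees it.
    """
    def decorate(fn):
        module = fn.__name__.upper()

        @wraps(fn)
        def gated(caller, **params):
            # 1. Authorization first, so an unauthorized caller learns
            #    nothing about which parameter values would be accepted.
            if auth_object not in caller.auths:
                raise RfcDenied(f"{module}: {caller.user} lacks {auth_object}")
            # 2. Allowlist each execution-steering value before use.
            for name, allowed in allowlists.items():
                if params.get(name) not in allowed:
                    raise RfcDenied(f"{module}: rejected {name}={params.get(name)!r}")
            EXECUTIONS[module] = EXECUTIONS.get(module, 0) + 1
            return fn(**params)

        REMOTE_MODULES[module] = gated
        return gated
    return decorate


@rfc_enabled("Z_ANALYTICS_EXEC",
             {"report": {"SALES_BY_REGION", "STOCK_AGEING"},
              "order_by": {"REGION", "AMOUNT", "MATNR"}})
def z_analytics_run(report, order_by):
    # A dynamic clause assembled only from allowlisted values: the
    # stand-in for a dynamic WHERE / ORDER BY built in ABAP.
    return f"SELECT * FROM {report} ORDER BY {order_by}"


def call_rfc(caller, module, **params):
    """The entry point a remote caller reaches. Modules not registered as
    remote-enabled are refused before any of their logic is looked up."""
    fn = REMOTE_MODULES.get(module)
    if fn is None:
        raise RfcDenied(f"{module}: not remote-enabled")
    return fn(caller, **params)


def try_call(caller, module, **params):
    """Return (ok, result_or_reason) so outcomes can be compared."""
    try:
        return True, call_rfc(caller, module, **params)
    except RfcDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    analyst = Caller("ANALYST", frozenset({"Z_ANALYTICS_EXEC"}))
    clerk = Caller("CLERK01", frozenset())
    print(try_call(analyst, "Z_ANALYTICS_RUN", report="SALES_BY_REGION", order_by="REGION"))
    print(try_call(clerk, "Z_ANALYTICS_RUN", report="SALES_BY_REGION", order_by="REGION"))
    print(try_call(analyst, "Z_ANALYTICS_RUN", report="SALES_BY_REGION", order_by="CREATED_BY"))
    print(try_call(analyst, "Z_OTHER", report="X"))
    print(EXECUTIONS)
```

The order of the two checks is deliberate: failing authorization before parsing parameters means an unauthorized caller cannot use rejection messages to learn which values a module accepts, and any parameter that is not in the allowlist never reaches the body, which is the property a dynamic ABAP statement depends on.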


Threat narrative

Attacker objective: The attacker wants to move from low-privilege access into trusted SAP execution so they can control business-critical systems and access sensitive data.

  1. Entry occurs through RFC-exposed function modules in SAP transformation and analytics components, where attacker-controlled input reaches trusted business logic.
  2. Escalation follows when malformed input is interpreted as ABAP code or when broken authorization lets a normal user invoke administrative APIs.
  3. Impact is full system compromise, including remote code execution, privilege escalation, data exposure, and potential disruption of SAP availability.

Related NHI breaches:

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

RFC exposure is now an identity boundary, not just an application interface. These SAP notes show that the real control surface is not the patch number alone but who can reach trusted function modules, with what privilege, and through which path. When RFC endpoints can transform low-privilege input into code execution, the access model has already failed before the exploit runs. Practitioners should treat RFC reachability as part of identity governance, not as a separate network concern.

Service authorization failures in ERP environments create an identity blast radius that security teams often underestimate. The Business One SLD issue demonstrates how a single broken administrative check can expose credentials and elevate ordinary users into privileged operators. That is not a narrow defect. It is a reminder that ERP service accounts, admin APIs, and backend operations need the same lifecycle and access scrutiny as any other high-value identity. Practitioners should re-evaluate administrative trust inside SAP service layers.

Code injection in transformation layers shows that business integration points are also privilege escalation points. Landscape Transformation and analytics components are often treated as plumbing, yet they sit close to the core of data movement and system orchestration. Once those paths accept attacker-controlled instructions, the difference between integration and execution disappears. The implication is clear: transformation endpoints must be governed as privileged control points, with tighter entitlement review and segment-level exposure limits.

SAP patch cycles are only effective when paired with exposure inventory and access review discipline. The presence of three CVSS 9.9 issues in one release signals structural risk in how enterprise platforms expose rich administrative functions. Patching closes a known defect, but it does not answer which interfaces are still reachable, which custom code still trusts them, or which users can still hit them. Practitioners should connect vulnerability management to entitlement control and service boundary mapping.

Code injection via RFC illustrates the named concept of trust-to-execution collapse. In these vulnerabilities, a trusted business interface stops behaving like a request channel and becomes an execution surface because the system assumes input will remain non-executable. That assumption fails when attacker-controlled payloads are interpreted as ABAP under the application’s own privilege. The implication is that RFC governance must be designed around execution risk, not interface convenience.


What this signals

SAP patch urgency is only half the story. The more lasting programme change is to treat RFC exposure, service APIs, and transformation endpoints as governed identity surfaces, then tie them to entitlement review and segmentation before the next patch cycle arrives.

Privilege-to-execution collapse: This pattern describes environments where a trusted interface turns ordinary access into code execution because input validation and authorization are too weak. For SAP teams, that means mapping the smallest set of users and services that can reach high-risk modules, then reducing exposure before attackers do.

With two-thirds of enterprises already reporting successful attacks tied to compromised non-human identities, the broader lesson is that exposed service paths are not theoretical risk. SAP owners should use this moment to align platform patching with the access discipline described in 52 NHI Breaches Analysis and with the control expectations in the OWASP Non-Human Identity Top 10.


For practitioners

  • Inventory every RFC-exposed function module: Map which RFC endpoints are reachable from internal networks, partner links, and custom integrations. Then classify them by business criticality and execution risk so you can remove unnecessary exposure before patching windows close.
  • Tighten administrative authorization on SAP service APIs: Review SLD, ICF, and other service-layer permissions so normal users cannot invoke admin operations. Validate that only the intended service principal, such as B1SiteUser where applicable, can perform privileged actions.
  • Treat transformation and analytics layers as privileged execution surfaces: Apply emergency patching and exposure reduction to S/4HANA transformation paths, SLT, and analytics endpoints. These components sit close to code execution, so delay increases the chance that a low-privilege request becomes a full compromise.
  • Use SACF rules to constrain risky RFC paths: Review SAP Authorization Concept Framework policies for RFCs and align them with real business usage. Remove broad access where business functions do not require it, and log exceptions so they can be recertified.
  • Monitor for exploit signals in SAP logs and browser flows: Watch for SQL Console abuse, ICF anomalies, reflected XSS behaviour, and unexpected token logging. Pair that monitoring with segmentation around critical SAP services so a single abused interface cannot expand to system-wide impact.
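The first and last items above, exposure inventory and monitoring, fit together: the inventory tells the detection logic which modules are worth watching and who is allowed to call them. The following Python is an added example, not Pathlock's or SAP's tooling. It tiers a constructed inventory of remote-enabled modules by how directly a low-privilege request could become execution (no authorization check, dynamic code built from input, reachability from partner links), then runs a detection pass over constructed RFC-call log lines and flags calls to CRITICAL or HIGH modules from callers outside the approved set, plus calls from a network zone the inventory does not list. The module names, roles, zones and the pipe-separated log format are all constructed; SAP's Security Audit Log has its own record layout and would need its own parser.

```python
"""Added example, not Pathlock's or SAP's tooling: RFC exposure tiering
plus a detection pass over constructed RFC-call log lines. All module
names, callers, zones and the log format are constructed; SAP's
Security Audit Log uses its own record layout."""
from dataclasses import dataclass


@dataclass
class RfcModule:
    name: str
    remote_enabled: bool
    has_auth_check: bool   # AUTHORITY-CHECK or SACF scenario present
    dynamic_code: bool     # builds code or dynamic SQL from caller input
    reachable_from: set    # zones that hold an RFC destination to it
    approved_callers: set  # users / service principals meant to call it


TIER_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def exposure_tier(m: RfcModule) -> str:
    """Rank by how directly low-privilege input could become execution."""
    if not m.remote_enabled:
        return "NONE"
    external = bool(m.reachable_from - {"internal"})
    if m.dynamic_code and not m.has_auth_check:
        return "CRITICAL"
    if m.dynamic_code or (not m.has_auth_check and external):
        return "HIGH"
    if not m.has_auth_check or external:
        return "MEDIUM"
    return "LOW"


def inventory(modules):
    """(name, tier) for every remote-enabled module, most exposed first."""
    rows = [(m.name, exposure_tier(m)) for m in modules if m.remote_enabled]
    return sorted(rows, key=lambda r: TIER_ORDER.index(r[1]))


# Constructed log format: timestamp|user|module|source_zone|result
SAMPLE_LOG = """\
2025-08-12T09:01:10|SVC_SLT|Z_LT_TRANSFORM|internal|OK
2025-08-12T09:02:44|CLERK01|Z_LT_TRANSFORM|partner|OK
2025-08-12T09:02:45|CLERK01|Z_ANALYTICS_RUN|partner|OK
2025-08-12T09:03:00|ANALYST|Z_ANALYTICS_RUN|internal|OK
2025-08-12T09:05:12|CLERK01|Z_LT_TRANSFORM|partner|DENIED
"""


def parse_log(text):
    """Yield one dict per non-empty line of the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, module, zone, result = line.split("|")
        yield {"ts": ts, "user": user, "module": module,
               "zone": zone, "result": result}


def detect(modules, log_text):
    """Findings as (kind, event). Denied attempts are kept on purpose:
    a low-privilege caller probing a CRITICAL module is itself a signal."""
    by_name = {m.name: m for m in modules}
    findings = []
    for ev in parse_log(log_text):
        m = by_name.get(ev["module"])
        if m is None:
            findings.append(("UNINVENTORIED_MODULE", ev))
            continue
        tier = exposure_tier(m)
        if ev["user"] not in m.approved_callers and tier in ("CRITICAL", "HIGH"):
            findings.append((f"UNAPPROVED_CALLER_{tier}", ev))
        if ev["zone"] not in m.reachable_from:
            findings.append(("UNEXPECTED_SOURCE_ZONE", ev))
    return findings


# Constructed inventory; the names mirror the example's own modules only.
MODULES = [
    RfcModule("Z_LT_TRANSFORM", True, False, True, {"internal", "partner"}, {"SVC_SLT"}),
    RfcModule("Z_ANALYTICS_RUN", True, True, True, {"internal"}, {"ANALYST"}),
    RfcModule("Z_PING", True, True, False, {"internal"}, {"ANALYST", "SVC_SLT"}),
    RfcModule("Z_LOCAL_HELPER", False, False, False, set(), set()),
]

if __name__ == "__main__":
    for name, tier in inventory(MODULES):
        print(f"{tier:9} {name}")
    for kind, ev in detect(MODULES, SAMPLE_LOG):
        print(kind, ev["ts"], ev["user"], ev["module"], ev["zone"], ev["result"])
```

The tiering deliberately puts "dynamic code from input with no authorization check" above everything else, because that is the shape of the CVSS 9.9 notes: the module itself is the execution boundary. In a real estate the inventory would come from the system's own function-module metadata and RFC destinations rather than a hand-written list, and approved callers would be derived from the role assignments that survive recertification.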

Key takeaways

  • SAP’s August Patch Day exposes a recurring failure mode where trusted RFC paths can become execution surfaces if authorization and input handling are weak.
  • The release includes three CVSS 9.9 issues, showing that a single exposed interface can create full-system compromise, data breach, and privilege escalation risk.
  • Patching matters, but exposure inventory, service authorization, and segmentation are what prevent low privilege from becoming high-impact execution.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
--------------------------------|---------------------|-----------------------------------------------------------------------
OWASP Non-Human Identity Top 10 | NHI-03              | RFC-exposed service paths resemble over-privileged NHI access surfaces.
NIST CSF 2.0                    | PR.AC-4             | Access control and least privilege are central to stopping RFC abuse.
NIST Zero Trust (SP 800-207)    | PR.AC-3             | Zero trust requires verifying access to SAP control points before execution.

Treat RFC endpoints as protected resources and verify each request before allowing execution.


Key terms

  • RFC-exposed function module: An RFC-exposed function module is a remotely callable SAP routine that can be reached from another system or service. In identity terms, it is a high-value execution boundary because access to the module can become access to trusted business logic if authorization and input validation are weak.
  • Code injection: Code injection occurs when attacker-controlled input is interpreted as executable instructions instead of data. In SAP environments, that can mean ABAP is executed with application privileges, turning a normal request into a compromise path that affects confidentiality, integrity, and availability.
  • Security Note: A Security Note is SAP’s formal advisory for a product flaw and the correction steps needed to address it. For practitioners, the note is only useful when tied to exposure inventory, because a patch does not remove risk if the affected service remains reachable or over-permissioned.
  • Service authorization: Service authorization is the control that determines which users or principals can call privileged application functions. In SAP, weak service authorization can let ordinary users invoke administrative APIs, which is why entitlement scope matters as much as vulnerability remediation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Pathlock: SAP August 2025 Patch Day security notes and mitigation guidance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org