SAP Security Note 3747787 addresses the Mini Shai-Hulud malware campaign targeting SAP-related npm packages used in SAP cloud development. The incident involved malicious versions of packages associated with SAP CAP and MTA development tooling, including mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. The compromised packages used a malicious preinstall script that executed during npm installation, downloaded the Bun runtime, and launched an obfuscated credential-stealing payload.

The malware was designed to steal developer, GitHub, npm, cloud, CI/CD, and service account credentials from developer workstations and build environments. It also attempted to propagate by using stolen tokens to publish itself to other npm packages and created GitHub repositories in victim accounts as part of the exfiltration process. The payload also added persistence mechanisms through IDE and AI coding tool configuration files, including VS Code and Claude Code hooks, which could re-trigger execution when a compromised repository was opened.

SAP Security Note 3747787 should be treated as an urgent supply-chain security advisory for organizations using SAP CAP, SAP BTP development pipelines, MTA build tooling, or npm-based SAP development workflows. The key risk is not limited to the affected packages themselves; any system that installed the malicious versions may have exposed credentials, source code access, deployment permissions, and CI/CD secrets. Removing or downgrading the package alone may not be sufficient if persistence files or stolen credentials remain in use.

Recommended actions include identifying whether the affected package versions were installed in developer machines, CI/CD runners, build agents, containers, artifact repositories, or lockfiles; removing or replacing compromised versions with clean releases; searching for indicators of compromise such as suspicious GitHub repositories, unexpected commits, modified workflow files, and IDE configuration changes; and rotating all credentials that may have been exposed. Affected systems should be treated as potentially compromised, especially where privileged npm, GitHub, cloud, or deployment credentials were present.

In summary, SAP Security Note 3747787 responds to a targeted npm supply-chain attack against the SAP development ecosystem. The note is important because the attack affected trusted development packages, executed automatically during installation, targeted high-value developer and CI/CD credentials, and created a risk of further propagation across repositories and package ecosystems.

SAP Security Note 3724838 patches a Hot News SQL injection vulnerability in SAP S/4HANA, specifically SAP Enterprise Search for ABAP. The vulnerability is tracked as CVE-2026-34260 and affects SAP_BASIS releases 7.51 through 7.58 and SAP_BASIS 8.16.

The vulnerability occurs because user-controlled input in an affected parameter is passed to the underlying database without proper validation or sanitization. As a result, an authenticated attacker could inject malicious SQL statements into database queries generated by the application. Successful exploitation may allow unauthorized access to sensitive database information and could potentially cause the application to crash.

The vulnerability has a high impact on confidentiality and availability. Sensitive data may be exposed through unauthorized database access, and application stability may be affected if malicious SQL causes service disruption. Integrity is not impacted, meaning the vulnerability is not expected to allow unauthorized modification of data.

The correction in the note validates user input before it is passed to the database, preventing malicious SQL from being executed.

SAP Security Note 3733064 addresses a missing authentication check vulnerability in SAP Commerce Cloud configuration, tracked as CVE-2026-34263. The issue is caused by an improper Spring Security configuration with overly permissive access rules and incorrect rule ordering, which may allow unauthenticated access to sensitive configuration upload functionality.

The vulnerability could allow an unauthenticated attacker to upload a malicious configuration and inject code. When the malicious input is later processed by a legitimate user, it may result in arbitrary server-side code execution. This creates a serious risk to the affected SAP Commerce Cloud application because successful exploitation can compromise confidentiality, integrity, and availability.

The main risk is that an attacker may be able to execute unauthorized code on the server without first authenticating to the application. This could lead to unauthorized access to sensitive data, manipulation of application behavior or configuration, and disruption of system availability. The vulnerability is especially critical because it affects sensitive administrative functionality related to Backoffice configuration upload.

SAP has addressed the vulnerability by disabling configuration upload functionality by default, preventing unauthenticated access to the affected endpoint and reducing the risk of malicious configuration-based code execution. Organizations should apply the relevant SAP Commerce Cloud patch release as soon as possible.

The fix is available in the following releases: SAP Commerce Cloud 2205.49, 2211.51, and 2211-jdk21.10. Organizations should also review FAQ document 3746113 for detailed guidance on the vulnerability and required remediation actions.

SAP Security Note 3732471 fixes a high-risk OS command injection vulnerability in SAP Forecasting & Replenishment, tracked as CVE-2026-34259. The vulnerability could allow an authenticated attacker with administrative authorizations to abuse a non-remote-enabled function to execute arbitrary operating system commands.

The issue is caused by insufficient control over operating system commands executed through function module input parameters, including input sourced from an upstream component. Successful exploitation could allow the attacker to read, modify, or delete system data, execute unauthorized commands at the operating system level, or shut down the system.

This vulnerability has a severe impact because it can lead to complete compromise of confidentiality, integrity, and availability. An attacker with the required access could potentially gain control over the affected system environment, alter business-critical data, disrupt application operations, or use the compromised host as a foothold for further attacks.

SAP has corrected the issue by adding authorization checks and screening operating system commands before execution. Organizations using SAP Forecasting & Replenishment should implement the relevant Correction Instructions or Support Packages referenced in SAP Security Note 3732471 as soon as possible to reduce the risk of OS command execution and full system compromise.

The post SAP Security Notes, May 2026 appeared first on Layer Seven Security.

The NPM ecosystem is the collection of tools, packages, and services for npm, the default package manager for Node.js. At the center of the ecosystem is the npm registry, a public repository of reusable JavaScript and TypeScript packages. Developers use npm to install libraries, frameworks, command-line tools, build utilities, and application dependencies.  

Node.js is a runtime environment for JavaScript and widely used in SAP applications for cloud-native SAP extensions, integrations, APIs, and user-facing applications. It is especially common in SAP Business Technology Platform (BTP) developments. The SAP Cloud Application Programming Model (CAP) supports Node.js. Developers use Node.js to build service layers, business logic, REST/OData APIs, and extensions for SAP applications. Node.js is also often used to build side-by-side extensions for SAP S/4HANA, SAP SuccessFactors, SAP Ariba, SAP Fieldglass, and other SAP solutions on SAP BTP. Node.js applications can call SAP APIs, consume OData services, connect to SAP Integration Suite, and exchange data with SAP and non-SAP systems. Node.js modules are often packaged as Multi-Target Applications (MTA) in SAP cloud applications.

The installation of the compromised npm packages for Node.js can lead to the theft of sensitive credentials. This includes GitHub tokens, npm tokens, and cloud credentials. Mini Shai-Hulud uses public GitHub repositories for encrypted data exfiltration and may attempt to propagate through developer repositories or tooling configurations.

The affected packages include @cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, and mbt v1.2.48.

Attack Details

• A malicious .vscode/tasks.json file is added with “runOn”: “folderOpen”, causing code to execute automatically when the folder is opened in VS Code.
• A modified .claude/settings.json is added with a SessionStart hook that runs when a Claude Code session begins.
• Both mechanisms download the Bun runtime and execute an obfuscated 11.2 MB JavaScript file (execution.js) with full user privileges.
• In CI, the release pipeline is tampered with to exfiltrate npm OIDC credentials and publish trojanized packages.

Recommended Actions

1. Do NOT open the cds-dbs directory (cap-js/sqlite) in VS Code or Claude Code. The attack relies on automatic execution triggers that immediately run malicious code when the project is opened.
2. Verify whether your system has been impacted.
   
   Using a shell outside of any IDE, execute:
   
   ls path/to/cds-dbs/.claude/setup.mjs path/to/cds-dbs/.vscode/setup.mjs 2>/dev/null
   
   If any of these files are present, treat the system as compromised and proceed with incident response steps.

3. Do NOT pull updates or switch branches in this repository.
4. Identify whether affected SAP npm packages or versions were installed in developer workstations, build agents, or CI/CD pipelines.
5. Remove or upgrade compromised packages to clean versions.
6. Rotate GitHub, npm, cloud, CI/CD, and service account credentials that may have been exposed.
7. Review GitHub repositories for suspicious commits, workflow changes, .vscode/tasks.json, .claude/settings.json, or unexpected dependency updates.
8. Audit CI/CD logs, npm install activity, GitHub token usage, and cloud access events around the suspected exposure window.

Software Supply Chain Governance

The Mini Shai-Hulud malware campaign illustrates the growing risk of software supply chain attacks against modern SAP development environments. Rather than exploiting a vulnerability in SAP solutions directly, the campaign targets open-source npm packages used in SAP cloud development workflows, demonstrating how malicious code can enter an organization through trusted development tools, third-party libraries, and build pipelines.

This risk is not limited to custom SAP applications. Third-party applications that integrate with SAP solutions can also introduce exposure if they rely on compromised open-source components or libraries, potentially creating indirect paths to sensitive credentials, application data, repositories, or cloud environments. Mini Shai-Hulud reinforces the need for stronger governance over open-source dependencies, package sources, CI/CD pipelines, and developer credentials.

Unlike solutions that depend on open-source components, the Cybersecurity Extension for SAP from Layer Seven Security is completely closed-source and does not use open-source components, making it less vulnerable to software supply chain attacks that exploit public package ecosystems.

The post Mini Shai-Hulud: Malware Targeting the Software Supply Chain for SAP Development Tools appeared first on Layer Seven Security.

For organizations that rely on both SAP and Splunk, integrating SAP security logs with Splunk is an important step toward achieving unified enterprise threat detection for Security Operations Centers (SOC). However, direct integration is challenging due to the complexity of multiple SAP log sources, inconsistent log formats, high raw data volumes, ongoing maintenance demands, increased storage and licensing costs, and limited native enrichment for effective cross-platform threat correlation. As a result of the challenges detailed below, SOC teams often struggle to successfully connect SAP endpoints with Splunk.

Complexity of SAP log sources

SAP systems generate security-relevant events across multiple logs, including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and Read Access Log, as well as logs for HANA, BTP, Java, and other solutions. This makes direct integration with Splunk complex, especially across large SAP landscapes.

Lack of standardized log formats

SAP logs differ in format, structure, and storage method. Some logs are file-based, while others are stored in SAP tables. This creates challenges for consistent parsing, normalization, and ingestion into Splunk.

High log volume

Large SAP environments can generate very high volumes of raw log data. Transmitting this data to Splunk can increase network bandwidth usage, storage requirements, and SIEM licensing costs.

Integration maintenance burden

Organizations must maintain multiple integration points between SAP systems and Splunk. This includes managing connectivity, log collection, parsing rules, data retention, and archiving.

Limited enrichment in native SAP logs

Many SAP logs do not include the context needed for effective correlation in Splunk, such as source IP addresses, destination IP addresses, user context, system context, or business process details.

Difficult cross-platform correlation

SOC teams may struggle to correlate SAP activity with non-SAP telemetry from endpoints, networks, cloud platforms, identity systems, and other enterprise security tools.

Scalability challenges in large SAP landscapes

The complexity increases significantly when organizations need to integrate logs from multiple SAP systems, environments, applications, and instances.

Cost control

Sending large volumes of raw SAP log data into Splunk can increase infrastructure, storage, and licensing costs.

Operational noise

Raw SAP logs can contain large amounts of low-priority or repetitive events. Without filtering, normalization, and enrichment, SOC teams may face alert fatigue and reduced detection efficiency.

Reduced investigation efficiency

When SAP logs are incomplete, inconsistent, or difficult to correlate, analysts may need to manually investigate events across multiple SAP tools and Splunk searches, slowing incident response.

A further challenge is the lack of predefined rules in Splunk to detect SAP-specific threats. Splunk may centralize SAP logs, but it does not provide the intelligence required to interpret SAP events in the logs to identify threats. As a result, SOC teams often develop and maintain their own SAP-specific detection rules, despite lacking the specialized SAP security expertise required to do so effectively. This can lead to security blind spots and reduce the ability to successfully detect SAP threats.

These challenges can be addressed by integrating SAP logs with Splunk using the Cybersecurity Extension for SAP (CES). CES provides more than 1,200 out-of-the-box patterns for identifying threats in SAP solutions, enabling SOC teams to monitor SAP logs immediately without investing extensive time and effort in building and maintaining custom detection rules. It delivers the SAP-specific intelligence needed to interpret log activity in Splunk, while monthly updates keep detection content aligned with new threats and vulnerabilities affecting SAP solutions. CES generates and forwards alerts to Splunk in real time, and filters, normalizes, and enriches data before it reaches Splunk. This provides a simpler, faster, and more effective approach for integrating SAP security events with Splunk.

Data can be streamed from CES to Splunk using either the Universal Forwarder or Heavy Forwarder for Splunk. Both are software log collection agents. The Universal Forwarder is a more lightweight agent than the Heavy Forwarder and therefore consumes fewer system resources. The Heavy Forwarder can parse, transform, and even index data locally. However, these functions are not required by CES. The Heavy Forwarder requires higher resources than the Universal Forwarder. As an alternative to the Forwarders, data can be forwarded from CES to Splunk via Syslog (rsyslog). This method may be required if it is not possible to install the Universal Forwarder on the target SAP server.

Once the agent is installed and configured in the host for CES, it will stream data from CES to Splunk. The next step is to create an index in Splunk for CES. An index is a logical storage location where Splunk stores incoming data after it has been ingested and processed. When Splunk receives log or event data, it breaks the data into searchable events and stores them in the target index. Users can query the index to find, analyze, correlate, and report on data.

The final step is to install the Splunk app for the Cybersecurity Extension for SAP. The app is available on Splunkbase. Splunk apps are addons that include predefined data models, configurations, dashboards and reports for specific use-cases. They help to accelerate deployment, reduce operational effort, and improve adoption. The Splunk app for CES is installed as a .tgz package using either the Splunk Web Interface or Command Line Interface (CLI).  Once installed, you can access the app from the Splunk App menu.

The app parses the data from the CES index and provides preconfigured dashboards to analyze and manage results. The results are structured into three domains: Alerts, Vulnerabilities, and Security Notes. Each domain can be analyzed separately. Alerts are based on pattern matches for threat detection rules applied by CES. Rules can be tuned using exclusion rules in CES to reduce noise and false positives. They can be analyzed and filtered based on date, time, system, environment, priority, and other criteria. Vulnerabilities are system and user-related security weaknesses in SAP solutions detected by CES based on daily automated security scans using a library of 3000+ SAP-related checks.  Security notes are relevant, unapplied security patches calculated by CES. The app tracks the implementation status of security notes across SAP systems.

The app enables users to drill down from summary tiles and dashboards into detailed results for alert triage. These detailed results provide the context needed to answer the five Ws of security alerts:

Who
Identifies the user, service account, role, host, IP address, or system involved.

What
Describes the activity that occurred, such as a failed login, privilege change, suspicious command, vulnerable function call, data access, configuration change, or policy violation.

When
Shows when the event occurred, including the date, time, timezone, frequency, and whether the activity took place inside or outside normal operating hours.

Where
Identifies where the event occurred, such as the SAP system, client, application server, database, endpoint, cloud service, network segment, source location, or destination system.

Why
Explains the risk, business impact, and recommended investigation steps.

Status changes for alerts, vulnerabilities, and security notes are synchronized between CES and Splunk, ensuring that Splunk results remain current and reflect updates made by administrators in CES. Results are refreshed at regular intervals to further strengthen synchronization between the two solutions. The refresh rate can be adjusted to meet each organization’s specific requirements.

Integrating SAP logs with Splunk is more than a technical exercise. It is an opportunity to extend enterprise security monitoring to the systems that support an organization’s most critical business processes. By using CES to detect, filter, normalize, enrich, and forward SAP security events to Splunk, organizations can reduce integration complexity, lower operational overhead, and provide SOC teams with the SAP-specific intelligence needed to detect and respond to threats more effectively. The result is a faster, more scalable, and more actionable approach to SAP threat monitoring in Splunk.

The post From SAP Logs to Security Intelligence: Integrating SAP with Splunk appeared first on Layer Seven Security.

The April 2026 SAP Security Patch Day delivered a focused but significant set of updates, led by a critical SQL injection vulnerability. This flaw, covered by Hot News note 3719353, affects SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) and is caused by an insufficient authorization check in a user upload program. The patch resolves the issue by deactivating the executable code. Additionally, a high-risk vulnerability was patched in SAP ERP and S/4HANA via note 3731908, which addresses a missing authorization check that could allow attackers to overwrite ABAP reports. The month’s updates also included several lower-priority notes for missing authorization checks in S/4HANA and patches for Open Redirect, information disclosure, and code injection vulnerabilities across the SAP landscape.

Key Takeaways

• A critical SQL injection vulnerability was patched in SAP BPC and BW (Note 3719353).
• A high-risk authorization flaw in SAP ERP and S/4HANA could lead to report overwrites (Note 3731908).
• Multiple lower-priority notes address missing authorization checks in S/4HANA.
• Patches were also released for Open Redirect, information disclosure, and code injection flaws.
• A temporary workaround for the critical SQL injection is to restrict access to authorization object S_GUI.
  
  

What Are the Most Significant Vulnerabilities for April 2026?

The April 2026 SAP security notes are highlighted by a critical SQL injection vulnerability and a high-risk authorization flaw. The table below summarizes the most important patches released.

What Is the Critical SQL Injection Vulnerability?

Hot News note 3719353 patches a critical SQL injection vulnerability found in SAP Business Planning and Consolidation and SAP Business Warehouse. The issue is caused by an insufficient authorization check for user uploads within a specific ABAP program. The official fix deactivates the executable code in the program, which prevents it from being executed by any user. As a temporary workaround, administrators can restrict access to the authorization object S_GUI with activity 60.

What Other High-Risk Vulnerabilities Were Patched?

Note 3731908 addresses a high-risk missing authorization check in SAP ERP and S/4HANA. This vulnerability could be exploited to overwrite ABAP reports, which would impact their availability. A recommended workaround is to restrict access to the vulnerable programs, RGJVCORG and RGJVCORX, using authorization groups.

In addition, several other lower-priority security notes were released to fix missing authorization checks in S/4HANA, including 3703813, 3715177, 3715097, 3711682, 3530544, and 3716767.

What Other Flaws Were Addressed in April 2026?

SAP also released patches for several other vulnerabilities across its product suite:

• Open Redirect: Note 3692004 fixes an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP that could be used to redirect users to malicious websites.
• Information Disclosure: Note 3680767 addresses a flaw in SAP Human Capital Management (HCM) for S/4HANA that could leak sensitive information. A separate note, 3730639, patches an information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer related to mTLS for X.509 Certificates.
• Code Injection: Note 3719397 fixes a code injection vulnerability in the Web Dynpro runtime of SAP NetWeaver Application Server Java, which could be exploited to compromise user sessions.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability for April 2026?
The most critical vulnerability was a SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse, addressed by Hot News note 3719353. It resulted from insufficient authorization checks for user uploads.

How can the critical SQL injection vulnerability be mitigated without patching?
As a temporary workaround, administrators can restrict user access to the authorization object S_GUI with activity 60 to prevent the vulnerable upload functionality from being used.

Which SAP products were affected by high-risk authorization issues?
SAP ERP and SAP S/4HANA were affected by a high-risk missing authorization check (Note 3731908) that could allow for the overwriting of ABAP reports. Multiple other lower-priority authorization issues were also patched in S/4HANA.

The post SAP Security Notes April 2026: Critical SQL Injection and High-Risk Flaws Patched appeared first on Layer Seven Security.

Moving Fiori applications like the Cybersecurity Extension for SAP from the traditional embedded model to SAP BTP offers significant advantages. While the embedded model simplifies landscapes by keeping frontend and backend components together, it often restricts innovation due to the limitations of older backend systems like ECC. Deploying on SAP BTP decouples the frontend, enabling modern user experiences with Horizon themes, and aligns with SAP’s “clean core” strategy by externalizing customizations. This cloud-based approach also unlocks advanced capabilities from SAP AI Core and the Generative AI Hub, such as intelligent analysis and conversational interfaces. The complete process to deploy the extension on SAP BTP’s Build Work Zone is a 45-minute, three-part procedure covering landscape preparation, CLI-based installation, and final Work Zone configuration.

Key Takeaways

• Deploy on SAP BTP to overcome the limitations of the traditional embedded model.
• BTP enables modern user experiences, a “clean core” strategy, and AI integration.
• The extension is deployed as a .mtar file using the Cloud Foundry CLI.
• The process involves three stages: Prepare, Install, and Configure.
• Total deployment and configuration time is approximately 45 minutes.

Why Deploy on SAP BTP Instead of the Embedded Model?

The first sentence of each paragraph should directly answer the question. The Cybersecurity Extension for SAP provides an SAP Fiori user experience that is usually deployed using the embedded Fiori model, which combines backend and frontend components in the same system. This model reduces landscape complexity, removes external communication for service calls, and can improve response times and stability. Operationally, the embedded model typically means fewer systems to maintain, monitor, and secure, and it simplifies lifecycle management.

However, the downside of the embedded model is that frontend applications are constrained by the limitations of backend systems. This can hold back innovation and the adoption of new capabilities in SAP Fiori applications. For example, the use of Horizon themes for a more unified user experience is only possible with higher versions of SAPUI5, which solutions like ECC cannot support with the embedded model.

SAP BTP overcomes these limitations by providing a separate cloud-based platform for Fiori applications. This supports user experience improvements and aligns with SAP’s strategy for a clean core by moving customizations to cloud extensions, leading to more stable SAP environments that are easier to maintain and upgrade. Deploying Fiori applications to SAP BTP also enables organizations to benefit from services available in SAP AI Core and Generative AI Hub for AI-driven analysis, predictive capabilities, and intelligent workflows.

Embedded Model vs. SAP BTP Deployment for Fiori Apps

This table compares the traditional embedded approach with deploying on the SAP BTP cloud platform.

What are the prerequisites for the SAP BTP landscape?

Before installing the extension, you must prepare your SAP BTP landscape, a process that takes about 45 minutes. Start by creating or confirming the subaccount in the SAP BTP Cockpit. Once the subaccount is created, complete the mandatory configuration.

• Verify Cloud Connector: Ensure the Cloud Connector is properly attached to the subaccount and its connection status is “established”.
• Confirm Destination: Confirm a destination named backend is present. Principal Propagation is the recommended authentication method for a trusted setup.
• Provision Cloud Foundry: Ensure your Cloud Foundry environment is provisioned. Create the instance and at least one space for deployments.
• Validate Entitlements: At the global account level, assign the SAP Build Work Zone entitlement to the target subaccount and confirm an active subscription.
• Assign Admin Roles: Assign the required admin role, such as the Launchpad_Admin role collection, to the operator who will configure the launchpad.

How do you install the extension using the Cloud Foundry CLI?

The Cybersecurity Extension for SAP is deployed as a .mtar archive via the Cloud Foundry command-line interface (CLI). First, install the SAP (Cloud Foundry) CLI on your workstation and add the HTML5 applications repository plugin.

Next, move the provided .mtar file into a working folder and open a command line in that directory. Log in to your Cloud Foundry organization and space by running cf login and following the prompts. Once the session is established, deploy the archive using the command cf deploy.

When the deployment completes, you can confirm the HTML5 apps were created by running cf html5-list. You can also verify the deployment visually by navigating to the HTML5 Applications area within your subaccount in the SAP BTP Cockpit.

How do you configure SAP Build Work Zone for the extension?

After installation, you must configure the SAP Build Work Zone site and user access. In your subaccount, open the SAP Build Work Zone subscription and launch the application. If no site exists, create one from the Work Zone entry point.

• Update Content Channel: In the Channel Manager, update the default content channel (HTML5).
• Import Content: The fastest path is to use the Content Manager to import the provided L7S content .zip file. After the import, you should see a bundle of objects including apps, a group, a page, a space, a role, and a catalog.
• Assign User Access: In the subaccount, assign the L7S role collection to the intended business users. Then, in the Work Zone Site Directory, confirm the site’s role assignment includes this role. Enabling multifactor authentication (MFA) for users via SAP Cloud Identity Services is highly recommended.

Once configured, log on to the site with a user who has the L7S role. The Cybersecurity Extension for SAP tile will be available in the launchpad.

Clicking the tile launches the application’s home screen.

Frequently Asked Questions (FAQ)

What is the embedded Fiori deployment model?
The embedded model is an architecture where SAP Fiori frontend components and the backend business logic reside on the same system. This approach simplifies the system landscape and reduces operational overhead but can limit the adoption of modern frontend technologies and innovations.

How long does it take to deploy the Cybersecurity Extension to SAP BTP?
The entire process, which includes preparing the BTP landscape, installing the extension via the CLI, and configuring the SAP Build Work Zone, typically takes around 45 minutes to complete for an experienced administrator.

What is a “clean core” in the context of SAP?
A “clean core” is an SAP strategy that advocates for keeping the core ERP system as standard and free of customizations as possible. Instead, custom developments and extensions are built on cloud platforms like SAP BTP, which makes the core system more stable and easier to upgrade.

What command is used to deploy the Cybersecurity Extension?
The extension is packaged as a .mtar file and is deployed to the SAP BTP Cloud Foundry environment using the cf deploy command from the SAP (Cloud Foundry) CLI.

The post How to Deploy the Cybersecurity Extension for SAP on SAP Build Work Zone appeared first on Layer Seven Security.

Layer Seven Security has successfully achieved certification under the CyberSecure Canada program, validating its strong cybersecurity posture and the application of recognized baseline security controls. This certification provides customers, especially those who rely on SAP systems, with independent assurance that Layer Seven Security operates within a structured and nationally recognized cybersecurity framework.

This certification reinforces Layer Seven Security’s commitment to maintaining robust internal security governance and operational safeguards. The CyberSecure Canada program was established by Innovation, Science and Economic Development (ISED) Canada and is based on controls developed by the Canadian Centre for Cyber Security. For organizations that depend on Layer Seven Security for SAP cybersecurity, this certification supports supply chain assurance, operational resilience, and simplifies vendor due diligence, third-party risk assessment, and procurement requirements. It provides customers with confidence in Layer Seven Security as a trusted, independently validated cybersecurity partner.

Key Takeaways

• Layer Seven Security is now certified under the Government of Canada’s CyberSecure program.
• The certification validates the company’s cybersecurity framework and controls.
• It provides special assurance for customers using SAP business-critical systems.
• Certification aids in vendor due diligence and third-party risk assessment.
• It demonstrates a commitment to reducing cyber risk and enhancing resilience.

What is the CyberSecure Canada Certification?

The CyberSecure Canada certification is a national program established by Innovation, Science and Economic Development (ISED) Canada to improve information security across the country. The program is based on a set of baseline cybersecurity controls developed by the Canadian Centre for Cyber Security, Canada’s authority on the subject. It is designed to provide organizations with a clear framework to protect against common cyber threats and demonstrate their commitment to security.

What Does This Certification Mean for SAP Customers?

For customers that rely on SAP systems to support business-critical processes, the certification provides independent validation that Layer Seven Security operates within a structured cybersecurity framework. It demonstrates that the company maintains robust internal security governance and operational safeguards. This government-backed national certification provides tangible assurance for vendor due diligence, third-party risk assessment, and procurement requirements, giving SAP customers confidence in Layer Seven Security as a trusted partner.

Which Security Controls Does the Certification Cover?

The certification addresses key threat scenarios and organizational cyber risk through practical and measurable safeguards. The control areas are designed to establish a foundational security baseline to reduce the likelihood and impact of compromise, service disruption, and data loss. These controls include:

• Incident response and recovery
• Automated patching
• Endpoint protection
• Secure configuration of devices and systems
• Identity and access management
• Multi-factor authentication
• Employee cybersecurity awareness
• Backup protection and encryption
• Perimeter defence
• Mobile device protection
• Secure use of cloud and outsourced IT services

Frequently Asked Questions (FAQ)

What is the CyberSecure Canada program?
CyberSecure Canada is a national cybersecurity certification program from the Government of Canada designed to help organizations improve their security posture by implementing a baseline of defined controls.

Why is this certification important for Layer Seven Security’s customers?
It provides independent, government-backed validation of Layer Seven Security’s internal security framework, which is crucial for vendor due diligence, third-party risk assessment, and procurement, especially for clients relying on SAP systems.

Who developed the security controls for the CyberSecure program?
The cybersecurity controls are developed from guidance published by the Canadian Centre for Cyber Security, which is part of the Communications Security Establishment.

The post Layer Seven Security Achieves CyberSecure Canada Certification appeared first on Layer Seven Security.

This advisory from Layer Seven Security summarizes the key patches released on March 10, 2026. The most critical vulnerabilities involve a Log4j issue in SAP Quotation Management Insurance, insecure deserialization in SAP NetWeaver, and a DoS risk in SAP SCM. These notes highlight the ongoing need for organizations to prioritize timely patching to secure their SAP landscapes from significant operational and security risks.

Key Takeaways for March 2026

• Critical Log4j Flaw: A command injection vulnerability in Apache Log4j bundled with SAP Quotation Management Insurance was patched under Hot News note 3698553.
• NetWeaver RCE: Hot News note 3714585 addresses a critical insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal that could allow remote code execution.
• High-Risk DoS: Note 3719502 patches a high-risk Denial of Service vulnerability in SAP Supply Chain Management.
• Total Patches: SAP released 14 security notes, including two Hot News, one high-priority, and 11 medium-priority issues.

What Are the Critical Vulnerabilities for March 2026?

SAP released two “Hot News” notes, reserved for the most critical vulnerabilities requiring immediate attention.

The first, note 3698553, patches a critical command injection vulnerability in Apache Log4j as bundled in SAP Quotation Management Insurance. The fix requires updating the package assembly for the FS-QUO-scheduler module to a secure version. As a temporary workaround, the log4j-1.2.17.jar file can be deleted from the {FS-QUO-scheduler}/lib directory.

The second, note 3714585, addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. This flaw could lead to malicious remote code execution through the upload of user-supplied content. The patch, which is only available for NetWeaver AS Java 7.50, validates input before processing to secure the deserialization logic. For older, unmaintained versions, SAP refers to note 3660659 for security hardening guidance. Access to roles like superadminrole, systemadminrole, and contentadminrole should also be restricted.

What Was the High-Risk Vulnerability Patched?

Note 3719502 was released to patch a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The patch applies input validation for calls to a specific vulnerable Remote Function Module (RFM) to prevent excessive resource consumption that could render the system unavailable. The Cybersecurity Extension for SAP provides monitoring for calls to this vulnerable RFM.

What Other Vulnerabilities Were Addressed?

The remaining 11 security notes address medium-priority issues across various SAP products. This includes vulnerabilities in SAP NetWeaver AS ABAP, such as Server-Side Request Forgery (SSRF) and missing authorization checks, covered in notes 3689080, 3704740, and 3703856.

Frequently Asked Questions (FAQ)

Q: How many SAP security notes were released in March 2026?
A: SAP released 14 new security notes in March 2026, including two critical “Hot News” notes, one high-priority note, and 11 medium-priority notes.

Q: What was the most critical vulnerability patched in March 2026?
A: The most critical vulnerability was a command injection flaw in Apache Log4j bundled with SAP Quotation Management Insurance, addressed by Hot News note 3698553. This vulnerability allows for remote code execution.

Q: Is there a patch for the NetWeaver RCE vulnerability on older versions?
A: No, the direct patch for the insecure deserialization vulnerability (note 3714585) is only available for NetWeaver AS Java 7.50. For earlier versions, customers must apply security hardening measures as detailed in SAP note 3660659.

The post SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched appeared first on Layer Seven Security.

State-sponsored cyber attacks are a rapidly increasing threat to SAP solutions, driven by rising geopolitical tensions. Attackers target mission-critical SAP systems for espionage and sabotage, exploiting their wide attack surface and slow enterprise patching cycles. Defending these vital systems requires specialized vulnerability management, real-time threat detection, and a focused effort to harden specific SAP configurations against sophisticated adversaries.

Amid a tense global landscape, recent threat intelligence reports paint a stark picture of escalating state-sponsored cyber operations. According to the 2025 State of Information Security Report, 88% of security leaders are concerned about this threat. Data from CrowdStrike’s 2025 Global Threat Report shows a 150% increase in China-nexus threat activity, while their 2026 report noted a 266% surge in state-nexus intrusions in cloud environments. Similarly, Microsoft’s 2025 Digital Defense Report identified a 25% year-over-year increase in Russian operations against NATO-aligned countries. This heightened activity makes SAP environments, which house an organization’s most valuable data and processes, a primary target for espionage and disruption. Effective defense hinges on moving beyond generic security and adopting SAP-specific tools and practices to manage vulnerabilities and monitor for threats continuously.

Key Takeaways

• State-sponsored cyber attacks are increasing, with significant growth in activity attributed to China, Russia, and Iran.
• SAP systems are prime targets for espionage and sabotage due to their critical role and the high-value data they process.
• Threat actors exploit SAP vulnerabilities within 72 hours of disclosure, far outpacing typical enterprise patching cycles.
• Attackers often abuse legitimate SAP functions like RFC communications, service accounts, and transport processes to remain undetected.
• Effective defense requires SAP-specific tools for continuous vulnerability management and real-time threat detection.

What Evidence Shows an Increase in State-Sponsored Cyber Attacks?

Multiple leading cybersecurity reports confirm a dramatic rise in state-sponsored threat activity. Concerns are widespread, with the 2025 State of Information Security Report finding that 88% of cybersecurity leaders are worried about nation-state attacks.

Recent intelligence provides specific figures:

• China: CrowdStrike’s 2025 Global Threat Report detailed a 150% increase in China-nexus threat activity across sectors, with seven new adversary groups identified.
• Russia: The 2025 Digital Defense Report from Microsoft reported a 25% year-over-year increase in Russian state-linked cyber operations targeting NATO-aligned countries, focusing on government, IT, and research sectors.
• Iran: Mandiant’s 2025 M-Trends Report identified a 35% increase in malware attributed to Iran-nexus actors.
• Cloud Environments: The CrowdStrike 2026 Global Threat Report found a 266% increase in intrusions by state-nexus actors in cloud environments.

A 2026 report from the Google Threat Intelligence Group also highlighted that these actors are targeting not just IT infrastructure but also personally-identifiable information to compromise key individuals.

Why Are SAP Environments a Primary Target for Nation-States?

SAP environments are disproportionately affected by nation-state cyber activity because they are the operational core of an organization. These systems support mission-critical processes, store vast amounts of high-value data, and provide privileged integration paths to other critical solutions. Compromising an SAP system allows state-sponsored actors to perform espionage by exfiltrating sensitive data or conduct sabotage by disrupting the availability of essential resources. Furthermore, a breached SAP system can serve as a pivot point to attack connected systems and compromise both internal and external supply chains.

What Factors Amplify the Risk to SAP Solutions?

The risks to SAP solutions are amplified by a combination of their inherent complexity and common security management challenges. A primary factor is the wide attack surface, which includes APIs, cross-platform dependencies (database, OS), middleware, and integrations with identity providers.

This risk is compounded by two critical issues:

• Volume of Vulnerabilities: The constant discovery of new vulnerabilities in SAP solutions presents an ongoing challenge.
• Speed of Exploitation vs. Patching: Research from 2025 showed that threat actors exploit SAP vulnerabilities within 72 hours of public disclosure. In contrast, the average time for organizations to apply security patches is measured in weeks or months. This gap creates a significant window of opportunity for attackers. The 2026 CrowdStrike Global Threat Report noted that 42% of vulnerabilities are exploited even before public disclosure.

What Attack Methods Do State-Sponsored Actors Use Against SAP?

Nation-state actors often prefer attack methods that blend in with legitimate administrative behavior, making them difficult to detect. In SAP landscapes, this involves the abuse of standard system functions and processes.

Commonly abused access paths include:

• Trusted communications (RFC)
• Change management and system administration
• Batch/background jobs
• Transport processes
• Service accounts
• Remote support channels

How Can Organizations Harden SAP Systems Against These Threats?

To counter these tactics, it is critical to identify and address specific technical vulnerabilities within the SAP landscape. Hardening efforts should focus on restricting the functions that attackers commonly abuse. The following table outlines key attack vectors and corresponding hardening recommendations.

How Can Organizations Detect Malicious Activity in SAP?

Effective detection requires integrating SAP telemetry with security data from other endpoints, such as firewalls and identity systems. This correlation helps security teams distinguish between normal SAP events and malicious actions. Anomaly-based monitoring is also highly recommended to detect unusual system and user events that could indicate a compromise.

How Does the Cybersecurity Extension for SAP (CES) Help?

The Cybersecurity Extension for SAP (CES) is a specialized solution that enables organizations to detect and respond to state-sponsored threats in real time. It combines continuous vulnerability management with advanced threat detection tailored for SAP landscapes (on-premise, cloud, and hybrid). CES provides security teams with deeper context than generic tools by monitoring a broad set of SAP-specific telemetry, including application and infrastructure logs.

A key advantage of CES is its ability to reduce the attack surface. It performs scheduled scans for thousands of SAP vulnerabilities and misconfigurations, detects users with excessive privileges, and provides actionable remediation guidance. CES also identifies missing patches for vulnerabilities listed in the CISA KEV catalog.

For threat detection, CES uses both pattern matching and anomaly detection to identify indicators of compromise. Alerts are integrated with enterprise SIEM platforms, enabling SOC teams to correlate SAP activity with events across the entire network for a unified defense.

Frequently Asked Questions (FAQ)

Q: How quickly are SAP vulnerabilities being exploited?
A: Research from 2025 indicates that threat actors are exploiting newly disclosed SAP security vulnerabilities within 72 hours. This rapid exploitation far outpaces typical enterprise patching timelines, which are often measured in weeks or months, creating a significant window of risk.

Q: What kind of data are state-sponsored actors targeting?
A: State-sponsored actors target mission-critical business data for espionage and sabotage. Additionally, a 2026 Google Threat Intelligence Group report highlighted that they also target personally-identifiable information (PII), which can be used to compromise specific individuals within an organization.

Q: Why are generic security tools not enough for SAP?
A: Generic security tools typically focus on network and host-level activity and lack deep context into SAP’s specific architecture. SAP-specific solutions like the Cybersecurity Extension for SAP monitor a broader set of telemetry, including application logs, to identify vulnerabilities, misconfigurations, and indicators of compromise that are unique to the SAP environment.

The post State-Sponsored Cyber Attacks on SAP: A Guide to Threats and Defenses appeared first on Layer Seven Security.

The February 2026 SAP Security Notes patch day released a significant number of fixes, with two marked as “Hot News” due to their critical nature. The most severe is a code injection vulnerability detailed in note 3697099, affecting SAP S/4HANA and SAP CRM. This flaw allows attackers to execute arbitrary SQL statements, potentially leading to a full database compromise. The second critical issue, covered in note 3674774, is a missing authentication check for background RFCs in SAP NetWeaver AS ABAP, which could allow unauthorized function execution. Additional high-priority patches address an XML Signature Wrapping vulnerability in NetWeaver, information disclosure, and denial of service vulnerabilities in SAP BusinessObjects.

Key Takeaways

• A critical code injection vulnerability in SAP S/4HANA and CRM was patched.
• A missing authentication check in SAP NetWeaver AS ABAP for background RFCs was fixed.
• Note 3697567 addresses an XML Signature Wrapping vulnerability.
• Patches were also released for information disclosure in the ST-PI Addon.
• Vulnerabilities including open redirect and denial of service were fixed in SAP BusinessObjects.

What Are the Most Critical SAP Vulnerabilities for February 2026?

The most critical vulnerabilities patched in February 2026 are two “Hot News” notes impacting core SAP systems. These require immediate review and patching to mitigate the risk of exploitation.

The first, detailed in note 3697099, is a critical code injection vulnerability in the Scripting Editor component of SAP S/4HANA and SAP CRM. It allows an attacker to execute arbitrary SQL statements by calling function modules, which could lead to a full compromise of the database. As a temporary workaround, SAP suggests deactivating the CRMICISE ICF service.

The second, covered by note 3674774, addresses a critical missing authentication check for background RFCs (tRFC and qRFC) in SAP NetWeaver AS ABAP. This could allow a low-privileged user to execute functions without proper authorization. To fully enable the fix, the profile parameter rfc/authCheckInPlayback must be set to the value 2 in addition to applying the support package.

What Other Notable SAP Patches Were Released?

Beyond the two critical “Hot News” items, SAP released several other important security patches for NetWeaver and BusinessObjects.

Note 3697567 enhances verification for XML signatures to fix an XML Signature Wrapping vulnerability in NetWeaver AS ABAP. This could prevent attackers from manipulating signed documents to gain unauthorized access. A potential workaround involves disabling SAML and using alternative authentication methods.

An information disclosure vulnerability in the ST-PI Addon for NetWeaver AS ABAP is patched by note 3705882. This flaw could be exploited to obtain sensitive system information.

Finally, a series of notes including 3674246, 3678282, and 3654236 address multiple open redirect and denial of service vulnerabilities within SAP BusinessObjects.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability for February 2026?
The most critical vulnerability was a code injection flaw in SAP S/4HANA and SAP CRM, covered by Hot News note 3697099. It allows for arbitrary SQL execution via the Scripting Editor.

How do I fix the missing authentication check in SAP NetWeaver?
To fix the vulnerability from note 3674774, you must apply the recommended support package and set the profile parameter rfc/authCheckInPlayback to the value 2 to enforce stronger authorization checks.

What systems were affected by the February 2026 patches?
Key systems affected include SAP S/4HANA, SAP CRM, SAP NetWeaver AS ABAP, and SAP BusinessObjects.

The post SAP Security Notes February 2026: Critical Code Injection and Authentication Flaws appeared first on Layer Seven Security.

The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial institutions to ensure their Information and Communications Technology (ICT) systems can withstand, respond to, and recover from disruptions. For organizations using SAP for critical functions, this means SAP solutions must be governed, monitored, and tested to meet DORA’s stringent standards for operational resilience.

This guide explains how the EU’s Digital Operational Resilience Act (DORA) impacts SAP solutions and outlines a clear path to achieving compliance. DORA mandates a comprehensive framework for ICT risk management, incident reporting, resilience testing, and third-party risk oversight, all of which apply to the SAP systems that underpin core financial operations. Because SAP often handles critical processes like procurement, HR, and finance, it falls directly within the scope of DORA’s requirements. Achieving compliance involves integrating SAP into a broader ICT governance strategy, implementing continuous monitoring and testing, and managing risks from third-party providers like hosters and system integrators. Specialized tools can streamline this process by automating vulnerability management, threat detection, and compliance reporting specific to the SAP environment.

Key Takeaways

• DORA is a mandatory EU regulation for the financial sector, effective as of January 17, 2025, to strengthen ICT operational resilience.
• SAP systems that support critical business functions like finance and HR are in scope for DORA compliance.
• Compliance is structured around five key pillars: ICT Risk Management, Incident Reporting, Resilience Testing, Third-Party Risk, and Information Sharing.
• Organizations must integrate SAP solutions into their overall ICT risk governance, security operations (SOC), and supplier management processes.
• Specialized solutions like the Cybersecurity Extension for SAP can help automate monitoring, testing, and reporting to meet DORA requirements.

What are the Five Pillars of DORA?

DORA’s core objective is to ensure the continuity and integrity of financial services by strengthening resilience against ICT risks and cyberattacks. The regulation is built upon five interconnected pillars that create a comprehensive framework for digital operational resilience.

• ICT Risk Management: Establish a comprehensive governance and control framework to manage all ICT assets, including detailed policies for protection, detection, response, and recovery.
• Incident Management and Reporting: Implement consistent processes for managing, classifying, and reporting all ICT-related incidents, with mandatory reporting for major disruptions.
• Digital Operational Resilience Testing: Conduct regular vulnerability assessments and penetration testing, with a focus on the critical functions that support essential business services.
• Third-Party Risk Management: Enforce strict oversight for all ICT vendors and service providers, including cloud hosters, software providers, and outsourced services.
• Information Sharing: Participate in arrangements to share cyber threat intelligence and information to help strengthen the resilience of the entire financial sector.

How Does DORA Impact SAP Solutions?

For most financial services organizations, SAP solutions are the backbone of critical operations, including procurement, supplier management, human resources, and finance. As such, they are a significant part of the ICT landscape that DORA governs. The regulation effectively requires organizations to treat their SAP solutions as regulated platforms, demanding a higher standard of control, monitoring, and reporting.

Under DORA, SAP systems require tight integration with the organization’s broader resilience strategy, including:

• ICT Risk Governance: SAP-specific risks must be identified, and key risk indicators (KRIs) must be defined, monitored, and tested.
• SOC Operations: Security incidents within SAP must be detected, triaged, and handled in coordination with the central Security Operations Center.
• Service Management: All changes to SAP systems must go through formal approval, with evidence and testing to ensure they do not introduce new risks.
• Supplier Management: Risks associated with SAP hosting providers, system integrators, and external API connections must be actively managed.

How Does the Cybersecurity Extension for SAP Support DORA Compliance?

The Cybersecurity Extension for SAP (CES) is a solution designed to help organizations meet DORA’s requirements by identifying risks, detecting threats, and verifying compliance within their SAP landscape. The platform provides measurable, auditable evidence of security controls across all five pillars of DORA.

The following table details how the features of the Cybersecurity Extension for SAP map to the five pillars of DORA:

By implementing a solution like the Cybersecurity Extension for SAP, organizations can strengthen their digital resilience, reduce their exposure to cyber risks, and ensure their SAP solutions are secure, monitored, and audit-ready for DORA compliance.

Frequently Asked Questions (FAQ)

What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is a regulation from the European Union designed to strengthen the cybersecurity and operational resilience of financial entities. It establishes a unified framework for managing ICT risks to ensure firms can withstand and recover from severe digital disruptions.

Do SAP systems need to be DORA compliant?
Yes, if an SAP system supports critical functions (e.g., finance, procurement, HR) within a financial institution in the EU, it falls under the scope of DORA. The organization is responsible for ensuring the resilience and security of the entire ICT landscape, including its SAP solutions.

What are the main requirements of DORA?
DORA’s main requirements are organized into five pillars: ICT Risk Management, Incident Management and Reporting, Digital Operational Resilience Testing, Third-Party Risk Management, and Information Sharing. These pillars mandate a comprehensive approach to identifying risks, testing defenses, reporting incidents, and managing vendors.

The post Digital Operational Resilience Act (DORA) Compliance for SAP Solutions appeared first on Layer Seven Security.