<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog - Layer Seven Security</title>
	<atom:link href="http://www.layersevensecurity.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.layersevensecurity.com/blog/</link>
	<description></description>
	<lastBuildDate>Tue, 09 Jun 2026 18:23:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.layersevensecurity.com/wp-content/uploads/2026/02/favicon-1.png</url>
	<title>Blog - Layer Seven Security</title>
	<link>https://www.layersevensecurity.com/blog/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>SAP Security Notes, June 2026</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-june-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 18:23:43 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17952</guid>

					<description><![CDATA[<p>SAP security note 3746332 addresses CVE-2026-44748, an XML Signature Wrapping vulnerability in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability allows an authenticated low-privileged attacker to obtain a valid signed SAML or signed XML message, manipulate the XML structure, and submit a modified document that may still pass signature validation if [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-june-2026/">SAP Security Notes, June 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3746332" target="_blank" rel="noreferrer noopener">SAP security note 3746332</a> addresses CVE-2026-44748, an XML Signature Wrapping vulnerability in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability allows an authenticated low-privileged attacker to obtain a valid signed SAML or signed XML message, manipulate the XML structure, and submit a modified document that may still pass signature validation if the verifier processes unsigned or attacker-controlled identity elements. Successful exploitation could result in tampered SAML assertions being accepted by the SAP system, enabling unauthorized access to sensitive user data, privilege misuse, identity impersonation, and disruption of normal application processing. The issue affects the trust boundary between XML signature verification and SAML identity consumption, making it particularly relevant for systems using SSO, Web Service Security, or federated authentication. SAP has corrected the affected functions to enforce proper XML signature validation and recommends implementing the correction instructions or relevant Support Packages. Disabling SAML authentication is available as a temporary workaround but should only be used after assessing operational impact, as the permanent remediation is to apply the SAP-provided corrections.</p>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3717897" target="_blank" rel="noreferrer noopener">Note 3717897</a> patches CVE-2026-27671, a memory corruption vulnerability in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform. The vulnerability impacts kernel-level RFC protocol handling for ABAP-based SAP systems, including SAP NetWeaver AS ABAP and ABAP Platform systems that use affected SAP Kernel patch levels. Due to improper validation of RFC protocol requests, an unauthenticated attacker could send a specially crafted RFC request to the application server and trigger logical errors in kernel memory management, potentially resulting in buffer overflow, heap overflow, or broader memory corruption conditions. Successful exploitation could compromise the confidentiality, integrity, and availability of the affected SAP application by enabling unauthorized data access, manipulation of application processing, service instability, or system disruption. SAP has corrected the issue through improved RFC protocol validation in the SAP Kernel, and remediation requires applying the relevant Kernel patch delivered through the applicable hotfix archive, such as dw.sar, or the SP Stack Kernel archives SAPEXE.SAR and SAPEXEDB.SAR. Customers should apply the latest available SAP Kernel patch level that contains the correction, review relevant regression guidance before deployment, and upgrade to a supported downward-compatible kernel where the current kernel release is out of maintenance.</p>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3727078" target="_blank" rel="noreferrer noopener">Note 3727078</a> addresses CVE-2026-40128, a directory traversal vulnerability in the Web Container component of SAP NetWeaver Application Server Java. The vulnerability impacts Java-based SAP systems where the Web Container processes HTTP logon requests and associated file inclusion parameters. Due to insufficient path validation, an unauthenticated attacker could craft a malicious HTTP logon request that uses path traversal sequences to escape the intended application context and cause the server to process an unintended local file. Successful exploitation could expose or alter sensitive information, depending on the file reached and how it is processed, and could also affect system availability by rendering parts of the local system or application runtime unavailable. The issue is constrained by certain environmental conditions outside the attacker’s control, but the unauthenticated attack vector makes affected SAP NetWeaver AS Java systems, especially externally reachable logon endpoints, high priority for remediation. SAP has corrected the Web Container logic to prevent traversal outside the intended context, and customers should implement the referenced Support Packages and patches, with additional guidance available in SAP Note 1974464 and FAQ Note 3758864. No workaround is available, so applying the SAP-provided patches is the only effective remediation.</p>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3748262" target="_blank" rel="noreferrer noopener">Note 3748262</a> patches CVE-2026-22732, a Spring Security vulnerability impacting SAP Commerce Cloud and SAP Data Hub through their use of vulnerable Spring Security versions. The issue affects the HTTP security header enforcement layer, where specific request paths may finalize the HTTP response before Spring Security can write required response headers, including security headers that protect against client-side and browser-mediated attack scenarios. In SAP Commerce Cloud, security headers are set through a multi-layer mechanism, but headers managed exclusively by Spring Security may not be covered by an alternate fallback path, creating a potential exposure where responses are delivered without the expected security controls. Successful exploitation could weaken browser-side protections and increase the risk of confidentiality and integrity compromise, although SAP indicates there is no impact on availability. SAP has remediated the issue by upgrading Spring Security to non-vulnerable versions in SAP Commerce Patch Release 2205.50, SAP Commerce Cloud Public Cloud Update Releases 2211.52 and 2211-jdk21.10, and SAP Data Hub Patch Releases 2205.50 and 2211.52. Customers should apply the relevant patch or update release, rebuild and redeploy SAP Commerce Cloud where applicable, and review FAQ Note 3761279 for required actions and implementation guidance.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Key Takeaways of the DBIR 2026 for SAP Solutions</title>
		<link>https://www.layersevensecurity.com/key-takeaways-of-the-dbir-2026-for-sap-solutions/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Tue, 26 May 2026 21:48:49 +0000</pubDate>
				<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[SAP Vulnerabilities]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17883</guid>

					<description><![CDATA[<p>Background: The Verizon Data Breach Investigations Report, widely known as the DBIR, is one of the most respected annual reports in the cybersecurity industry. Published by Verizon, the report analyzes real-world security incidents and confirmed data breaches to identify attack vectors, threat actors, and defensive measures. Since its first edition in 2008, the DBIR has become [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/key-takeaways-of-the-dbir-2026-for-sap-solutions/">Key Takeaways of the DBIR 2026 for SAP Solutions</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="572" src="https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector-1024x572.webp" alt="" class="wp-image-17888" srcset="https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector-1024x572.webp 1024w, https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector-300x167.webp 300w, https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector-150x84.webp 150w, https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector-768x429.webp 768w, https://www.layersevensecurity.com/wp-content/uploads/Verizon-DBIR-Vulnerability-Exploitation-Overtakes-Credentials-as-Top-Breach-Vector.webp 1376w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph"><strong>Background</strong><br>The <a href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noreferrer noopener">Verizon Data Breach Investigations Report</a>, widely known as the DBIR, is one of the most respected annual reports in the cybersecurity industry. Published by Verizon, the report analyzes real-world security incidents and confirmed data breaches to identify attack vectors, threat actors, and defensive measures. Since its first edition in 2008, the DBIR has become a key reference for security leaders, risk managers, auditors, and technology teams seeking an evidence-based view of the global threat landscape.</p>



<p class="wp-block-paragraph">The 2026 DBIR, released on May 19, 2026, is the 19th edition of the report. It is based on an analysis of more than 31,000 real-world security incidents and more than 22,000 confirmed data breaches. The underlying dataset includes contributions from a broad range of organizations, including law enforcement agencies, forensic firms, law firms, cyber insurers, cybersecurity information-sharing groups, and Verizon’s own Threat Research Advisory Center. The report covers incidents that occurred between November 1, 2024, and October 31, 2025, providing a structured view of breach patterns across industries, regions, attack methods, threat actors, and compromised assets.</p>



<p class="wp-block-paragraph">This article examines the key findings of the Verizon DBIR 2026 from an SAP security perspective. It assesses the implications of the report for SAP solutions and outlines the changes organizations should consider across SAP vulnerability management, patching, access control, third-party connectivity, and threat detection in response to the evolving threat landscape.</p>



<p class="wp-block-paragraph"><strong>Key Takeaways</strong></p>



<ol class="wp-block-list">
<li>Vulnerability exploitation is now the leading breach entry point</li>



<li>The patching window is shrinking</li>



<li>Ransomware remains a major breach driver</li>



<li>Third-party and supply chain involvement is increasing</li>



<li>The human element is still material</li>



<li>Shadow AI introduces data leakage risk</li>
</ol>



<p class="wp-block-paragraph"><strong>1. Vulnerability exploitation is now the leading breach entry point</strong><br>According to the DBIR, 31% of breaches now start with software vulnerability exploitation, overtaking stolen credentials for the first time in the DBIR’s 19-year history. This is especially relevant for SAP because SAP landscapes often include large numbers of components, add-ons, kernel versions, ABAP code, Java components, RFC services, ICM services, SAP Gateway, SAP Web Dispatcher, SAP HANA, and SAP BTP integrations. Any delay in applying SAP Security Notes, support packages, kernel updates, or compensating controls increases exposure.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> Vulnerability management should be treated as a primary SAP security control, not a periodic maintenance task. Organizations need continuous identification of applicable SAP security notes, prioritization based on exploitability and business risk, and compensating controls where patches cannot be applied immediately.</p>



<p class="wp-block-paragraph"><strong>2. The patching window is shrinking</strong><br>The DBIR highlights that AI is accelerating the time between vulnerability disclosure and exploitation, reducing the defender’s window from months to hours. The median time for full patching increased to 43 days, up from 32 days the prior year, while organizations patched only 26% of CISA KEV-listed defects in the analyzed period.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> Traditional monthly or quarterly SAP patch cycles may not be sufficient for high-risk vulnerabilities. SAP teams need a faster process for identifying exposed systems, applying emergency corrections, implementing virtual patches or workarounds, and monitoring for exploitation attempts.</p>



<p class="wp-block-paragraph"><strong>3. Ransomware remains a major breach driver</strong><br>The DBIR states that 48% of breaches involve ransomware. For SAP environments, the impact of ransomware is not limited to encrypted servers or endpoints. SAP systems support finance, procurement, manufacturing, HR, logistics, supply chain, and customer operations. Disruption to SAP can become a business continuity event.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> SAP systems should be included in ransomware resilience planning. This includes hardening privileged access, securing SAP service accounts, monitoring suspicious administrative activity, protecting backups, restricting OS and database-level access, and detecting unusual behavior across SAP application, database, and host layers.</p>



<p class="wp-block-paragraph"><strong>4. Third-party and supply chain involvement is increasing</strong><br>Verizon reports that breaches involving third parties increased by 60% and now account for 48% of all breaches. This maps directly to SAP risk because SAP environments commonly depend on third-party support providers, implementation partners, managed service providers, hyperscalers, SaaS integrations, add-ons, transports, RFC connections, APIs, and open-source components used in extensions.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> SAP security programs should assess third-party access, partner-managed accounts, remote connectivity, transports, software components, cloud connectors, API integrations, and outsourced support models. Third-party risk should not stop at contracts and questionnaires; it needs technical validation inside the SAP landscape.</p>



<p class="wp-block-paragraph"><strong>5. The human element is still material</strong><br>The DBIR reports that 62% of breaches involved a human element, with social engineering accounting for 16% of breaches. It also notes that mobile-centric phishing is seeing higher success than traditional email phishing.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> SAP users with privileged business or technical access remain attractive targets. Compromised credentials for SAP_ALL users, Basis administrators, developers, RFC users, emergency access users, or business users with sensitive transaction access can lead to fraud, data theft, privilege abuse, or system compromise. MFA, SoD controls, least privilege, user behavior monitoring, and privileged access governance remain essential.</p>



<p class="wp-block-paragraph"><strong>6. Shadow AI introduces data leakage risk</strong><br>The DBIR highlights rapid growth in employee use of unapproved AI tools, with regular AI usage rising from 15% to 45% of employees in one year. The report also notes that many users access AI services from corporate devices using non-corporate accounts.</p>



<p class="wp-block-paragraph"><strong>SAP Takeaway:</strong> SAP data is often highly sensitive: customer records, pricing, contracts, payroll, finance, material master data, supplier information, production data, and regulated personal data. Organizations should prevent users from copying SAP exports, reports, ABAP code, logs, configuration data, or incident details into unmanaged AI platforms. Data loss prevention, access monitoring, and AI usage policies should explicitly cover SAP data.</p>



<p class="wp-block-paragraph"><strong>Recommendations</strong><br>The most significant message from the DBIR 2026 is that SAP security needs to shift from periodic compliance checking to continuous exposure management. Vulnerabilities, third-party dependencies, identity abuse, ransomware, and AI-accelerated exploitation are all time-sensitive risks. SAP landscapes need faster detection, faster prioritization, and faster mitigation.</p>



<p class="wp-block-paragraph">For SAP solutions, the practical priorities are:</p>



<p class="wp-block-paragraph">1. Continuously identify applicable SAP vulnerabilities across ECC, S/4HANA, SAP HANA, SAP Java, SAP Web Dispatcher, SAProuter, SAP BTP, Cloud Connector, and connected components.</p>



<p class="wp-block-paragraph">2. Prioritize SAP Security Notes based on exploitability, exposure, system criticality, and compensating controls, not only CVSS score.</p>



<p class="wp-block-paragraph">3. Use virtual patching or workarounds when official patches cannot be applied quickly, especially for external-facing systems, unsupported systems, or systems under third-party support.</p>



<p class="wp-block-paragraph">4. Monitor SAP-specific indicators of compromise, including suspicious RFC activity, failed logons, privilege changes, debug activity, dangerous function module execution, ICM abuse, Gateway misuse, HANA administrative events, and changes to critical configuration.</p>



<p class="wp-block-paragraph">5. Strengthen privileged access controls, especially for SAP_ALL, SAP_NEW, emergency users, technical users, RFC users, developers, Basis administrators, and database administrators.</p>



<p class="wp-block-paragraph">6. Validate third-party access and integrations, including support connections, SAP Cloud Connector, APIs, RFC destinations, middleware, add-ons, transports, and managed service provider accounts.</p>



<p class="wp-block-paragraph">7. Include SAP in ransomware and incident response planning, with SAP-specific logging, backup validation, recovery procedures, and escalation playbooks.</p>



<p class="wp-block-paragraph">8. Control leakage of SAP data into AI tools, especially exports, reports, custom code, logs, configuration data, and sensitive business records.</p>



<p class="wp-block-paragraph"><strong>Conclusion</strong><br>The Verizon DBIR 2026 reinforces that the greatest SAP risks are no longer theoretical. Attackers are exploiting known vulnerabilities faster, using automation and AI to reduce the time to compromise, and increasingly entering through third parties and exposed software flaws. For SAP customers, the key takeaway is clear: SAP vulnerability management, threat detection, access governance, and compensating controls need to operate continuously across the full SAP application, database, cloud, and integration landscape.</p>



<p class="wp-block-paragraph"><strong>The Cybersecurity Extension for SAP Supports DBIR 2026 Response Priorities</strong><br>The <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a> enables organizations to respond to the key takeaways of the Verizon DBIR 2026 by providing continuous security monitoring, vulnerability management, patch management, compliance management, access control analysis, custom code security, and threat detection for SAP solutions. The platform identifies applicable SAP security notes based on installed software components and versions, helping organizations prioritize vulnerabilities based on relevance, exposure, and system risk rather than CVSS score alone. Where patches cannot be applied immediately, it supports compensating controls and virtual patching through predefined workarounds, access restrictions, configuration hardening, and enhanced monitoring. The solution also detects SAP-specific indicators of compromise across application, database, cloud, and integration layers, including suspicious RFC activity, privilege changes, failed logons, dangerous function execution, SAP HANA administrative events, and critical configuration changes. By combining vulnerability intelligence, access governance, custom code analysis, and real-time threat detection in a unified SAP-certified platform, the Cybersecurity Extension for SAP helps organizations move from periodic compliance checks to continuous exposure management across their SAP landscapes.</p>



<p class="wp-block-paragraph"><strong>Frequently Asked Questions</strong></p>



<p class="wp-block-paragraph"><strong>What is the Verizon DBIR?</strong><br>The Verizon Data Breach Investigations Report, or DBIR, is an annual cybersecurity report that analyzes real-world security incidents and confirmed data breaches. It is widely used by security leaders, risk teams, auditors, and technology teams to understand how breaches occur, which attack methods are most common, and which security controls should be prioritized.</p>



<p class="wp-block-paragraph"><strong>Why is the DBIR relevant to SAP security?</strong><br>The DBIR is not focused specifically on SAP, but many of its findings directly apply to SAP environments. SAP systems often support critical business processes and contain sensitive financial, operational, customer, supplier, and HR data. Findings related to vulnerability exploitation, ransomware, third-party risk, credential abuse, and data leakage are therefore highly relevant to SAP landscapes.</p>



<p class="wp-block-paragraph"><strong>What is the most important DBIR 2026 takeaway for SAP customers?</strong><br>The most important takeaway is that SAP security needs to move from periodic compliance checking to continuous exposure management. The report shows that attackers are exploiting vulnerabilities faster, while SAP environments often involve complex patching cycles, integrations, custom code, and third-party dependencies.</p>



<p class="wp-block-paragraph"><strong>How does vulnerability exploitation affect SAP solutions?</strong><br>SAP landscapes include many components that may introduce exploitable vulnerabilities, including ABAP systems, SAP HANA, SAP Java, SAP Web Dispatcher, SAProuter, SAP Gateway, RFC services, ICM services, SAP BTP integrations, add-ons, and custom code. Delays in applying SAP Security Notes, support packages, kernel updates, or compensating controls can increase the risk of compromise.</p>



<p class="wp-block-paragraph"><strong>Why are traditional SAP patching cycles no longer sufficient?</strong><br>The DBIR highlights that the time between vulnerability disclosure and exploitation is shrinking. For SAP customers, this means monthly or quarterly patching cycles may not be fast enough for high-risk vulnerabilities, especially for external-facing systems, systems with sensitive data, or systems that cannot be patched quickly due to operational constraints.</p>



<p class="wp-block-paragraph"><strong>What are compensating controls in SAP security?</strong><br>Compensating controls are alternative safeguards used when a patch or correction cannot be applied immediately. In SAP environments, these may include access restrictions, disabling vulnerable services or objects, configuration hardening, network-level controls, enhanced logging, threat detection rules, and virtual patching.</p>



<p class="wp-block-paragraph"><strong>How does third-party risk apply to SAP environments?</strong><br>SAP environments commonly rely on implementation partners, managed service providers, third-party support vendors, cloud providers, middleware, add-ons, RFC connections, APIs, and SaaS integrations. These dependencies can increase exposure if third-party access, remote connectivity, transports, technical users, or integrations are not properly governed and monitored.</p>



<p class="wp-block-paragraph"><strong>How should SAP customers respond to ransomware risk?</strong><br>SAP systems should be included in ransomware resilience planning. This includes protecting SAP backups, monitoring privileged activity, restricting OS and database access, securing service accounts, reviewing administrative permissions, and detecting unusual behavior across the SAP application, database, host, cloud, and integration layers.</p>



<p class="wp-block-paragraph"><strong>Why is the human element important for SAP security?</strong><br>Compromised SAP users can create significant risk, especially when they have privileged technical or business access. Accounts such as SAP_ALL users, Basis administrators, developers, RFC users, emergency access users, and users with sensitive transaction access should be governed through least privilege, segregation of duties, MFA, monitoring, and periodic access reviews.</p>



<p class="wp-block-paragraph"><strong>How does shadow AI create risk for SAP data?</strong><br>Shadow AI can expose sensitive SAP data if users copy reports, exports, logs, custom code, configuration details, or incident data into unmanaged AI tools. SAP data often includes financial records, pricing, customer data, supplier data, payroll information, production data, and regulated personal information, making AI-related data leakage a material risk.</p>



<p class="wp-block-paragraph"><strong>How can the Cybersecurity Extension for SAP help organizations respond to the DBIR findings?</strong><br>The Cybersecurity Extension for SAP supports continuous vulnerability management, SAP security notes analysis, patch prioritization, compensating controls, custom code security, access control analysis, compliance management, and SAP-specific threat detection. It helps organizations identify applicable vulnerabilities, monitor indicators of compromise, validate access risks, and move toward continuous exposure management across SAP application, database, cloud, and integration layers.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes May 2026: Supply-Chain Attack and Critical Vulnerabilities Explained</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-may-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Tue, 12 May 2026 16:57:28 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17652</guid>

					<description><![CDATA[<p>The SAP security advisories for May 2026 address several high-impact vulnerabilities, including a targeted software supply-chain attack, a &#8220;Hot News&#8221; SQL injection in S/4HANA, a missing authentication check in Commerce Cloud, and a high-risk OS command injection. Organizations should treat these notes as urgent and prioritize remediation to mitigate significant risks. Executive Summary SAP&#8217;s security [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-may-2026/">SAP Security Notes May 2026: Supply-Chain Attack and Critical Vulnerabilities Explained</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">The SAP security advisories for May 2026 address several high-impact vulnerabilities, including a targeted software supply-chain attack, a &#8220;Hot News&#8221; SQL injection in S/4HANA, a missing authentication check in Commerce Cloud, and a high-risk OS command injection. Organizations should treat these notes as urgent and prioritize remediation to mitigate significant risks.</p>



<h3 class="wp-block-heading">Executive Summary</h3>



<p class="wp-block-paragraph">SAP&#8217;s security updates for May 2026 highlight critical risks across the enterprise landscape, from developer tooling to core business applications. The most urgent issue is&nbsp;<a href="https://me.sap.com/notes/3747787">SAP Security Note 3747787</a>, which details the&nbsp;<a href="https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/">Mini Shai-Hulud</a>&nbsp;supply-chain attack targeting SAP cloud developers through malicious npm packages. This campaign aimed to steal high-value developer, cloud, and CI/CD credentials. Additionally, SAP released patches for three other significant vulnerabilities. A &#8220;Hot News&#8221;&nbsp;<a href="https://me.sap.com/notes/3724838">SAP Security Note 3724838</a>&nbsp;addresses a critical SQL injection vulnerability (CVE-2026-34260) in SAP S/4HANA that could expose sensitive data.&nbsp;<a href="https://me.sap.com/notes/3733064">SAP Security Note 3733064</a>&nbsp;fixes a missing authentication check (CVE-2026-34263) in SAP Commerce Cloud, which could allow for remote code execution. Finally,&nbsp;<a href="https://me.sap.com/notes/3732471" target="_blank" rel="noreferrer noopener">SAP Security Note 3732471</a>&nbsp;patches a high-risk OS command injection (CVE-2026-34259) in SAP Forecasting &amp; Replenishment, potentially leading to a full system compromise.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways</h3>



<ul class="wp-block-list">
<li>A software supply-chain attack named &#8220;Mini Shai-Hulud&#8221; targeted SAP developers via malicious npm packages to steal credentials.</li>



<li>A critical &#8220;Hot News&#8221; SQL injection vulnerability (CVE-2026-34260) was patched in SAP S/4HANA Enterprise Search.</li>



<li>A missing authentication check in SAP Commerce Cloud (CVE-2026-34263) could allow an unauthenticated attacker to execute code.</li>



<li>A high-risk OS command injection flaw (CVE-2026-34259) was fixed in SAP Forecasting &amp; Replenishment.</li>



<li>Organizations must act urgently to identify affected systems and apply all relevant patches to prevent data exposure and system compromise.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">May 2026 SAP Security Vulnerabilities Overview</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th class="has-text-align-left" data-align="left">SAP Security Note</th><th class="has-text-align-left" data-align="left">CVE ID</th><th class="has-text-align-left" data-align="left">Vulnerability Type</th><th class="has-text-align-left" data-align="left">Affected Product(s)</th><th class="has-text-align-left" data-align="left">Risk / Impact</th></tr><tr><td><a href="https://me.sap.com/notes/3747787" target="_blank" rel="noreferrer noopener">3747787</a></td><td>N/A</td><td>Software Supply-Chain Attack</td><td>SAP CAP, MTA, BTP Development Tooling</td><td>Credential theft, source code exposure, CI/CD compromise</td></tr><tr><td><a href="https://me.sap.com/notes/3724838" target="_blank" rel="noreferrer noopener">3724838</a></td><td>CVE-2026-34260</td><td>SQL Injection</td><td>SAP S/4HANA (Enterprise Search)</td><td>High impact on confidentiality and availability</td></tr><tr><td><a href="https://me.sap.com/notes/3733064" target="_blank" rel="noreferrer noopener">3733064</a></td><td>CVE-2026-34263</td><td>Missing Authentication Check</td><td>SAP Commerce Cloud</td><td>Remote code execution, full C/I/A compromise</td></tr><tr><td><a href="https://me.sap.com/notes/3732471" target="_blank" rel="noreferrer noopener">3732471</a></td><td>CVE-2026-34259</td><td>OS Command Injection</td><td>SAP Forecasting &amp; Replenishment</td><td>Full compromise of confidentiality, integrity, and availability</td></tr></tbody></table></figure>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What is the Mini Shai-Hulud Supply-Chain Attack? (Note 3747787)</h3>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3747787">SAP Security Note 3747787</a>&nbsp;is an urgent advisory addressing the&nbsp;<a href="https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/">Mini Shai-Hulud</a>&nbsp;malware campaign. This attack targeted the software supply chain for SAP cloud development by injecting malicious code into popular npm packages, including&nbsp;<code>mbt</code>,&nbsp;<code>@cap-js/sqlite</code>, and others associated with SAP CAP and MTA tooling. The malware executed automatically during&nbsp;<code>npm install</code>, using a preinstall script to download the Bun runtime and launch a credential-stealing payload.</p>



<p class="wp-block-paragraph">The primary goal was to steal developer, GitHub, npm, cloud, and CI/CD credentials from developer workstations and build environments. The malware also attempted to propagate by using stolen tokens to publish itself to other packages and created persistence mechanisms in IDEs like VS Code. Because of the risk of stolen credentials and persistent access, simply removing the package is insufficient. Recommended actions include identifying all systems where the packages were installed, rotating all potentially exposed credentials, and searching for indicators of compromise like suspicious GitHub repositories or modified IDE configurations.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What is the SQL Injection Vulnerability in S/4HANA? (Note 3724838)</h3>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3724838">SAP Security Note 3724838</a>&nbsp;patches a &#8220;Hot News&#8221; SQL injection vulnerability, tracked as CVE-2026-34260, in SAP S/4HANA&#8217;s Enterprise Search for ABAP. The vulnerability affects SAPBASIS releases 7.51 through 7.58 and 8.16. It arises because user-controlled input is not properly sanitized before being passed to the database.</p>



<p class="wp-block-paragraph">An authenticated attacker could exploit this flaw to inject malicious SQL statements, allowing them to gain unauthorized access to sensitive database information. While the vulnerability does not impact data integrity, it has a high impact on confidentiality and could cause application instability or crashes, affecting availability. SAP&#8217;s correction validates user input to prevent the execution of malicious SQL.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What is the Missing Authentication Vulnerability in Commerce Cloud? (Note 3733064)</h3>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3733064" target="_blank" rel="noreferrer noopener">SAP Security Note 3733064</a>&nbsp;addresses a critical missing authentication check in SAP Commerce Cloud, identified as CVE-2026-34263. The issue stems from an improper Spring Security configuration with overly permissive access rules, which could allow an unauthenticated attacker to access a sensitive configuration upload function.</p>



<p class="wp-block-paragraph">This vulnerability poses a severe risk, as an attacker could upload a malicious configuration to achieve arbitrary server-side code execution. Successful exploitation could lead to a complete compromise of the application&#8217;s confidentiality, integrity, and availability. SAP has addressed the flaw by disabling the configuration upload functionality by default. The fix is available in SAP Commerce Cloud releases 2205.49, 2211.51, and 2211-jdk21.10.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What is the OS Command Injection in Forecasting &amp; Replenishment? (Note 3732471)</h3>



<p class="wp-block-paragraph"><a href="https://me.sap.com/notes/3732471" target="_blank" rel="noreferrer noopener">SAP Security Note 3732471</a>&nbsp;fixes a high-risk OS command injection vulnerability (CVE-2026-34259) in SAP Forecasting &amp; Replenishment. The flaw could allow an authenticated attacker with administrative privileges to execute arbitrary operating system commands by abusing a function module with insufficient input validation.</p>



<p class="wp-block-paragraph">Successful exploitation could lead to a complete compromise of the system&#8217;s confidentiality, integrity, and availability. An attacker could read, modify, or delete system data, execute unauthorized commands on the server, or shut down the system entirely. SAP has corrected the issue by implementing proper authorization checks and command screening.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>What was the most urgent SAP security issue in May 2026?</strong><br>The most urgent issue was the&nbsp;<a href="https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/">Mini Shai-Hulud</a>&nbsp;software supply-chain attack detailed in&nbsp;<a href="https://me.sap.com/notes/3747787">SAP Security Note 3747787</a>. It targeted high-value developer and cloud credentials via malicious npm packages, posing a significant risk of widespread compromise.</p>



<p class="wp-block-paragraph"><strong>Which SAP products had critical or high-risk vulnerabilities?</strong><br>Critical or high-risk vulnerabilities were patched in SAP S/4HANA (SQL Injection, CVE-2026-34260), SAP Commerce Cloud (Missing Authentication/RCE, CVE-2026-34263), and SAP Forecasting &amp; Replenishment (OS Command Injection, CVE-2026-34259).</p>



<p class="wp-block-paragraph"><strong>What is Mini Shai-Hulud?</strong><br>Mini Shai-Hulud is a malware campaign that targeted SAP developers by compromising trusted npm packages used for SAP cloud development. The malware was designed to automatically execute upon installation and steal a wide range of credentials, including those for GitHub, npm, and cloud services.</p>



<p class="wp-block-paragraph"><strong>What action is recommended for these vulnerabilities?</strong><br>Organizations should immediately review the specific SAP Security Notes to identify affected systems. It is critical to apply the recommended patches, correction instructions, or support packages as soon as possible to mitigate the risk of data breaches, system compromise, and operational disruption.</p>



<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-may-2026/">SAP Security Notes May 2026: Supply-Chain Attack and Critical Vulnerabilities Explained</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Mini Shai-Hulud: Understanding the SAP Supply Chain Malware</title>
		<link>https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Fri, 01 May 2026 17:09:33 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[SAP Cloud Security]]></category>
		<category><![CDATA[SAP Code Vulnerabilities]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17622</guid>

					<description><![CDATA[<p>Mini Shai-Hulud is a malware campaign that targeted the software supply chain for SAP cloud development by injecting malicious code into specific npm packages. Active for a few hours on April 29, 2026, the attack was designed to steal sensitive credentials, including GitHub tokens, npm tokens, and cloud credentials from developers using these tools. This [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/">Mini Shai-Hulud: Understanding the SAP Supply Chain Malware</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Mini Shai-Hulud is a malware campaign that targeted the software supply chain for SAP cloud development by injecting malicious code into specific npm packages. Active for a few hours on April 29, 2026, the attack was designed to steal sensitive credentials, including GitHub tokens, npm tokens, and cloud credentials from developers using these tools.</p>



<p class="wp-block-paragraph">This incident represents a significant software supply chain attack against the SAP ecosystem, exploiting the trust developers place in open-source packages. The malware, a variant of the &#8220;Shai-Hulud&#8221; worm, was embedded in four npm packages related to the SAP Cloud Application Programming Model (CAP) and Multi-Target Applications (MTA). Upon installation, it used automation features in popular code editors and pre-install scripts to execute a payload that harvested credentials and exfiltrated them by creating public GitHub repositories. This advisory details the attack, lists the affected packages, and provides clear remediation steps for developers and organizations to secure their environments.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways</h3>



<ul class="wp-block-list">
<li><strong>Targeted Supply Chain Attack:</strong> Mini Shai-Hulud specifically targeted SAP developers via malicious npm packages.</li>



<li><strong>Credential Theft:</strong> The primary goal was to steal GitHub tokens, npm tokens, and cloud credentials.</li>



<li><strong>Four Packages Compromised:</strong> Specific versions of <code>@cap-js/sqlite</code>, <code>@cap-js/postgres</code>, <code>@cap-js/db-service</code>, and <code>mbt</code> were affected.</li>



<li><strong>Immediate Action Required:</strong> Organizations must check for compromised systems, remove malicious packages, and rotate all potentially exposed credentials.</li>



<li><strong>Highlights Open-Source Risk:</strong> The attack underscores the need for governance over open-source dependencies in enterprise development.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Which SAP npm Packages Were Affected?</h3>



<p class="wp-block-paragraph">The Mini Shai-Hulud malware was found in specific versions of four npm packages commonly used in SAP cloud development. On April 30, SAP released&nbsp;<a href="https://me.sap.com/notes/3747787" target="_blank" rel="noreferrer noopener">SAP Security Note 3747787</a>&nbsp;in response to the discovery. The packages were available in the compromised state for approximately two to four hours on April 29, 2026.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th class="has-text-align-left" data-align="left">Package Name</th><th class="has-text-align-left" data-align="left">Malicious Version</th></tr><tr><td><code>@cap-js/sqlite</code></td><td><code>v2.2.2</code></td></tr><tr><td><code>@cap-js/postgres</code></td><td><code>v2.2.2</code></td></tr><tr><td><code>@cap-js/db-service</code></td><td><code>v2.10.1</code></td></tr><tr><td><code>mbt</code></td><td><code>v1.2.48</code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">These packages are connected to the SAP Cloud Application Programming Model (CAP) and are used to build service layers, APIs, and extensions for various SAP solutions on the SAP Business Technology Platform (BTP).</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How Does the Mini Shai-Hulud Attack Work?</h3>



<p class="wp-block-paragraph">The attack was initiated when a developer installed one of the compromised npm packages, triggering a malicious&nbsp;<code>preinstall</code>&nbsp;script. The malware used several mechanisms to execute its payload and remain persistent.</p>



<ul class="wp-block-list">
<li><strong>Automated Execution:</strong> The malware added malicious configuration files like <code>.vscode/tasks.json</code> and <code>.claude/settings.json</code>. These files were configured to automatically execute code when a developer opened the project folder in VS Code or started a Claude Code session.</li>



<li><strong>Payload Download:</strong> The initial script downloaded the Bun JavaScript runtime, which was then used to run a large, obfuscated 11.2 MB JavaScript file (<code>execution.js</code>) with full user privileges. Using Bun instead of Node.js helped bypass some security tools focused on Node.</li>



<li><strong>Credential Theft:</strong> The primary payload scanned the developer&#8217;s machine for sensitive credentials, including GitHub tokens, npm tokens, cloud credentials (AWS, Azure, GCP), Kubernetes configurations, and SSH keys.</li>



<li><strong>Data Exfiltration:</strong> Stolen data was encrypted and exfiltrated by creating new public repositories on the victim&#8217;s own GitHub account, often with descriptions like &#8220;A Mini Shai-Hulud has Appeared&#8221;.</li>



<li><strong>Propagation:</strong> In continuous integration (CI) environments, the malware attempted to tamper with release pipelines to exfiltrate npm OIDC credentials and publish more trojanized packages, demonstrating worm-like behavior.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Are the Recommended Actions?</h3>



<p class="wp-block-paragraph">If you suspect exposure, take immediate and decisive action to contain the threat and secure your environment. Do not open potentially compromised project directories in code editors until they have been verified.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How to Check if Your System is Compromised</h3>



<p class="wp-block-paragraph">You can run a command in your shell (outside of any IDE) to check for the presence of the malicious setup files. The presence of either file indicates a compromised system.</p>



<p class="wp-block-paragraph">Execute the following command:<br><code>ls path/to/cds-dbs/.claude/setup.mjs path/to/cds-dbs/.vscode/setup.mjs 2&gt;/dev/null</code></p>



<p class="wp-block-paragraph">If this command returns any file paths, treat the system as compromised and begin incident response procedures.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Remediation and Security Steps</h3>



<ul class="wp-block-list">
<li><strong>Isolate and Verify:</strong> Identify all developer workstations, build agents, and CI/CD pipelines where the affected npm packages or versions might have been installed.</li>



<li><strong>Remove or Upgrade:</strong> Remove the compromised packages or upgrade them to clean, verified versions.</li>



<li><strong>Rotate Credentials:</strong> Immediately rotate all credentials that may have been exposed. This includes GitHub tokens, npm tokens, cloud service credentials, CI/CD pipeline secrets, and any service account credentials.</li>



<li><strong>Audit Repositories and Logs:</strong>
<ul class="wp-block-list">
<li>Review GitHub repositories for suspicious commits, unexpected workflow changes, or the presence of <code>.vscode/tasks.json</code> and <code>.claude/settings.json</code> files.</li>

<li>Audit CI/CD logs, <code>npm install</code> activity, GitHub token usage, and cloud access logs around the time of the suspected exposure.</li>
</ul>
</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Does This Attack Mean for Software Supply Chain Security?</h3>



<p class="wp-block-paragraph">The Mini Shai-Hulud campaign is a clear illustration of the growing risks associated with software supply chain attacks in modern SAP development. Instead of directly targeting SAP systems, the attackers targeted the open-source tools and libraries that developers trust.</p>



<p class="wp-block-paragraph">This incident highlights that risk is not confined to an organization&#8217;s custom code but extends to all third-party and open-source dependencies. Malicious code can enter an organization through development tools, libraries, and automated build pipelines, creating an indirect path to sensitive data and systems. It reinforces the critical need for robust governance over open-source dependencies, package sources, CI/CD security, and developer credential management.</p>



<p class="wp-block-paragraph">In contrast, the&nbsp;<a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a>&nbsp;from Layer Seven Security is developed as a completely closed-source solution, which avoids the risks associated with public package ecosystems and open-source components.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>What is Mini Shai-Hulud?</strong><br>Mini Shai-Hulud is a malware campaign that targeted SAP developers through a software supply chain attack. It involved injecting malicious, credential-stealing code into four widely used npm packages related to SAP cloud development.</p>



<p class="wp-block-paragraph"><strong>What was the goal of the Mini Shai-Hulud malware?</strong><br>The primary goal was to steal sensitive credentials from developers, including GitHub and npm tokens, as well as secrets for cloud platforms like AWS, Azure, and GCP.</p>



<p class="wp-block-paragraph"><strong>Which npm packages were affected by Mini Shai-Hulud?</strong><br>The compromised packages were&nbsp;<code>@cap-js/sqlite</code>&nbsp;(v2.2.2),&nbsp;<code>@cap-js/postgres</code>&nbsp;(v2.2.2),&nbsp;<code>@cap-js/db-service</code>&nbsp;(v2.10.1), and&nbsp;<code>mbt</code>&nbsp;(v1.2.48).</p>



<p class="wp-block-paragraph"><strong>How do I check if I was affected by this attack?</strong><br>Run the command&nbsp;<code>ls path/to/cds-dbs/.claude/setup.mjs path/to/cds-dbs/.vscode/setup.mjs 2&gt;/dev/null</code>&nbsp;in a shell. If it returns a file path, your system should be considered compromised, and you must begin incident response, including rotating all credentials.</p>



<p>The post <a href="https://www.layersevensecurity.com/mini-shai-hulud-malware-targeting-the-software-supply-chain-for-sap-development-tools/">Mini Shai-Hulud: Understanding the SAP Supply Chain Malware</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>From SAP Logs to Security Intelligence: Integrating SAP with Splunk</title>
		<link>https://www.layersevensecurity.com/from-sap-logs-to-security-intelligence-integrating-sap-with-splunk/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Wed, 29 Apr 2026 20:14:48 +0000</pubDate>
				<category><![CDATA[SAP-SIEM Integration]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17361</guid>

					<description><![CDATA[<p>Splunk is one of the world’s most widely used platforms for collecting, indexing, and analyzing data from across enterprise environments, including servers, applications, cloud services, and network devices. It is commonly used by security operations teams as a Security Information and Event Management (SIEM) platform to centralize log data, correlate events, detect threats, investigate incidents, [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/from-sap-logs-to-security-intelligence-integrating-sap-with-splunk/">From SAP Logs to Security Intelligence: Integrating SAP with Splunk</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Splunk is one of the world’s most widely used platforms for collecting, indexing, and analyzing data from across enterprise environments, including servers, applications, cloud services, and network devices. It is commonly used by security operations teams as a Security Information and Event Management (SIEM) platform to centralize log data, correlate events, detect threats, investigate incidents, and accelerate response.</p>



<p class="wp-block-paragraph">For organizations that rely on both SAP and Splunk, integrating SAP security logs with Splunk is an important step toward achieving unified enterprise threat detection for Security Operations Centers (SOC). However, direct integration is challenging due to the complexity of multiple SAP log sources, inconsistent log formats, high raw data volumes, ongoing maintenance demands, increased storage and licensing costs, and limited native enrichment for effective cross-platform threat correlation. As a result of the challenges detailed below, SOC teams often struggle to successfully connect SAP endpoints with Splunk.</p>



<p class="wp-block-paragraph"><strong>Complexity of SAP log sources</strong></p>



<p class="wp-block-paragraph">SAP systems generate security-relevant events across multiple logs, including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and Read Access Log, as well as logs for HANA, BTP, Java, and other solutions. This makes direct integration with Splunk complex, especially across large SAP landscapes.</p>



<p class="wp-block-paragraph"><strong>Lack of standardized log formats</strong></p>



<p class="wp-block-paragraph">SAP logs differ in format, structure, and storage method. Some logs are file-based, while others are stored in SAP tables. This creates challenges for consistent parsing, normalization, and ingestion into Splunk.</p>



<p class="wp-block-paragraph"><strong>High log volume</strong></p>



<p class="wp-block-paragraph">Large SAP environments can generate very high volumes of raw log data. Transmitting this data to Splunk can increase network bandwidth usage, storage requirements, and SIEM licensing costs.</p>



<p class="wp-block-paragraph"><strong>Integration maintenance burden</strong></p>



<p class="wp-block-paragraph">Organizations must maintain multiple integration points between SAP systems and Splunk. This includes managing connectivity, log collection, parsing rules, data retention, and archiving.</p>



<p class="wp-block-paragraph"><strong>Limited enrichment in native SAP logs</strong></p>



<p class="wp-block-paragraph">Many SAP logs do not include the context needed for effective correlation in Splunk, such as source IP addresses, destination IP addresses, user context, system context, or business process details.</p>



<p class="wp-block-paragraph"><strong>Difficult cross-platform correlation</strong></p>



<p class="wp-block-paragraph">SOC teams may struggle to correlate SAP activity with non-SAP telemetry from endpoints, networks, cloud platforms, identity systems, and other enterprise security tools.</p>



<p class="wp-block-paragraph"><strong>Scalability challenges in large SAP landscapes</strong></p>



<p class="wp-block-paragraph">The complexity increases significantly when organizations need to integrate logs from multiple SAP systems, environments, applications, and instances.</p>



<p class="wp-block-paragraph"><strong>Cost control</strong></p>



<p class="wp-block-paragraph">Sending large volumes of raw SAP log data into Splunk can increase infrastructure, storage, and licensing costs.</p>



<p class="wp-block-paragraph"><strong>Operational noise</strong></p>



<p class="wp-block-paragraph">Raw SAP logs can contain large amounts of low-priority or repetitive events. Without filtering, normalization, and enrichment, SOC teams may face alert fatigue and reduced detection efficiency.</p>



<p class="wp-block-paragraph"><strong>Reduced investigation efficiency</strong></p>



<p class="wp-block-paragraph">When SAP logs are incomplete, inconsistent, or difficult to correlate, analysts may need to manually investigate events across multiple SAP tools and Splunk searches, slowing incident response.</p>



<p class="wp-block-paragraph">A further challenge is the lack of predefined rules in Splunk to detect SAP-specific threats. Splunk may centralize SAP logs, but it does not provide the intelligence required to interpret SAP events in the logs to identify threats. As a result, SOC teams often develop and maintain their own SAP-specific detection rules, despite lacking the specialized SAP security expertise required to do so effectively. This can lead to security blind spots and reduce the ability to successfully detect SAP threats.</p>



<p class="wp-block-paragraph">These challenges can be addressed by integrating SAP logs with Splunk using the <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a> (CES). CES provides more than 1,200 out-of-the-box patterns for identifying threats in SAP solutions, enabling SOC teams to monitor SAP logs immediately without investing extensive time and effort in building and maintaining custom detection rules. It delivers the SAP-specific intelligence needed to interpret log activity in Splunk, while monthly updates keep detection content aligned with new threats and vulnerabilities affecting SAP solutions. CES generates and forwards alerts to Splunk in real time, and filters, normalizes, and enriches data before it reaches Splunk. This provides a simpler, faster, and more effective approach for integrating SAP security events with Splunk.</p>



<p class="wp-block-paragraph">Data can be streamed from CES to Splunk using either the Universal Forwarder or Heavy Forwarder for Splunk. Both are software log collection agents. The Universal Forwarder is the more lightweight agent and therefore consumes fewer system resources. The Heavy Forwarder can parse, transform, and even index data locally, but these functions are not required by CES. As an alternative to the Forwarders, data can be forwarded from CES to Splunk via Syslog (rsyslog). This method may be required if it is not possible to install the Universal Forwarder on the target SAP server.</p>



<p class="wp-block-paragraph">Once the agent is installed and configured on the host for CES, it streams data from CES to Splunk. The next step is to create an index in Splunk for CES. An index is a logical storage location where Splunk stores incoming data after it has been ingested and processed. When Splunk receives log or event data, it breaks the data into searchable events and stores them in the target index. Users can query the index to find, analyze, correlate, and report on data.</p>



<p class="wp-block-paragraph">The final step is to install the Splunk app for the Cybersecurity Extension for SAP. The app is available on <a href="https://splunkbase.splunk.com/app/8701" target="_blank" rel="noreferrer noopener">Splunkbase</a>. Splunk apps are add-ons that include predefined data models, configurations, dashboards, and reports for specific use cases. They help to accelerate deployment, reduce operational effort, and improve adoption. The Splunk app for CES is installed as a .tgz package using either the Splunk Web Interface or Command Line Interface (CLI). Once installed, you can access the app from the Splunk App menu.</p>



<p class="wp-block-paragraph">The app parses the data from the CES index and provides preconfigured dashboards to analyze and manage results. The results are structured into three domains: Alerts, Vulnerabilities, and Security Notes. Each domain can be analyzed separately. Alerts are based on pattern matches for threat detection rules applied by CES. Rules can be tuned using exclusion rules in CES to reduce noise and false positives. Alerts can be analyzed and filtered based on date, time, system, environment, priority, and other criteria. Vulnerabilities are system and user-related security weaknesses in SAP solutions detected by CES based on daily automated security scans using a library of 3,000+ SAP-related checks. Security notes are relevant, unapplied security patches calculated by CES. The app tracks the implementation status of security notes across SAP systems.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="776" src="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-1024x776.png" alt="" class="wp-image-17362" srcset="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-1024x776.png 1024w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-300x227.png 300w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-150x114.png 150w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-768x582.png 768w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01.png 1249w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The app enables users to drill down from summary tiles and dashboards into detailed results for alert triage. These detailed results provide the context needed to answer the five Ws of security alerts:</p>



<p class="wp-block-paragraph"><strong>Who</strong><br>Identifies the user, service account, role, host, IP address, or system involved.</p>



<p class="wp-block-paragraph"><strong>What</strong><br>Describes the activity that occurred, such as a failed login, privilege change, suspicious command, vulnerable function call, data access, configuration change, or policy violation.</p>



<p class="wp-block-paragraph"><strong>When</strong><br>Shows when the event occurred, including the date, time, timezone, frequency, and whether the activity took place inside or outside normal operating hours.</p>



<p class="wp-block-paragraph"><strong>Where</strong><br>Identifies where the event occurred, such as the SAP system, client, application server, database, endpoint, cloud service, network segment, source location, or destination system.</p>



<p class="wp-block-paragraph"><strong>Why</strong><br>Explains the risk, business impact, and recommended investigation steps.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="831" src="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-1024x831.png" alt="" class="wp-image-17363" srcset="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-1024x831.png 1024w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-300x244.png 300w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-150x122.png 150w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-768x623.png 768w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02.png 1227w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Status changes for alerts, vulnerabilities, and security notes are synchronized between CES and Splunk, ensuring that Splunk results remain current and reflect updates made by administrators in CES. Results are refreshed at regular intervals to further strengthen synchronization between the two solutions. The refresh rate can be adjusted to meet each organization’s specific requirements.</p>



<p class="wp-block-paragraph">Integrating SAP logs with Splunk is more than a technical exercise. It is an opportunity to extend enterprise security monitoring to the systems that support an organization’s most critical business processes. By using CES to detect, filter, normalize, enrich, and forward SAP security events to Splunk, organizations can reduce integration complexity, lower operational overhead, and provide SOC teams with the SAP-specific intelligence needed to detect and respond to threats more effectively. The result is a faster, more scalable, and more actionable approach to SAP threat monitoring in Splunk.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes April 2026: Critical SQL Injection and High-Risk Flaws Patched</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-april-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Tue, 14 Apr 2026 17:10:18 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9398</guid>

					<description><![CDATA[<p>SAP&#8217;s April 2026 security update addresses a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. This top-priority issue, detailed in Hot News note 3719353, stems from insufficient authorization checks and is fixed by deactivating the vulnerable code. Other high-risk patches were also released. The April 2026 SAP Security Patch [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-april-2026/">SAP Security Notes April 2026: Critical SQL Injection and High-Risk Flaws Patched</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">SAP&#8217;s April 2026 security update addresses a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. This top-priority issue, detailed in Hot News note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a>, stems from insufficient authorization checks and is fixed by deactivating the vulnerable code. Other high-risk patches were also released.</p>



<p class="wp-block-paragraph">The April 2026 SAP Security Patch Day delivered a focused but significant set of updates, led by a critical SQL injection vulnerability. This flaw, covered by Hot News note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a>, affects SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) and is caused by an insufficient authorization check in a user upload program. The patch resolves the issue by deactivating the executable code. Additionally, a high-risk vulnerability was patched in SAP ERP and S/4HANA via note <a href="https://me.sap.com/notes/3731908" target="_blank" rel="noreferrer noopener">3731908</a>, which addresses a missing authorization check that could allow attackers to overwrite ABAP reports. The month&#8217;s updates also included several lower-priority notes for missing authorization checks in S/4HANA and patches for Open Redirect, information disclosure, and code injection vulnerabilities across the SAP landscape.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading"><strong>Key Takeaways</strong></h3>



<ul class="wp-block-list">
<li>A critical SQL injection vulnerability was patched in SAP BPC and BW (Note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a>).</li>



<li>A high-risk authorization flaw in SAP ERP and S/4HANA could lead to report overwrites (Note <a href="https://me.sap.com/notes/3731908" target="_blank" rel="noreferrer noopener">3731908</a>).</li>



<li>Multiple lower-priority notes address missing authorization checks in S/4HANA.</li>



<li>Patches were also released for Open Redirect, information disclosure, and code injection flaws.</li>



<li>A temporary workaround for the critical SQL injection is to restrict access to authorization object S_GUI.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading"><strong>What Are the Most Significant Vulnerabilities for April 2026?</strong></h3>



<p class="wp-block-paragraph">The April 2026 SAP security notes are highlighted by a critical SQL injection vulnerability and a high-risk authorization flaw. The table below summarizes the most important patches released.</p>



<figure class="wp-block-table"><table><tbody><tr><td><strong>SAP Note</strong></td><td><strong>Vulnerability Type</strong></td><td><strong>Affected SAP Product(s)</strong></td><td><strong>Risk Level</strong></td></tr><tr><td><a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a></td><td>SQL Injection</td><td>SAP Business Planning and Consolidation, SAP Business Warehouse</td><td>Critical</td></tr><tr><td><a href="https://me.sap.com/notes/3731908">3731908</a></td><td>Missing Authorization Check</td><td>SAP ERP, SAP S/4HANA</td><td>High</td></tr><tr><td><a href="https://me.sap.com/notes/3692004" target="_blank" rel="noreferrer noopener">3692004</a></td><td>Open Redirect</td><td>SAP NetWeaver Application Server ABAP</td><td>Medium</td></tr><tr><td><a href="https://me.sap.com/notes/3719397" target="_blank" rel="noreferrer noopener">3719397</a></td><td>Code Injection</td><td>SAP NetWeaver Application Server Java</td><td>Medium</td></tr><tr><td><a href="https://me.sap.com/notes/3680767" target="_blank" rel="noreferrer noopener">3680767</a></td><td>Information Disclosure</td><td>SAP Human Capital Management (HCM) for S/4HANA</td><td>Medium</td></tr><tr><td><a href="https://me.sap.com/notes/3730639" target="_blank" rel="noreferrer noopener">3730639</a></td><td>Information Disclosure</td><td>SAP HANA Cockpit, HANA Database Explorer</td><td>Medium</td></tr></tbody></table></figure>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Is the Critical SQL Injection Vulnerability?</h3>



<p class="wp-block-paragraph">Hot News note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a> patches a critical SQL injection vulnerability found in SAP Business Planning and Consolidation and SAP Business Warehouse. The issue is caused by an insufficient authorization check for user uploads within a specific ABAP program. The official fix deactivates the executable code in the program, which prevents it from being executed by any user. As a temporary workaround, administrators can restrict access to the authorization object <strong>S_GUI</strong> with activity 60.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Other High-Risk Vulnerabilities Were Patched?</h3>



<p class="wp-block-paragraph">Note <a href="https://me.sap.com/notes/3731908" target="_blank" rel="noreferrer noopener">3731908</a> addresses a high-risk missing authorization check in SAP ERP and S/4HANA. This vulnerability could be exploited to overwrite ABAP reports, which would impact their availability. A recommended workaround is to restrict access to the vulnerable programs, <strong>RGJVCORG</strong> and <strong>RGJVCORX</strong>, using authorization groups.</p>



<p class="wp-block-paragraph">In addition, several other lower-priority security notes were released to fix missing authorization checks in S/4HANA, including <a href="https://me.sap.com/notes/3703813" target="_blank" rel="noreferrer noopener">3703813</a>, <a href="https://me.sap.com/notes/3715177" target="_blank" rel="noreferrer noopener">3715177</a>, <a href="https://me.sap.com/notes/3715097" target="_blank" rel="noreferrer noopener">3715097</a>, <a href="https://me.sap.com/notes/3711682" target="_blank" rel="noreferrer noopener">3711682</a>, <a href="https://me.sap.com/notes/3530544" target="_blank" rel="noreferrer noopener">3530544</a>, and <a href="https://me.sap.com/notes/3716767" target="_blank" rel="noreferrer noopener">3716767</a>.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Other Flaws Were Addressed in April 2026?</h3>



<p class="wp-block-paragraph">SAP also released patches for several other vulnerabilities across its product suite:</p>



<ul class="wp-block-list">
<li><strong>Open Redirect:</strong> Note <a href="https://me.sap.com/notes/3692004" target="_blank" rel="noreferrer noopener">3692004</a> fixes an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP that could be used to redirect users to malicious websites.</li>



<li><strong>Information Disclosure:</strong> Note <a href="https://me.sap.com/notes/3680767" target="_blank" rel="noreferrer noopener">3680767</a> addresses a flaw in SAP Human Capital Management (HCM) for S/4HANA that could leak sensitive information. A separate note, <a href="https://me.sap.com/notes/3730639" target="_blank" rel="noreferrer noopener">3730639</a>, patches an information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer related to mTLS for X.509 Certificates.</li>



<li><strong>Code Injection:</strong> Note <a href="https://me.sap.com/notes/3719397" target="_blank" rel="noreferrer noopener">3719397</a> fixes a code injection vulnerability in the Web Dynpro runtime of SAP NetWeaver Application Server Java, which could be exploited to compromise user sessions.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>What was the most critical SAP vulnerability for April 2026?</strong><br>The most critical vulnerability was a SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse, addressed by Hot News note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a>. It resulted from insufficient authorization checks for user uploads.</p>



<p class="wp-block-paragraph"><strong>How can the critical SQL injection vulnerability be mitigated without patching?</strong><br>As a temporary workaround, administrators can restrict user access to the authorization object <strong>S_GUI</strong> with activity 60 to prevent the vulnerable upload functionality from being used.</p>



<p class="wp-block-paragraph"><strong>Which SAP products were affected by high-risk authorization issues?</strong><br>SAP ERP and SAP S/4HANA were affected by a high-risk missing authorization check (Note <a href="https://me.sap.com/notes/3731908" target="_blank" rel="noreferrer noopener">3731908</a>) that could allow for the overwriting of ABAP reports. Multiple other lower-priority authorization issues were also patched in S/4HANA.</p>






]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Deploy the Cybersecurity Extension for SAP on SAP Build Work Zone</title>
		<link>https://www.layersevensecurity.com/now-on-sap-btp-access-the-cybersecurity-extension-for-sap-on-sap-build-work-zone/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 25 Mar 2026 18:36:40 +0000</pubDate>
				<category><![CDATA[SAP Cloud Security]]></category>
		<category><![CDATA[SAP Security Solutions]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9386</guid>

					<description><![CDATA[<p>Deploying the Cybersecurity Extension for SAP on SAP BTP involves a three-stage process that takes approximately 45 minutes. First, prepare the SAP BTP subaccount, ensuring the Cloud Connector, destinations, and entitlements are correctly configured. Next, use the Cloud Foundry CLI to deploy the provided .mtar file. Finally, configure SAP Build Work Zone by importing the [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/now-on-sap-btp-access-the-cybersecurity-extension-for-sap-on-sap-build-work-zone/">How to Deploy the Cybersecurity Extension for SAP on SAP Build Work Zone</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Deploying the Cybersecurity Extension for SAP on SAP BTP involves a three-stage process that takes approximately 45 minutes. First, prepare the SAP BTP subaccount, ensuring the Cloud Connector, destinations, and entitlements are correctly configured. Next, use the Cloud Foundry CLI to deploy the provided .mtar file. Finally, configure SAP Build Work Zone by importing the solution content and assigning user roles.</p>



<p class="wp-block-paragraph">Moving Fiori applications like the Cybersecurity Extension for SAP from the traditional embedded model to SAP BTP offers significant advantages. While the embedded model simplifies landscapes by keeping frontend and backend components together, it often restricts innovation due to the limitations of older backend systems like ECC. Deploying on SAP BTP decouples the frontend, enabling modern user experiences with Horizon themes, and aligns with SAP&#8217;s &#8220;clean core&#8221; strategy by externalizing customizations. This cloud-based approach also unlocks advanced capabilities from SAP AI Core and the Generative AI Hub, such as intelligent analysis and conversational interfaces. The complete process to deploy the extension on SAP BTP&#8217;s Build Work Zone is a 45-minute, three-part procedure covering landscape preparation, CLI-based installation, and final Work Zone configuration.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways</h3>



<ul class="wp-block-list">
<li>Deploy on SAP BTP to overcome the limitations of the traditional embedded model.</li>



<li>BTP enables modern user experiences, a &#8220;clean core&#8221; strategy, and AI integration.</li>



<li>The extension is deployed as a .mtar file using the Cloud Foundry CLI.</li>



<li>The process involves three stages: Prepare, Install, and Configure.</li>



<li>Total deployment and configuration time is approximately 45 minutes.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Why Deploy on SAP BTP Instead of the Embedded Model?</h3>



<p class="wp-block-paragraph">The Cybersecurity Extension for SAP provides an SAP Fiori user experience that is usually deployed using the embedded Fiori model, which combines backend and frontend components in the same system. This model reduces landscape complexity, removes external communication for service calls, and can improve response times and stability. Operationally, the embedded model typically means fewer systems to maintain, monitor, and secure, and it simplifies lifecycle management.</p>



<p class="wp-block-paragraph">However, the downside of the embedded model is that frontend applications are constrained by the limitations of backend systems. This can hold back innovation and the adoption of new capabilities in SAP Fiori applications. For example, the use of Horizon themes for a more unified user experience is only possible with higher versions of SAPUI5, which solutions like ECC cannot support with the embedded model.</p>



<p class="wp-block-paragraph">SAP BTP overcomes these limitations by providing a separate cloud-based platform for Fiori applications. This supports user experience improvements and aligns with SAP’s strategy for a clean core by moving customizations to cloud extensions, leading to more stable SAP environments that are easier to maintain and upgrade. Deploying Fiori applications to SAP BTP also enables organizations to benefit from services available in SAP AI Core and Generative AI Hub for AI-driven analysis, predictive capabilities, and intelligent workflows.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Embedded Model vs. SAP BTP Deployment for Fiori Apps</h3>



<p class="wp-block-paragraph">This table compares the traditional embedded approach with deploying on the SAP BTP cloud platform.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th class="has-text-align-left" data-align="left">Feature</th><th class="has-text-align-left" data-align="left">Embedded Model</th><th class="has-text-align-left" data-align="left">SAP BTP Deployment</th></tr><tr><td><strong>Architecture</strong></td><td>Frontend and backend on the same system.</td><td>Decoupled frontend on cloud, backend on-premise.</td></tr><tr><td><strong>User Experience</strong></td><td>Limited by backend system (e.g., no Horizon on ECC).</td><td>Supports modern themes like Horizon for a unified UX.</td></tr><tr><td><strong>Innovation</strong></td><td>Constrained by backend capabilities and release cycles.</td><td>Faster adoption of new Fiori capabilities.</td></tr><tr><td><strong>Core Strategy</strong></td><td>Leads to customizations within the core system.</td><td>Enables a &#8220;clean core&#8221; by moving extensions to the cloud.</td></tr><tr><td><strong>AI/ML Integration</strong></td><td>Difficult or impossible to integrate.</td><td>Enables use of SAP AI Core and Generative AI Hub.</td></tr><tr><td><strong>Landscape</strong></td><td>Simpler, with fewer systems to manage initially.</td><td>Aligns with modern, flexible cloud architecture.</td></tr></tbody></table></figure>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What are the prerequisites for the SAP BTP landscape?</h3>



<p class="wp-block-paragraph">Before installing the extension, you must prepare your SAP BTP landscape, a process that takes about 45 minutes. Start by creating or confirming the subaccount in the SAP BTP Cockpit. Once the subaccount is created, complete the mandatory configuration.</p>



<ul class="wp-block-list">
<li><strong>Verify Cloud Connector:</strong> Ensure the Cloud Connector is properly attached to the subaccount and its connection status is &#8220;established&#8221;.</li>



<li><strong>Confirm Destination:</strong> Confirm a destination named <code>backend</code> is present. Principal Propagation is the recommended authentication method for a trusted setup.</li>



<li><strong>Provision Cloud Foundry:</strong> Ensure your Cloud Foundry environment is provisioned. Create the instance and at least one space for deployments.</li>



<li><strong>Validate Entitlements:</strong> At the global account level, assign the SAP Build Work Zone entitlement to the target subaccount and confirm an active subscription.</li>



<li><strong>Assign Admin Roles:</strong> Assign the required admin role, such as the <code>Launchpad_Admin</code> role collection, to the operator who will configure the launchpad.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How do you install the extension using the Cloud Foundry CLI?</h3>



<p class="wp-block-paragraph">The Cybersecurity Extension for SAP is deployed as a .mtar archive via the Cloud Foundry command-line interface (CLI). First, install the SAP (Cloud Foundry) CLI on your workstation and add the HTML5 applications repository plugin.</p>



<p class="wp-block-paragraph">Next, move the provided .mtar file into a working folder and open a command line in that directory. Log in to your Cloud Foundry organization and space by running&nbsp;<code>cf login</code>&nbsp;and following the prompts. Once the session is established, deploy the archive using the command&nbsp;<code>cf deploy</code>.</p>



<p class="wp-block-paragraph">When the deployment completes, you can confirm the HTML5 apps were created by running&nbsp;<code>cf html5-list</code>. You can also verify the deployment visually by navigating to the HTML5 Applications area within your subaccount in the SAP BTP Cockpit.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How do you configure SAP Build Work Zone for the extension?</h3>



<p class="wp-block-paragraph">After installation, you must configure the SAP Build Work Zone site and user access. In your subaccount, open the SAP Build Work Zone subscription and launch the application. If no site exists, create one from the Work Zone entry point.</p>



<ul class="wp-block-list">
<li><strong>Update Content Channel:</strong> In the Channel Manager, update the default content channel (HTML5).</li>



<li><strong>Import Content:</strong> The fastest path is to use the Content Manager to import the provided L7S content .zip file. After the import, you should see a bundle of objects including apps, a group, a page, a space, a role, and a catalog.</li>



<li><strong>Assign User Access:</strong> In the subaccount, assign the <code>L7S</code> role collection to the intended business users. Then, in the Work Zone Site Directory, confirm the site’s role assignment includes this role. Enabling multifactor authentication (MFA) for users via SAP Cloud Identity Services is highly recommended.</li>
</ul>



<p class="wp-block-paragraph">Once configured, log on to the site with a user who has the L7S role. The Cybersecurity Extension for SAP tile will be available in the launchpad.</p>



<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/Cybersecurity-Extension-for-SAP-on-SAP-BTP-01-1.png" alt="" class="wp-image-9390"/></figure>



<p class="wp-block-paragraph">Clicking the tile launches the application&#8217;s home screen.</p>



<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/Cybersecurity-Extension-for-SAP-on-SAP-BTP-02-1.png" alt="" class="wp-image-9391"/></figure>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>What is the embedded Fiori deployment model?</strong><br>The embedded model is an architecture where SAP Fiori frontend components and the backend business logic reside on the same system. This approach simplifies the system landscape and reduces operational overhead but can limit the adoption of modern frontend technologies and innovations.</p>



<p class="wp-block-paragraph"><strong>How long does it take to deploy the Cybersecurity Extension to SAP BTP?</strong><br>The entire process, which includes preparing the BTP landscape, installing the extension via the CLI, and configuring the SAP Build Work Zone, typically takes around 45 minutes to complete for an experienced administrator.</p>



<p class="wp-block-paragraph"><strong>What is a &#8220;clean core&#8221; in the context of SAP?</strong><br>A &#8220;clean core&#8221; is an SAP strategy that advocates for keeping the core ERP system as standard and free of customizations as possible. Instead, custom developments and extensions are built on cloud platforms like SAP BTP, which makes the core system more stable and easier to upgrade.</p>



<p class="wp-block-paragraph"><strong>What command is used to deploy the Cybersecurity Extension?</strong><br>The extension is packaged as a .mtar file and is deployed to the SAP BTP Cloud Foundry environment using the&nbsp;<code>cf deploy</code>&nbsp;command from the SAP (Cloud Foundry) CLI.</p>



<p>The post <a href="https://www.layersevensecurity.com/now-on-sap-btp-access-the-cybersecurity-extension-for-sap-on-sap-build-work-zone/">How to Deploy the Cybersecurity Extension for SAP on SAP Build Work Zone</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Layer Seven Security Achieves CyberSecure Canada Certification</title>
		<link>https://www.layersevensecurity.com/layer-seven-security-achieves-cybersecure-certification/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Mon, 16 Mar 2026 19:05:52 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9378</guid>

					<description><![CDATA[<p>Layer Seven Security has successfully achieved certification under the CyberSecure Canada program, validating its strong cybersecurity posture and the application of recognized baseline security controls. This certification provides customers, especially those who rely on SAP systems, with independent assurance that Layer Seven Security operates within a structured and nationally recognized cybersecurity framework. This certification reinforces [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/layer-seven-security-achieves-cybersecure-certification/">Layer Seven Security Achieves CyberSecure Canada Certification</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/CyberSecure-Canada.jpg" alt="" class="wp-image-9379"/></figure>



<p class="wp-block-paragraph">Layer Seven Security has successfully achieved certification under the CyberSecure Canada program, validating its strong cybersecurity posture and the application of recognized baseline security controls. This certification provides customers, especially those who rely on SAP systems, with independent assurance that Layer Seven Security operates within a structured and nationally recognized cybersecurity framework.</p>



<p class="wp-block-paragraph">This certification reinforces Layer Seven Security&#8217;s commitment to maintaining robust internal security governance and operational safeguards. The CyberSecure Canada program was established by Innovation, Science and Economic Development (ISED) Canada and is based on controls developed by the Canadian Centre for Cyber Security. For organizations that depend on Layer Seven Security for SAP cybersecurity, this certification supports supply chain assurance and operational resilience, and simplifies vendor due diligence, third-party risk assessment, and procurement requirements. It provides customers with confidence in Layer Seven Security as a trusted, independently validated cybersecurity partner.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways</h3>



<ul class="wp-block-list">
<li>Layer Seven Security is now certified under the Government of Canada&#8217;s CyberSecure program.</li>



<li>The certification validates the company&#8217;s cybersecurity framework and controls.</li>



<li>It provides special assurance for customers using SAP business-critical systems.</li>



<li>Certification aids in vendor due diligence and third-party risk assessment.</li>



<li>It demonstrates a commitment to reducing cyber risk and enhancing resilience.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What is the CyberSecure Canada Certification?</h3>



<p class="wp-block-paragraph">The CyberSecure Canada certification is a national program established by <a href="https://ised-isde.canada.ca/site/ised/en" target="_blank" rel="noreferrer noopener">Innovation, Science and Economic Development (ISED) Canada</a> to improve information security across the country. The program is based on a set of baseline cybersecurity controls developed by the <a href="https://www.cyber.gc.ca/en" target="_blank" rel="noreferrer noopener">Canadian Centre for Cyber Security</a>, Canada&#8217;s authority on the subject. It is designed to provide organizations with a clear framework to protect against common cyber threats and demonstrate their commitment to security.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Does This Certification Mean for SAP Customers?</h3>



<p class="wp-block-paragraph">For customers that rely on SAP systems to support business-critical processes, the certification provides independent validation that Layer Seven Security operates within a structured cybersecurity framework. It demonstrates that the company maintains robust internal security governance and operational safeguards. This government-backed national certification provides tangible assurance for vendor due diligence, third-party risk assessment, and procurement requirements, giving SAP customers confidence in Layer Seven Security as a trusted partner.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Which Security Controls Does the Certification Cover?</h3>



<p class="wp-block-paragraph">The certification addresses key threat scenarios and organizational cyber risk through practical and measurable safeguards. The control areas are designed to establish a foundational security baseline to reduce the likelihood and impact of compromise, service disruption, and data loss. These controls include:</p>



<ul class="wp-block-list">
<li>Incident response and recovery</li>



<li>Automated patching</li>



<li>Endpoint protection</li>



<li>Secure configuration of devices and systems</li>



<li>Identity and access management</li>



<li>Multi-factor authentication</li>



<li>Employee cybersecurity awareness</li>



<li>Backup protection and encryption</li>



<li>Perimeter defence</li>



<li>Mobile device protection</li>



<li>Secure use of cloud and outsourced IT services</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>What is the CyberSecure Canada program?</strong><br>CyberSecure Canada is a national cybersecurity certification program from the Government of Canada designed to help organizations improve their security posture by implementing a baseline of defined controls.</p>



<p class="wp-block-paragraph"><strong>Why is this certification important for Layer Seven Security&#8217;s customers?</strong><br>It provides independent, government-backed validation of Layer Seven Security&#8217;s internal security framework, which is crucial for vendor due diligence, third-party risk assessment, and procurement, especially for clients relying on SAP systems.</p>



<p class="wp-block-paragraph"><strong>Who developed the security controls for the CyberSecure program?</strong><br>The cybersecurity controls are developed from guidance published by the Canadian Centre for Cyber Security, which is part of the Communications Security Establishment.</p>



<p>The post <a href="https://www.layersevensecurity.com/layer-seven-security-achieves-cybersecure-certification/">Layer Seven Security Achieves CyberSecure Canada Certification</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-march-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Tue, 10 Mar 2026 16:19:08 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9374</guid>

					<description><![CDATA[<p>SAP&#8217;s security notes for March 2026 address 14 vulnerabilities, including two critical &#8220;Hot News&#8221; items. The most severe patches fix a command injection vulnerability related to Apache Log4j and a remote code execution flaw in SAP NetWeaver Enterprise Portal. A high-risk Denial of Service (DoS) note for SAP Supply Chain Management was also released. This [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-march-2026/">SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">SAP&#8217;s security notes for March 2026 address 14 vulnerabilities, including two critical &#8220;Hot News&#8221; items. The most severe patches fix a command injection vulnerability related to Apache Log4j and a remote code execution flaw in SAP NetWeaver Enterprise Portal. A high-risk Denial of Service (DoS) note for SAP Supply Chain Management was also released.</p>



<p class="wp-block-paragraph">This advisory from Layer Seven Security summarizes the key patches released on March 10, 2026. The most critical vulnerabilities involve a Log4j issue in SAP Quotation Management Insurance, insecure deserialization in SAP NetWeaver, and a DoS risk in SAP SCM. These notes highlight the ongoing need for organizations to prioritize timely patching to secure their SAP landscapes from significant operational and security risks.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways for March 2026</h3>



<ul class="wp-block-list">
<li><strong>Critical Log4j Flaw:</strong> A command injection vulnerability in Apache Log4j bundled with SAP Quotation Management Insurance was patched under Hot News note <a href="https://me.sap.com/notes/3698553" target="_blank" rel="noreferrer noopener">3698553</a>.</li>



<li><strong>NetWeaver RCE:</strong> Hot News note <a href="https://me.sap.com/notes/3714585" target="_blank" rel="noreferrer noopener">3714585</a> addresses a critical insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal that could allow remote code execution.</li>



<li><strong>High-Risk DoS:</strong> Note <a href="https://me.sap.com/notes/3719502" target="_blank" rel="noreferrer noopener">3719502</a> patches a high-risk Denial of Service vulnerability in SAP Supply Chain Management.</li>



<li><strong>Total Patches:</strong> SAP released 14 security notes, including two Hot News, one high-priority, and 11 medium-priority issues.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Are the Critical Vulnerabilities for March 2026?</h3>



<p class="wp-block-paragraph">SAP released two &#8220;Hot News&#8221; notes, reserved for the most critical vulnerabilities requiring immediate attention.</p>



<p class="wp-block-paragraph">The first, note <a href="https://me.sap.com/notes/3698553" target="_blank" rel="noreferrer noopener">3698553</a>, patches a critical command injection vulnerability in Apache Log4j as bundled in SAP Quotation Management Insurance. The fix requires updating the package assembly for the FS-QUO-scheduler module to a secure version. As a temporary workaround, the log4j-1.2.17.jar file can be deleted from the {FS-QUO-scheduler}/lib directory.</p>



<p class="wp-block-paragraph">The second, note <a href="https://me.sap.com/notes/3714585" target="_blank" rel="noreferrer noopener">3714585</a>, addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. This flaw could lead to malicious remote code execution through the upload of user-supplied content. The patch, which is only available for NetWeaver AS Java 7.50, validates input before processing to secure the deserialization logic. For older, unmaintained versions, SAP refers to note <a href="https://me.sap.com/notes/3660659" target="_blank" rel="noreferrer noopener">3660659</a> for security hardening guidance. Access to roles like <strong>superadminrole</strong>, <strong>systemadminrole</strong>, and <strong>contentadminrole</strong> should also be restricted.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Was the High-Risk Vulnerability Patched?</h3>



<p class="wp-block-paragraph">Note <a href="https://me.sap.com/notes/3719502" target="_blank" rel="noreferrer noopener">3719502</a> was released to patch a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The patch applies input validation for calls to a specific vulnerable Remote Function Module (RFM) to prevent excessive resource consumption that could render the system unavailable. The <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/">Cybersecurity Extension for SAP</a> provides monitoring for calls to this vulnerable RFM.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Other Vulnerabilities Were Addressed?</h3>



<p class="wp-block-paragraph">The remaining 11 security notes address medium-priority issues across various SAP products. These include vulnerabilities in SAP NetWeaver AS ABAP, such as Server-Side Request Forgery (SSRF) and missing authorization checks, covered in notes <a href="https://me.sap.com/notes/3689080" target="_blank" rel="noreferrer noopener">3689080</a>, <a href="https://me.sap.com/notes/3704740" target="_blank" rel="noreferrer noopener">3704740</a>, and <a href="https://me.sap.com/notes/3703856" target="_blank" rel="noreferrer noopener">3703856</a>.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>Q: How many SAP security notes were released in March 2026?</strong><br>A: SAP released 14 new security notes in March 2026, including two critical &#8220;Hot News&#8221; notes, one high-priority note, and 11 medium-priority notes.</p>



<p class="wp-block-paragraph"><strong>Q: What was the most critical vulnerability patched in March 2026?</strong><br>A: The most critical vulnerability was a command injection flaw in Apache Log4j bundled with SAP Quotation Management Insurance, addressed by Hot News note <a href="https://me.sap.com/notes/3698553" target="_blank" rel="noreferrer noopener">3698553</a>. This vulnerability allows for remote code execution.</p>



<p class="wp-block-paragraph"><strong>Q: Is there a patch for the NetWeaver RCE vulnerability on older versions?</strong><br>A: No, the direct patch for the insecure deserialization vulnerability (note <a href="https://me.sap.com/notes/3714585" target="_blank" rel="noreferrer noopener">3714585</a>) is only available for NetWeaver AS Java 7.50. For earlier versions, customers must apply security hardening measures as detailed in SAP note <a href="https://me.sap.com/notes/3660659" target="_blank" rel="noreferrer noopener">3660659</a>.</p>



<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-march-2026/">SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>State-Sponsored Cyber Attacks on SAP: A Guide to Threats and Defenses</title>
		<link>https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 25 Feb 2026 01:43:53 +0000</pubDate>
				<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[SAP Vulnerabilities]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9368</guid>

					<description><![CDATA[<p>State-sponsored cyber attacks are a rapidly increasing threat to SAP solutions, driven by rising geopolitical tensions. Attackers target mission-critical SAP systems for espionage and sabotage, exploiting their wide attack surface and slow enterprise patching cycles. Defending these vital systems requires specialized vulnerability management, real-time threat detection, and a focused effort to harden specific SAP configurations [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/">State-Sponsored Cyber Attacks on SAP: A Guide to Threats and Defenses</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/2026/02/State-Sponsored-Cyber-Attacks-An-Increasing-Threat-to-SAP-Solutions.webp" alt="" class="wp-image-9369"/></figure>



<p class="wp-block-paragraph">State-sponsored cyber attacks are a rapidly increasing threat to SAP solutions, driven by rising geopolitical tensions. Attackers target mission-critical SAP systems for espionage and sabotage, exploiting their wide attack surface and slow enterprise patching cycles. Defending these vital systems requires specialized vulnerability management, real-time threat detection, and a focused effort to harden specific SAP configurations against sophisticated adversaries.</p>



<p class="wp-block-paragraph">Amid a tense global landscape, recent threat intelligence reports paint a stark picture of escalating state-sponsored cyber operations. According to the <a href="https://www.isms.online/the-state-of-information-security-report-2025/" target="_blank" rel="noreferrer noopener">2025 State of Information Security Report</a>, 88% of security leaders are concerned about this threat. Data from CrowdStrike&#8217;s <a href="https://go.crowdstrike.com/2025-global-threat-report.html" target="_blank" rel="noreferrer noopener">2025 Global Threat Report</a> shows a 150% increase in China-nexus threat activity, while their <a href="https://go.crowdstrike.com/2026-global-threat-report.html" target="_blank" rel="noreferrer noopener">2026 report</a> noted a 266% surge in state-nexus intrusions in cloud environments. Similarly, Microsoft&#8217;s <a href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/" target="_blank" rel="noreferrer noopener">2025 Digital Defense Report</a> identified a 25% year-over-year increase in Russian operations against NATO-aligned countries. This heightened activity makes SAP environments, which house an organization&#8217;s most valuable data and processes, a primary target for espionage and disruption. Effective defense hinges on moving beyond generic security and adopting SAP-specific tools and practices to manage vulnerabilities and monitor for threats continuously.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Key Takeaways</h3>



<ul class="wp-block-list">
<li>State-sponsored cyber attacks are increasing, with significant growth in activity attributed to China, Russia, and Iran.</li>



<li>SAP systems are prime targets for espionage and sabotage due to their critical role and the high-value data they process.</li>



<li>Threat actors exploit SAP vulnerabilities within 72 hours of disclosure, far outpacing typical enterprise patching cycles.</li>



<li>Attackers often abuse legitimate SAP functions like RFC communications, service accounts, and transport processes to remain undetected.</li>



<li>Effective defense requires SAP-specific tools for continuous vulnerability management and real-time threat detection.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Evidence Shows an Increase in State-Sponsored Cyber Attacks?</h3>



<p class="wp-block-paragraph">Multiple leading cybersecurity reports confirm a dramatic rise in state-sponsored threat activity. Concerns are widespread, with the&nbsp;<a href="https://www.isms.online/the-state-of-information-security-report-2025/" target="_blank" rel="noreferrer noopener">2025 State of Information Security Report</a>&nbsp;finding that 88% of cybersecurity leaders are worried about nation-state attacks.</p>



<p class="wp-block-paragraph">Recent intelligence provides specific figures:</p>



<ul class="wp-block-list">
<li><strong>China:</strong> CrowdStrike&#8217;s <a href="https://go.crowdstrike.com/2025-global-threat-report.html" target="_blank" rel="noreferrer noopener">2025 Global Threat Report</a> detailed a 150% increase in China-nexus threat activity across sectors, with seven new adversary groups identified.</li>



<li><strong>Russia:</strong> The <a href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/" target="_blank" rel="noreferrer noopener">2025 Digital Defense Report</a> from Microsoft reported a 25% year-over-year increase in Russian state-linked cyber operations targeting NATO-aligned countries, focusing on government, IT, and research sectors.</li>



<li><strong>Iran:</strong> Mandiant&#8217;s <a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025" target="_blank" rel="noreferrer noopener">2025 M-Trends Report</a> identified a 35% increase in malware attributed to Iran-nexus actors.</li>



<li><strong>Cloud Environments:</strong> The CrowdStrike <a href="https://go.crowdstrike.com/2026-global-threat-report.html" target="_blank" rel="noreferrer noopener">2026 Global Threat Report</a> found a 266% increase in intrusions by state-nexus actors in cloud environments.</li>
</ul>



<p class="wp-block-paragraph">A 2026 report from the Google&nbsp;<a href="https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base" target="_blank" rel="noreferrer noopener">Threat Intelligence Group</a>&nbsp;also highlighted that these actors are targeting not just IT infrastructure but also personally identifiable information to compromise key individuals.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Why Are SAP Environments a Primary Target for Nation-States?</h3>



<p class="wp-block-paragraph">SAP environments are disproportionately affected by nation-state cyber activity because they are the operational core of an organization. These systems support mission-critical processes, store vast amounts of high-value data, and provide privileged integration paths to other critical solutions. Compromising an SAP system allows state-sponsored actors to perform espionage by exfiltrating sensitive data or conduct sabotage by disrupting the availability of essential resources. Furthermore, a breached SAP system can serve as a pivot point to attack connected systems and compromise both internal and external supply chains.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Factors Amplify the Risk to SAP Solutions?</h3>



<p class="wp-block-paragraph">The risks to SAP solutions are amplified by a combination of their inherent complexity and common security management challenges. A primary factor is the wide attack surface, which includes APIs, cross-platform dependencies (database, OS), middleware, and integrations with identity providers.</p>



<p class="wp-block-paragraph">This risk is compounded by two critical issues:</p>



<ul class="wp-block-list">
<li><strong>Volume of Vulnerabilities:</strong> The constant discovery of new vulnerabilities in SAP solutions presents an ongoing challenge.</li>



<li><strong>Speed of Exploitation vs. Patching:</strong> Research from 2025 showed that threat actors exploit SAP vulnerabilities within 72 hours of public disclosure. In contrast, the average time for organizations to apply security patches is measured in weeks or months. This gap creates a significant window of opportunity for attackers. The 2026 CrowdStrike <a href="https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/" target="_blank" rel="noreferrer noopener">Global Threat Report</a> noted that 42% of vulnerabilities are exploited even before public disclosure.</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">What Attack Methods Do State-Sponsored Actors Use Against SAP?</h3>



<p class="wp-block-paragraph">Nation-state actors often prefer attack methods that blend in with legitimate administrative behavior, making them difficult to detect. In SAP landscapes, this involves the abuse of standard system functions and processes.</p>



<p class="wp-block-paragraph">Commonly abused access paths include:</p>



<ul class="wp-block-list">
<li>Trusted communications (RFC)</li>



<li>Change management and system administration</li>



<li>Batch/background jobs</li>



<li>Transport processes</li>



<li>Service accounts</li>



<li>Remote support channels</li>
</ul>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How Can Organizations Harden SAP Systems Against These Threats?</h3>



<p class="wp-block-paragraph">To counter these tactics, it is critical to identify and address specific technical vulnerabilities within the SAP landscape. Hardening efforts should focus on restricting the functions that attackers commonly abuse. The following table outlines key attack vectors and corresponding hardening recommendations.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th class="has-text-align-left" data-align="left">Attack Vector</th><th class="has-text-align-left" data-align="left">Hardening Recommendation</th></tr><tr><td>Trusted Communications</td><td>Govern RFC destinations and enforce encryption for all RFC and web communications.</td></tr><tr><td>External Program Starts</td><td>Restrict gateway registrations and tighten access controls for external program execution.</td></tr><tr><td>Web Services</td><td>Reduce the exposure of ICF services to the absolute minimum required.</td></tr><tr><td>System Relationships</td><td>Eliminate unnecessary trusted system relationships between SAP systems.</td></tr><tr><td>Administrative Access</td><td>Minimize excessive administrative privileges, including broad RFC authorizations.</td></tr></tbody></table></figure>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How Can Organizations Detect Malicious Activity in SAP?</h3>



<p class="wp-block-paragraph">Effective detection requires integrating SAP telemetry with security data from other sources, such as firewalls and identity systems. This correlation helps security teams distinguish between normal SAP events and malicious actions. Anomaly-based monitoring is also highly recommended to detect unusual system and user events that could indicate a compromise.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">How Does the Cybersecurity Extension for SAP (CES) Help?</h3>



<p class="wp-block-paragraph">The&nbsp;<a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a>&nbsp;(CES) is a specialized solution that enables organizations to detect and respond to state-sponsored threats in real time. It combines continuous vulnerability management with advanced threat detection tailored for SAP landscapes (on-premise, cloud, and hybrid). CES provides security teams with deeper context than generic tools by monitoring a broad set of SAP-specific telemetry, including application and infrastructure logs.</p>



<p class="wp-block-paragraph">A key advantage of CES is its ability to reduce the attack surface. It performs scheduled scans for thousands of SAP vulnerabilities and misconfigurations, detects users with excessive privileges, and provides actionable remediation guidance. CES also identifies missing patches for vulnerabilities listed in the CISA <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?f%5B0%5D=vendor_project%3A835" target="_blank" rel="noreferrer noopener">KEV</a> catalog.</p>



<p class="wp-block-paragraph">For threat detection, CES uses both pattern matching and anomaly detection to identify indicators of compromise. Alerts are integrated with enterprise SIEM platforms, enabling SOC teams to correlate SAP activity with events across the entire network for a unified defense.</p>



<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>



<h3 class="wp-block-heading">Frequently Asked Questions (FAQ)</h3>



<p class="wp-block-paragraph"><strong>Q: How quickly are SAP vulnerabilities being exploited?</strong><br>A: Research from 2025 indicates that threat actors are exploiting newly disclosed SAP security vulnerabilities within 72 hours. This rapid exploitation far outpaces typical enterprise patching timelines, which are often measured in weeks or months, creating a significant window of risk.</p>



<p class="wp-block-paragraph"><strong>Q: What kind of data are state-sponsored actors targeting?</strong><br>A: State-sponsored actors target mission-critical business data for espionage and sabotage. Additionally, a 2026 Google Threat Intelligence Group report highlighted that they also target personally identifiable information (PII), which can be used to compromise specific individuals within an organization.</p>



<p class="wp-block-paragraph"><strong>Q: Why are generic security tools not enough for SAP?</strong><br>A: Generic security tools typically focus on network and host-level activity and lack deep context into SAP&#8217;s specific architecture. SAP-specific solutions like the <a href="/cybersecurity-extension-for-sap/">Cybersecurity Extension for SAP</a> monitor a broader set of telemetry, including application logs, to identify vulnerabilities, misconfigurations, and indicators of compromise that are unique to the SAP environment.</p>



<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "How quickly are SAP vulnerabilities being exploited?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Research from 2025 indicates that threat actors can exploit newly disclosed SAP security vulnerabilities within 72 hours. This is much faster than typical enterprise patching timelines, which are often measured in weeks or months, creating a significant window of risk."
      }
    },
    {
      "@type": "Question",
      "name": "What kind of data are state-sponsored actors targeting?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "State-sponsored actors target mission-critical business data for espionage and sabotage. Reports also show they target personally identifiable information (PII), which can be used to compromise individuals within organizations."
      }
    },
    {
      "@type": "Question",
      "name": "Why are generic security tools not enough for SAP?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Generic security tools focus mainly on network and host-level activity and lack deep visibility into SAP systems. SAP-specific solutions monitor application-level telemetry, including logs, to detect vulnerabilities, misconfigurations, and threats unique to SAP environments."
      }
    }
  ]
}
</script>
<p>The post <a href="https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/">State-Sponsored Cyber Attacks on SAP: A Guide to Threats and Defenses</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
