<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog - Layer Seven Security</title>
	<atom:link href="http://www.layersevensecurity.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.layersevensecurity.com/blog/</link>
	<description></description>
	<lastBuildDate>Wed, 29 Apr 2026 20:47:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.layersevensecurity.com/wp-content/uploads/2026/02/favicon-1.png</url>
	<title>Blog - Layer Seven Security</title>
	<link>https://www.layersevensecurity.com/blog/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>From SAP Logs to Security Intelligence: Integrating SAP with Splunk</title>
		<link>https://www.layersevensecurity.com/from-sap-logs-to-security-intelligence-integrating-sap-with-splunk/</link>
		
		<dc:creator><![CDATA[Layer Seven Security]]></dc:creator>
		<pubDate>Wed, 29 Apr 2026 20:14:48 +0000</pubDate>
				<category><![CDATA[SAP-SIEM Integration]]></category>
		<guid isPermaLink="false">https://www.layersevensecurity.com/?p=17361</guid>

					<description><![CDATA[<p>Splunk is one of the world’s most widely used platforms for collecting, indexing, and analyzing data from across enterprise environments, including servers, applications, cloud services, and network devices. It is commonly used by security operations teams as a Security Information and Event Management (SIEM) platform to centralize log data, correlate events, detect threats, investigate incidents, [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/from-sap-logs-to-security-intelligence-integrating-sap-with-splunk/">From SAP Logs to Security Intelligence: Integrating SAP with Splunk</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Splunk is one of the world’s most widely used platforms for collecting, indexing, and analyzing data from across enterprise environments, including servers, applications, cloud services, and network devices. It is commonly used by security operations teams as a Security Information and Event Management (SIEM) platform to centralize log data, correlate events, detect threats, investigate incidents, and accelerate response.</p>



<p>For organizations that rely on both SAP and Splunk, integrating SAP security logs with Splunk is an important step toward achieving unified enterprise threat detection for Security Operations Centers (SOC). However, direct integration is challenging due to the complexity of multiple SAP log sources, inconsistent log formats, high raw data volumes, ongoing maintenance demands, increased storage and licensing costs, and limited native enrichment for effective cross-platform threat correlation. As a result of the challenges detailed below, SOC teams often struggle to successfully connect SAP endpoints with Splunk.</p>



<p><strong>Complexity of SAP log sources</strong></p>



<p>SAP systems generate security-relevant events across multiple logs, including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and Read Access Log, as well as logs for HANA, BTP, Java, and other solutions. This makes direct integration with Splunk complex, especially across large SAP landscapes.</p>



<p><strong>Lack of standardized log formats</strong></p>



<p>SAP logs differ in format, structure, and storage method. Some logs are file-based, while others are stored in SAP tables. This creates challenges for consistent parsing, normalization, and ingestion into Splunk.</p>



<p><strong>High log volume</strong></p>



<p>Large SAP environments can generate very high volumes of raw log data. Transmitting this data to Splunk can increase network bandwidth usage, storage requirements, and SIEM licensing costs.</p>



<p><strong>Integration maintenance burden</strong></p>



<p>Organizations must maintain multiple integration points between SAP systems and Splunk. This includes managing connectivity, log collection, parsing rules, data retention, and archiving.</p>



<p><strong>Limited enrichment in native SAP logs</strong></p>



<p>Many SAP logs do not include the context needed for effective correlation in Splunk, such as source IP addresses, destination IP addresses, user context, system context, or business process details.</p>



<p><strong>Difficult cross-platform correlation</strong></p>



<p>SOC teams may struggle to correlate SAP activity with non-SAP telemetry from endpoints, networks, cloud platforms, identity systems, and other enterprise security tools.</p>



<p><strong>Scalability challenges in large SAP landscapes</strong></p>



<p>The complexity increases significantly when organizations need to integrate logs from multiple SAP systems, environments, applications, and instances.</p>



<p><strong>Cost control</strong></p>



<p>Sending large volumes of raw SAP log data into Splunk can increase infrastructure, storage, and licensing costs.</p>



<p><strong>Operational noise</strong></p>



<p>Raw SAP logs can contain large amounts of low-priority or repetitive events. Without filtering, normalization, and enrichment, SOC teams may face alert fatigue and reduced detection efficiency.</p>



<p><strong>Reduced investigation efficiency</strong></p>



<p>When SAP logs are incomplete, inconsistent, or difficult to correlate, analysts may need to manually investigate events across multiple SAP tools and Splunk searches, slowing incident response.</p>



<p>A further challenge is the lack of predefined rules in Splunk to detect SAP-specific threats. Splunk may centralize SAP logs, but it does not provide the intelligence required to interpret SAP events in the logs to identify threats. As a result, SOC teams often develop and maintain their own SAP-specific detection rules, despite lacking the specialized SAP security expertise required to do so effectively. This can lead to security blind spots and reduce the ability to successfully detect SAP threats.</p>



<p>These challenges can be addressed by integrating SAP logs with Splunk using the <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a> (CES). CES provides more than 1,200 out-of-the-box patterns for identifying threats in SAP solutions, enabling SOC teams to monitor SAP logs immediately without investing extensive time and effort in building and maintaining custom detection rules. It delivers the SAP-specific intelligence needed to interpret log activity in Splunk, while monthly updates keep detection content aligned with new threats and vulnerabilities affecting SAP solutions. CES generates and forwards alerts to Splunk in real time, and filters, normalizes, and enriches data before it reaches Splunk. This provides a simpler, faster, and more effective approach for integrating SAP security events with Splunk.</p>



<p>Data can be streamed from CES to Splunk using either the Universal Forwarder or Heavy Forwarder for Splunk. Both are software log collection agents. The Universal Forwarder is the more lightweight of the two and consumes fewer system resources. The Heavy Forwarder can parse, transform, and even index data locally, but these functions are not required by CES and the agent requires more resources than the Universal Forwarder. As an alternative to the Forwarders, data can be forwarded from CES to Splunk via Syslog (rsyslog). This method may be required if it is not possible to install the Universal Forwarder on the target SAP server.</p>



<p>Once the agent is installed and configured on the CES host, it will stream data from CES to Splunk. The next step is to create an index in Splunk for CES. An index is a logical storage location where Splunk stores incoming data after it has been ingested and processed. When Splunk receives log or event data, it breaks the data into searchable events and stores them in the target index. Users can query the index to find, analyze, correlate, and report on data.</p>



<p>The final step is to install the Splunk app for the Cybersecurity Extension for SAP. Splunk apps are add-ons that include predefined data models, configurations, dashboards, and reports for specific use cases. They help to accelerate deployment, reduce operational effort, and improve adoption. The Splunk app for CES is installed as a .tgz package using either the Splunk Web Interface or Command Line Interface (CLI). Once installed, you can access the app from the Splunk App menu.</p>



<p>The app parses the data from the CES index and provides preconfigured dashboards to analyze and manage results. The results are structured into three domains: Alerts, Vulnerabilities, and Security Notes. Each domain can be analyzed separately. Alerts are based on pattern matches for threat detection rules applied by CES. Rules can be tuned using exclusion rules in CES to reduce noise and false positives. They can be analyzed and filtered based on date, time, system, environment, priority, and other criteria. Vulnerabilities are system and user-related security weaknesses in SAP solutions detected by CES based on daily automated security scans using a library of 3000+ SAP-related checks. Security notes are relevant, unapplied security patches calculated by CES. The app tracks the implementation status of security notes across SAP systems.</p>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="776" src="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-1024x776.png" alt="" class="wp-image-17362" srcset="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-1024x776.png 1024w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-300x227.png 300w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-150x114.png 150w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01-768x582.png 768w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-01.png 1249w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>The app enables users to drill down from summary tiles and dashboards into detailed results for alert triage. These detailed results provide the context needed to answer the five Ws of security alerts:</p>



<p><strong>Who</strong><br>Identifies the user, service account, role, host, IP address, or system involved.</p>



<p><strong>What</strong><br>Describes the activity that occurred, such as a failed login, privilege change, suspicious command, vulnerable function call, data access, configuration change, or policy violation.</p>



<p><strong>When</strong><br>Shows when the event occurred, including the date, time, timezone, frequency, and whether the activity took place inside or outside normal operating hours.</p>



<p><strong>Where</strong><br>Identifies where the event occurred, such as the SAP system, client, application server, database, endpoint, cloud service, network segment, source location, or destination system.</p>



<p><strong>Why</strong><br>Explains the risk, business impact, and recommended investigation steps.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="831" src="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-1024x831.png" alt="" class="wp-image-17363" srcset="https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-1024x831.png 1024w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-300x244.png 300w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-150x122.png 150w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02-768x623.png 768w, https://www.layersevensecurity.com/wp-content/uploads/Splunk-App-for-SAP-02.png 1227w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>Status changes for alerts, vulnerabilities, and security notes are synchronized between CES and Splunk, ensuring that Splunk results remain current and reflect updates made by administrators in CES. Results are refreshed at regular intervals to further strengthen synchronization between the two solutions. The refresh rate can be adjusted to meet each organization’s specific requirements.</p>



<p>Integrating SAP logs with Splunk is more than a technical exercise. It is an opportunity to extend enterprise security monitoring to the systems that support an organization’s most critical business processes. By using CES to detect, filter, normalize, enrich, and forward SAP security events to Splunk, organizations can reduce integration complexity, lower operational overhead, and provide SOC teams with the SAP-specific intelligence needed to detect and respond to threats more effectively. The result is a faster, more scalable, and more actionable approach to SAP threat monitoring in Splunk.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes, April 2026</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-april-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Tue, 14 Apr 2026 17:10:18 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9398</guid>

					<description><![CDATA[<p>Hot news note 3719353 patches a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability arises from insufficient authorization checks for user uploads in a specific ABAP program. The fix included in the note deactivates executable code within the ABAP program, preventing any execution pathway. With the code [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-april-2026/">SAP Security Notes, April 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Hot news note <a href="https://me.sap.com/notes/3719353" target="_blank" rel="noreferrer noopener">3719353</a> patches a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability arises from insufficient authorization checks for user uploads in a specific ABAP program. The fix included in the note deactivates executable code within the ABAP program, preventing any execution pathway. With the code disabled, the program cannot be invoked or executed by users. Access to authorization object S_GUI with activity 60 can be restricted as a workaround.</p>



<p>Note <a href="https://me.sap.com/notes/3731908" target="_blank" rel="noreferrer noopener">3731908</a> addresses a high-risk missing authorization check in SAP ERP and S/4HANA. The vulnerability can be exploited to overwrite ABAP reports and impact the availability of the reports. Access to the vulnerable programs RGJVCORG and RGJVCORX can be restricted using authorization groups as a workaround.</p>



<p>Missing authorization checks in S/4HANA are also addressed by several lower priority security notes released in April including <a href="https://me.sap.com/notes/3703813" target="_blank" rel="noreferrer noopener">3703813</a>, <a href="https://me.sap.com/notes/3715177" target="_blank" rel="noreferrer noopener">3715177</a>, <a href="https://me.sap.com/notes/3715097" target="_blank" rel="noreferrer noopener">3715097</a>, <a href="https://me.sap.com/notes/3711682" target="_blank" rel="noreferrer noopener">3711682</a>, <a href="https://me.sap.com/notes/3530544" target="_blank" rel="noreferrer noopener">3530544</a> and <a href="https://me.sap.com/notes/3716767" target="_blank" rel="noreferrer noopener">3716767</a>.</p>



<p>Note <a href="https://me.sap.com/notes/3692004" target="_blank" rel="noreferrer noopener">3692004</a> provides a fix for an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP. The vulnerability can be exploited by attackers to redirect users to web pages through malicious URLs.</p>



<p>Note <a href="https://me.sap.com/notes/3680767" target="_blank" rel="noreferrer noopener">3680767</a> addresses an information disclosure vulnerability in SAP Human Capital Management (HCM) for SAP S/4HANA that could lead to the leakage of sensitive information.</p>



<p>Note <a href="https://me.sap.com/notes/3730639" target="_blank" rel="noreferrer noopener">3730639</a> patches an information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer that could lead to the compromise of the mutual SSL/TLS (mTLS) for X.509 Certificates.</p>



<p>Note <a href="https://me.sap.com/notes/3719397" target="_blank" rel="noreferrer noopener">3719397</a> fixes a code injection vulnerability impacting the Web Dynpro runtime in SAP NetWeaver Application Server Java. The vulnerability can be exploited to compromise user sessions and execute arbitrary client-side code.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Now on SAP BTP: Access the Cybersecurity Extension for SAP on SAP Build Work Zone</title>
		<link>https://www.layersevensecurity.com/now-on-sap-btp-access-the-cybersecurity-extension-for-sap-on-sap-build-work-zone/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 25 Mar 2026 18:36:40 +0000</pubDate>
				<category><![CDATA[SAP Cloud Security]]></category>
		<category><![CDATA[SAP Security Solutions]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9386</guid>

					<description><![CDATA[<p>The Cybersecurity Extension for SAP provides an SAP Fiori user experience that is usually deployed using the embedded Fiori model. The embedded model combines backend and frontend components in the same system. The model reduces landscape complexity, removes external communication for service calls, and can improve response times and stability. From an operations perspective, the [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/now-on-sap-btp-access-the-cybersecurity-extension-for-sap-on-sap-build-work-zone/">Now on SAP BTP: Access the Cybersecurity Extension for SAP on SAP Build Work Zone</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Cybersecurity Extension for SAP provides an SAP Fiori user experience that is usually deployed using the embedded Fiori model. The embedded model combines backend and frontend components in the same system. The model reduces landscape complexity, removes external communication for service calls, and can improve response times and stability. From an operations perspective, the embedded model usually means fewer systems to maintain, monitor, and secure. It also simplifies lifecycle management, because Fiori components are deployed together with the backend environment in the same system instead of being maintained on a separate hub.</p>



<p>The downside of the embedded model is that frontend applications are constrained by the limitations of backend systems. This can hold back innovation and the adoption of new capabilities in SAP Fiori applications. For example, the use of Horizon themes in SAP Fiori for a more consistent, unified user experience aligned with SAP cloud services is only possible with higher versions of SAPUI5. Solutions such as ECC cannot support Horizon themes with the embedded model.</p>



<p>SAP BTP overcomes the limitations of the embedded model by providing a separate cloud-based platform for Fiori applications that is not constrained by backend SAP systems. This not only supports improvements for the user experience, it also aligns with SAP’s strategy for a clean core by moving customizations from SAP systems to cloud extensions. A clean core leads to more stable SAP environments that are easier to maintain and upgrade.</p>



<p>Deploying Fiori applications to SAP BTP also enables organizations to benefit from services available in SAP AI Core and Generative AI Hub for AI-driven analysis, predictive capabilities, and workflows. This includes capabilities such as intelligent summaries, faster identification of unusual activity, personalized recommendations, and more intuitive, conversational user experiences.</p>



<p>In addition to the ability to deploy directly to SAP systems using the embedded approach, the Cybersecurity Extension for SAP can now also be deployed to SAP Build Work Zone running in the SAP BTP Cloud Foundry environment. The steps are summarized below and typically take around 45 minutes to perform.</p>



<p><strong>Preparation</strong></p>



<p>Prepare your SAP BTP landscape. Start by creating or confirming the subaccount in SAP BTP Cockpit. In the global account, choose Create, provide an account name, select the appropriate region, and finalize creation. Once the subaccount is created, complete the mandatory configuration. First, verify the Cloud Connector connection is properly attached to the subaccount and the connection status shows as established. Next, confirm a destination named backend is present. Principal Propagation is recommended as the authentication method for a trusted setup between ABAP systems and SAP BTP. Then, ensure your Cloud Foundry environment is provisioned. Create the Cloud Foundry instance (if needed) and create at least one space for deployments. Finally, validate entitlements and subscriptions for SAP Build Work Zone. At the global account level, assign the Work Zone entitlement to the target subaccount, then create (or confirm) an active subscription. As a last prep step, assign the required admin role to the operator who will configure the launchpad, for example the Launchpad_Admin role collection.</p>



<p><strong>Installation</strong></p>



<p>The Cybersecurity Extension for SAP is delivered as an .mtar archive and is deployed via Cloud Foundry, so your workstation needs the right tools. Install the SAP (Cloud Foundry) CLI, then add the HTML5 applications repository plugin.</p>



<p>Deploy the package to the subaccount. Move the provided .mtar file into a working folder and open a command line in that directory. Log in to the correct Cloud Foundry org/space using cf login, following the prompts for credentials and selecting the target space. With the session established, deploy the archive using cf deploy. When deployment completes, confirm the HTML5 apps were created by running cf html5-list. For a second confirmation path, open SAP BTP Cockpit, navigate into the subaccount, and check the HTML5 Applications area to see the deployed artifacts reflected in the UI.</p>



<p><strong>Configuration</strong></p>



<p>In the subaccount, open the SAP Build Work Zone subscription and launch the application. If no site exists yet, create one from the Work Zone entry point. Then update the default content channel (HTML5) in Channel Manager. Next, bring in the solution content. The fastest path is importing the provided L7S content .zip via Content Manager. After the import, you should see the required bundle of objects (apps, plus a group, page, space, role, and catalog).</p>



<p>Assign access for required users. Back in the subaccount, assign the L7S role collection to the intended business users. Then, in the Work Zone Site Directory, confirm the site’s role assignment includes the expected role. Open the site and log on with a user who has the L7S role. Enabling multifactor authentication (MFA) for BTP users is recommended. This can be performed using SAP Cloud Identity Services. The Cybersecurity Extension for SAP will be available in the launchpad once you log on. See below.</p>



<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/Cybersecurity-Extension-for-SAP-on-SAP-BTP-01-1.png" alt="" class="wp-image-9390"/></figure>



<p>Click on the tile for the Cybersecurity Extension for SAP to launch the application and access the home screen below.</p>



<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/Cybersecurity-Extension-for-SAP-on-SAP-BTP-02-1.png" alt="" class="wp-image-9391"/></figure>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Layer Seven Security Achieves CyberSecure Certification</title>
		<link>https://www.layersevensecurity.com/layer-seven-security-achieves-cybersecure-certification/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Mon, 16 Mar 2026 19:05:52 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9378</guid>

					<description><![CDATA[<p>Layer Seven Security has successfully achieved certification under the CyberSecure Canada program, reinforcing the company’s commitment to maintaining a strong cybersecurity posture and applying recognized baseline security controls across its operations. For customers that rely on SAP systems to support business-critical processes, the certification provides independent validation that Layer Seven Security operates within a structured [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/layer-seven-security-achieves-cybersecure-certification/">Layer Seven Security Achieves CyberSecure Certification</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/CyberSecure-Canada.jpg" alt="" class="wp-image-9379"/></figure>



<p>Layer Seven Security has successfully achieved certification under the <a href="https://ised-isde.canada.ca/site/cybersecure-canada/en" target="_blank" rel="noreferrer noopener">CyberSecure Canada</a> program, reinforcing the company’s commitment to maintaining a strong cybersecurity posture and applying recognized baseline security controls across its operations. For customers that rely on SAP systems to support business-critical processes, the certification provides independent validation that Layer Seven Security operates within a structured cybersecurity framework aligned with a recognized assurance program.</p>



<p>CyberSecure was established by <a href="https://ised-isde.canada.ca/site/ised/en" target="_blank" rel="noreferrer noopener">Innovation, Science and Economic Development (ISED)</a> Canada as a national cybersecurity certification program intended to improve information security through the implementation of defined baseline controls. The program is based on cybersecurity controls developed from guidance published by the <a href="https://www.cyber.gc.ca/en" target="_blank" rel="noreferrer noopener">Canadian Centre for Cyber Security</a>.</p>



<p>The controls are designed to address threat scenarios and organizational cyber risk through practical and measurable safeguards. The control areas include incident response and recovery, automated patching, endpoint protection, secure configuration of devices and systems, identity and access management, multi-factor authentication, employee cybersecurity awareness, backup protection, encryption, perimeter defence, mobile device protection, and the secure use of cloud services and outsourced information technology services. The controls establish a foundational security baseline intended to reduce the likelihood and impact of compromise, service disruption, data loss, and unauthorized access.</p>



<p>For SAP customers, the certification demonstrates that Layer Seven Security maintains robust internal security governance and operational safeguards. Certification under a government-backed national program provides assurance for vendor due diligence, third-party risk assessment, and procurement requirements.</p>



<p>For organizations that rely on Layer Seven Security to support SAP cybersecurity monitoring, compliance automation, and threat detection, the certification supports supply chain assurance and operational resilience. Certification provides customers with confidence in Layer Seven Security as a trusted cybersecurity partner operating within an independently validated control framework.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes, March 2026</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-march-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Tue, 10 Mar 2026 16:19:08 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9374</guid>

					<description><![CDATA[<p>Hot news note 3698553 patches a critical command injection vulnerability in Apache Log4j bundled in SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar can be deleted from the {FS-QUO-scheduler}/lib directory. Hot news note 3714585 [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-march-2026/">SAP Security Notes, March 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Hot news note <a href="https://me.sap.com/notes/3698553" target="_blank" rel="noreferrer noopener">3698553</a> patches a critical command injection vulnerability in Apache Log4j bundled in SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar can be deleted from the {FS-QUO-scheduler}/lib directory.</p>



<p>Hot news note <a href="https://me.sap.com/notes/3714585" target="_blank" rel="noreferrer noopener">3714585</a> addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. The vulnerability can lead to malicious remote code execution through the upload of user-supplied content. The fix in the note validates input before processing to secure deserialization logic. The fix is only available for NetWeaver AS Java 7.50. For earlier versions that are no longer maintained by SAP, please refer to note <a href="https://me.sap.com/notes/3660659" target="_blank" rel="noreferrer noopener">3660659</a> &#8211; Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java. You can also restrict access to privileges that provide access to the vulnerable endpoint. This includes the UME group Administrators, UME role Administrator, and Portal roles super_admin_role, system_admin_role, and content_admin_role.</p>



<p>Note <a href="https://me.sap.com/notes/3719502" target="_blank" rel="noreferrer noopener">3719502</a> patches a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The note applies input validation for calls to a specific vulnerable RFM to prevent excessive resource consumption. Calls to the vulnerable RFM are monitored by the <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" type="link" id="https://layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a>.</p>



<p>The remaining 11 released security notes address medium-priority issues in various SAP products. These include SSRF and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP (notes <a href="https://me.sap.com/notes/3689080" target="_blank" rel="noreferrer noopener">3689080</a>, <a href="https://me.sap.com/notes/3704740" target="_blank" rel="noreferrer noopener">3704740</a>, and <a href="https://me.sap.com/notes/3703856" target="_blank" rel="noreferrer noopener">3703856</a>).</p>



<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-march-2026/">SAP Security Notes, March 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>State-Sponsored Cyber Attacks: An Increasing Threat to SAP Solutions</title>
		<link>https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 25 Feb 2026 01:43:53 +0000</pubDate>
				<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[SAP Vulnerabilities]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9368</guid>

					<description><![CDATA[<p>State-sponsored cyber attacks are an increasing threat to organizations amid rising geopolitical tensions. According to the 2025 State of Information Security Report, 88% of cybersecurity and information security leaders express concern over state-sponsored cyber attacks. The concerns are driven by recent dramatic increases in the volume of threat activity attributed to state-sponsored threat actors. [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/">State-Sponsored Cyber Attacks: An Increasing Threat to SAP Solutions</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img decoding="async" src="https://www.layersevensecurity.com/wp-content/uploads/2026/02/State-Sponsored-Cyber-Attacks-An-Increasing-Threat-to-SAP-Solutions.webp" alt="" class="wp-image-9369"/></figure>



<p>State-sponsored cyber attacks are an increasing threat to organizations amid rising geopolitical tensions. According to the <a href="https://www.isms.online/the-state-of-information-security-report-2025/" target="_blank" rel="noreferrer noopener">2025 State of Information Security Report</a>, 88% of cybersecurity and information security leaders express concern over state-sponsored cyber attacks. The concerns are driven by recent dramatic increases in the volume of threat activity attributed to state-sponsored threat actors.</p>



<p>According to the CrowdStrike <a href="https://go.crowdstrike.com/2025-global-threat-report.html" target="_blank" rel="noreferrer noopener">2025 Global Threat Report</a>, China-nexus threat activity increased by 150% across sectors, with 200–300% increases in key industries including financial services, media, manufacturing, and engineering. CrowdStrike also identified seven new China-nexus adversaries, indicating broader and more specialized operations. The <a href="https://go.crowdstrike.com/2026-global-threat-report.html" target="_blank" rel="noreferrer noopener">2026 Global Threat Report</a> reported a 266% increase in intrusions by state-nexus threat actors in cloud environments.</p>



<p>The <a href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/" target="_blank" rel="noreferrer noopener">2025 Digital Defense Report</a> from Microsoft identified a significant escalation in Russian state-linked cyber operations directed at NATO-aligned countries, reporting a 25% year-over-year increase in activity. The report indicates that Russian threat actors are prioritizing sectors with high intelligence and geopolitical value, including government, research and academia, and IT, reflecting a sustained effort to collect intelligence, shape decision-making, and support hybrid warfare objectives.</p>



<p>The <a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025" target="_blank" rel="noreferrer noopener">2025 M-Trends Report</a> from Mandiant identified a 35% increase in malware attributed to Iran-nexus threat actors and 45 new malware strains attributed primarily to state-sponsored actors.</p>



<p>A 2026 report by the Google <a href="https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base" target="_blank" rel="noreferrer noopener">Threat Intelligence Group</a> highlighted that nation-state actors are not just targeting IT infrastructure within critical sectors, but often personally identifiable information that can provide a pathway to targeting individuals.</p>



<p>The increase in nation-state cyber activity disproportionately impacts SAP environments that support mission-critical processes, store and process high-value data, and offer privileged integration paths to other critical solutions. Compromising SAP systems can enable state-sponsored threat actors to perform espionage by accessing and exfiltrating sensitive data, and sabotage by interrupting the availability of critical resources. Breaches can also be used to pivot to connected systems and compromise internal and external supply chains.</p>



<p>The risks are amplified by the wide attack surface of many SAP solutions. This includes Application Programming Interfaces (APIs) that extend beyond internal network boundaries, cross-platform dependencies including database and OS platforms and middleware such as connectors, integration with federated identity providers, and internal trust relationships.</p>



<p>The risks are also increased by the volume of vulnerabilities in SAP solutions and challenges in patching SAP environments to address the root causes of vulnerabilities. According to the 2026 CrowdStrike <a href="https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/" target="_blank" rel="noreferrer noopener">Global Threat Report,</a> 42% of vulnerabilities are exploited before public disclosure. Research released in 2025 indicated that threat actors are exploiting SAP security vulnerabilities within 72 hours of disclosure. The average time to apply security notes to patch SAP vulnerabilities in organizations is typically measured in weeks and months, rather than hours and days.</p>



<p>Nation-state actors often prefer access paths that blend into legitimate administrative behavior. In SAP landscapes, this can mean abuse of:</p>



<ul class="wp-block-list">
<li>Trusted communications</li>



<li>Change management and system administration</li>



<li>Batch/background jobs</li>



<li>Transport processes</li>



<li>Service accounts</li>



<li>Remote support channels</li>
</ul>



<p>Therefore, it is critical to identify and address:</p>



<ul class="wp-block-list">
<li>Weakly governed RFC destinations, including over-privileged service users</li>



<li>Insecure, unencrypted RFC and web-based communications</li>



<li>Poorly restricted gateway registrations and access control for external program starts</li>



<li>Over-exposed ICF services</li>



<li>Unnecessary trusted system relationships</li>



<li>Excessive administrative privileges including broad RFC authorizations</li>
</ul>



<p>In order to support detection, SAP telemetry should be integrated and correlated with telemetry from other endpoints to distinguish between normal SAP events and malicious actions. Also, anomaly-based monitoring is recommended to detect unusual system and user events.</p>



<p>The <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a> (CES) enables organizations to detect and respond to state-sponsored cyber threats in real time by combining continuous vulnerability management and threat detection for SAP solutions. CES is designed specifically for SAP landscapes (on-premise, cloud, and hybrid) and delivers real-time security intelligence to identify vulnerabilities and indicators of compromise in SAP applications and infrastructure. It monitors a broad set of SAP telemetry sources including SAP and infrastructure logs, providing security teams with deeper context than generic, non-SAP-specific tools that focus on network and host-level activity.</p>



<p>A key advantage for defending against advanced threats is the solution’s ability to reduce the attack surface to prevent exploitation. It performs scheduled scans for thousands of SAP vulnerabilities and misconfigurations, detects users with administrative privileges, and provides practical remediation guidance and workarounds to harden systems. CES also detects required SAP security notes including patches for Known Exploited Vulnerabilities for SAP in the CISA <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?f%5B0%5D=vendor_project%3A835" target="_blank" rel="noreferrer noopener">KEV</a> catalog.</p>



<p>CES uses both pattern matching and anomaly detection to detect indicators of compromise in SAP solutions. Alerts for security incidents are integrated with enterprise SIEM platforms for cross-network analysis and correlation, enabling SOC teams to connect SAP activity with events from firewalls, endpoints, identity systems, and other infrastructure.</p>
<p>The post <a href="https://www.layersevensecurity.com/state-sponsored-cyber-attacks-an-increasing-threat-to-sap-solutions/">State-Sponsored Cyber Attacks: An Increasing Threat to SAP Solutions</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes, February 2026</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-february-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 11 Feb 2026 23:08:39 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9363</guid>

					<description><![CDATA[<p>Hot news note 3697099 patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. The vulnerability can be exploited by attackers to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the ICF service CRM_IC_ISE in the sap/bc/bsp/sap service [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-february-2026/">SAP Security Notes, February 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Hot news note <a href="https://me.sap.com/notes/3697099" target="_blank" rel="noreferrer noopener">3697099</a> patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. The vulnerability can be exploited by attackers to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the ICF service CRM_IC_ISE in the sap/bc/bsp/sap service path.</p>



<p>Hot news note <a href="https://me.sap.com/notes/3674774" target="_blank" rel="noreferrer noopener">3674774</a> addresses a critical missing authentication check impacting background RFCs in SAP NetWeaver AS ABAP. In addition to applying the recommended support package, profile parameter rfc/authCheckInPlayback should be set to the value 2 to enable stronger authorization checks for transactional (tRFC) and queued RFC (qRFC) calls.</p>



<p>Note <a href="https://me.sap.com/notes/3697567" target="_blank" rel="noreferrer noopener">3697567</a> enhances verification procedures for XML signatures to address an XML Signature Wrapping vulnerability in NetWeaver AS ABAP. As a workaround, the vulnerable XML verification mechanisms can be avoided by disabling SAML and switching to alternative authentication methods.</p>



<p>Note <a href="https://me.sap.com/notes/3705882" target="_blank" rel="noreferrer noopener">3705882</a> patches an information disclosure vulnerability in the ST-PI Addon installed in NetWeaver AS ABAP systems. The vulnerability can be exploited to obtain sensitive system information.</p>



<p>Notes <a href="https://me.sap.com/notes/3674246" target="_blank" rel="noreferrer noopener">3674246</a>, <a href="https://me.sap.com/notes/3678282" target="_blank" rel="noreferrer noopener">3678282</a> and <a href="https://me.sap.com/notes/3654236" target="_blank" rel="noreferrer noopener">3654236</a> address open redirect and denial of service vulnerabilities in SAP BusinessObjects.</p>



<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-february-2026/">SAP Security Notes, February 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Digital Operational Resilience Act (DORA) Compliance for SAP Solutions</title>
		<link>https://www.layersevensecurity.com/digital-operational-resilience-act-dora-compliance-for-sap-solutions/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 28 Jan 2026 20:40:53 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[SAP Audit]]></category>
		<category><![CDATA[SAP Security Solutions]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9356</guid>

					<description><![CDATA[<p>The Digital Operational Resilience Act (DORA) is a regulation that mandates standards for cybersecurity and operational resilience in the financial sector within the European Union (EU). It provides standards for governing risks in Information and Communications Technology (ICT) to ensure banks, insurers, investment firms, and other financial institutions are able to deliver critical services by effectively [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/digital-operational-resilience-act-dora-compliance-for-sap-solutions/">Digital Operational Resilience Act (DORA) Compliance for SAP Solutions</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img decoding="async" width="1207" height="724" src="https://www.layersevensecurity.com/wp-content/uploads/2026/01/DORA-Compliance-for-SAP.webp" alt="" class="wp-image-9359" srcset="https://www.layersevensecurity.com/wp-content/uploads/2026/01/DORA-Compliance-for-SAP.webp 1207w, https://www.layersevensecurity.com/wp-content/uploads/2026/01/DORA-Compliance-for-SAP-300x180.webp 300w, https://www.layersevensecurity.com/wp-content/uploads/2026/01/DORA-Compliance-for-SAP-1024x614.webp 1024w, https://www.layersevensecurity.com/wp-content/uploads/2026/01/DORA-Compliance-for-SAP-768x461.webp 768w" sizes="(max-width: 1207px) 100vw, 1207px" /></figure>



<p>The <a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en" target="_blank" rel="noreferrer noopener">Digital Operational Resilience Act</a> (DORA) is a regulation that mandates standards for cybersecurity and operational resilience in the financial sector within the European Union (EU). It provides standards for governing risks in Information and Communications Technology (ICT) to ensure banks, insurers, investment firms, and other financial institutions are able to deliver critical services by effectively resisting, responding to, and recovering from ICT disruptions. The act took effect on January 17, 2025, with oversight from the European Supervisory Authorities EBA, ESMA, and EIOPA, to define and enforce technical standards for the regulation.</p>



<p><strong>The Five Pillars of DORA</strong></p>



<p>DORA’s core objective is to support the integrity and continuity of financial services against ICT risks including cyberattacks. The regulation includes the following five pillars:</p>



<ol start="1" class="wp-block-list">
<li>Risk Management: a comprehensive governance and control framework covering ICT asset inventory, protection, detection, response, recovery, backup, logging and monitoring, change management, and resilience-by-design.</li>



<li>Incident Management and Reporting: consistent handling of ICT incidents and mandatory reporting of major incidents.</li>



<li>Operational Resilience Testing: vulnerability assessments and penetration testing focused on critical functions.</li>



<li>Third-Party Risk Management: oversight for ICT vendors and providers including outsourced services.</li>



<li>Information Sharing: mechanisms to share cyber threat information and intelligence to strengthen sector-wide resilience.</li>
</ol>



<p><strong>The Impact of DORA for SAP Solutions</strong></p>



<p>For many financial services organizations, SAP solutions support critical functions such as procurement and supplier operations, human resource management, and finance and controlling. Therefore, they are often part of the ICT fabric that must be governed, monitored, tested, and recoverable for DORA compliance. Under DORA, SAP solutions require tight integration with:</p>



<ul class="wp-block-list">
<li>ICT Risk Governance, including the definition of key risk indicators and controls testing.</li>



<li>SOC Operations, including detection, triage, and handling of incidents.</li>



<li>Service Management, including approvals, evidence, and testing for changes.</li>



<li>Supplier Management, including managing hosting providers, system integrators, and external integrations such as APIs.</li>
</ul>



<p>DORA effectively obliges organizations to manage SAP solutions as regulated platforms, requiring baseline controls, continuous monitoring, regular patching, frequent testing, and periodic reporting.</p>



<p><strong>DORA Compliance with the Cybersecurity Extension for SAP</strong></p>



<p>The <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a> (CES) enables organizations to comply with DORA by identifying and managing ICT risks in SAP solutions, detecting and responding to security incidents, securing third party integrations, and verifying and reporting compliance with SAP security benchmarks. The solution supports compliance with each of the five pillars in DORA for SAP systems.</p>



<p>Pillar 1 &#8211; Risk Management</p>



<ul class="wp-block-list">
<li>Continuous SAP security monitoring including the detection of security-related changes in SAP solutions.</li>



<li>SAP-specific vulnerability management including the detection of 5000+ security weaknesses in SAP.</li>



<li>Custom code security including the detection of 300+ vulnerabilities in custom ABAP programs and SAP UI5 / Fiori applications.</li>



<li>SAP patch management including the detection of relevant security notes and support packages.</li>



<li>Alignment to SAP-specific baselines and cloud hardening benchmarks including the SAP Security Baseline, security guidance for S/4HANA, and SAP RISE/ECS mandatory security requirements.</li>
</ul>



<p>Pillar 2 &#8211; Incident Management and Reporting</p>



<ul class="wp-block-list">
<li>Threat detection: Detection and alerting for 1500+ Indicators of Compromise (IOC) in SAP solutions including application, database and host-level logs.</li>



<li>Risk-based prioritization of SAP alerts based on operational impact for rapid classification.</li>



<li>Standard operating procedures and workflows for investigating, tracking and reporting on incident investigations.</li>
</ul>



<p>Pillar 3 &#8211; Operational Resilience Testing</p>



<ul class="wp-block-list">
<li>Compliance monitoring and baseline checks to validate SAP hardening.</li>



<li>Threat detection exercises for SAP attack paths including privilege escalation, interface abuse, suspicious admin changes, and calls to critical SAP function modules, reports, services, and transactions.</li>



<li>Daily vulnerability scanning to support risk identification and mitigation.</li>
</ul>



<p>Pillar 4 &#8211; Third-Party Risk Management</p>



<ul class="wp-block-list">
<li>Visibility into external interfaces in SAP solutions including cloud connections.</li>



<li>Evidence for SAP RISE / managed-service security requirements.</li>



<li>Accountability for system integrators against SAP security standards.</li>
</ul>



<p>Pillar 5 &#8211; Information Sharing</p>



<ul class="wp-block-list">
<li>SAP-specific security intelligence including threat detection patterns, CVEs, and zero-day vulnerabilities.</li>



<li>Standardized reporting for information sharing with cross-functional teams and sector forums.</li>
</ul>



<p>The Cybersecurity Extension for SAP supports digital resilience and DORA compliance by ensuring security for SAP solutions is measurable, monitored, and audit-ready. It provides continuous evidence of SAP hardening, while strengthening operational resilience through incident detection, streamlined response, and reduced exposure to cyber risks.</p>
<p>The post <a href="https://www.layersevensecurity.com/digital-operational-resilience-act-dora-compliance-for-sap-solutions/">Digital Operational Resilience Act (DORA) Compliance for SAP Solutions</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SAP Security Notes, January 2026</title>
		<link>https://www.layersevensecurity.com/sap-security-notes-january-2026/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 14 Jan 2026 20:52:22 +0000</pubDate>
				<category><![CDATA[Advisories]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9345</guid>

					<description><![CDATA[<p>Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The solution in the note prevents the injection of user-controlled input in SQL queries using input validation to remove the vulnerability. A workaround is also detailed in [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-january-2026/">SAP Security Notes, January 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Hot news note <a href="https://me.sap.com/notes/3687749" target="_blank" rel="noreferrer noopener">3687749</a> patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The solution in the note prevents the injection of user-controlled input in SQL queries using input validation to remove the vulnerability. A workaround is also detailed in the note. Access to vulnerable function modules in function group FGL_BCF should be restricted using authorization object S_RFC. According to the note, the function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces.</p>



<p>Hot news note <a href="https://me.sap.com/notes/3694242" target="_blank" rel="noreferrer noopener">3694242</a> deals with another critical vulnerability in SAP S/4HANA that can be exploited to execute arbitrary ABAP code and OS commands and bypass authorization checks. The vulnerability effectively functions as a backdoor, leading to the risk of full system compromise. The correction in the note removes the vulnerable code. Although a workaround is not included in the note, it is also possible to use authorization object S_RFC to temporarily address the vulnerability by restricting access to the affected function group.</p>



<p>Note <a href="https://me.sap.com/notes/3697979" target="_blank" rel="noreferrer noopener">3697979</a> addresses a similar critical ABAP code/OS command injection vulnerability in SAP Landscape Transformation.</p>



<p>Note <a href="https://me.sap.com/notes/3668679" target="_blank" rel="noreferrer noopener">3668679</a> patches a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager. The vulnerability can be exploited to execute commands on workstations using malicious JNLP (Java Network Launch Protocol) files accessible via URLs. Wily Enterprise Manager should be upgraded to version 10.8 SP01 Patch 2 (10.8.0.220) to remove the vulnerability.</p>



<p>Note <a href="https://me.sap.com/notes/3691059" target="_blank" rel="noreferrer noopener">3691059</a> fixes a privilege escalation vulnerability in SAP HANA that can be exploited by attackers to gain administrative access to the database. The correction in the note prevents unauthorized user switching to remove the root cause of the vulnerability.</p>



<p>Notes <a href="https://me.sap.com/notes/3675151" target="_blank" rel="noreferrer noopener">3675151</a> and <a href="https://me.sap.com/notes/3688703" target="_blank" rel="noreferrer noopener">3688703</a> deal with high-risk OS command and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP.</p>



<p>Note <a href="https://me.sap.com/notes/3565506" target="_blank" rel="noreferrer noopener">3565506</a> addresses multiple vulnerabilities in the SAP Fiori Application Intercompany Balance Reconciliation. The impacted components include S4CORE in SAP S/4HANA.</p>



<p>The post <a href="https://www.layersevensecurity.com/sap-security-notes-january-2026/">SAP Security Notes, January 2026</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Key Security Findings from the RISE with SAP 2025 Benchmark Report</title>
		<link>https://www.layersevensecurity.com/key-security-findings-from-the-rise-with-sap-2025-benchmark-report/</link>
		
		<dc:creator><![CDATA[Layer Seven]]></dc:creator>
		<pubDate>Wed, 17 Dec 2025 19:12:34 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[SAP Cloud Security]]></category>
		<category><![CDATA[SAP Security Recommendations]]></category>
		<guid isPermaLink="false">https://layersevensecurity.com/?p=9311</guid>

					<description><![CDATA[<p>SAPinsider’s RISE with SAP 2025 benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping [&#8230;]</p>
<p>The post <a href="https://www.layersevensecurity.com/key-security-findings-from-the-rise-with-sap-2025-benchmark-report/">Key Security Findings from the RISE with SAP 2025 Benchmark Report</a> appeared first on <a href="https://www.layersevensecurity.com">Layer Seven Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1300" height="860" src="https://www.layersevensecurity.com/wp-content/uploads/2025/12/RISE-with-SAP.jpg" alt="" class="wp-image-9314" srcset="https://www.layersevensecurity.com/wp-content/uploads/2025/12/RISE-with-SAP.jpg 1300w, https://www.layersevensecurity.com/wp-content/uploads/2025/12/RISE-with-SAP-300x198.jpg 300w, https://www.layersevensecurity.com/wp-content/uploads/2025/12/RISE-with-SAP-1024x677.jpg 1024w, https://www.layersevensecurity.com/wp-content/uploads/2025/12/RISE-with-SAP-768x508.jpg 768w" sizes="(max-width: 1300px) 100vw, 1300px" /></figure>



<p>SAPinsider’s <em><a href="https://sapinsider.org/research-reports/sapinsider-benchmark-research-rise-with-sap-2025/" target="_blank" rel="noreferrer noopener">RISE with SAP 2025</a></em> benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping migration decisions. From a security standpoint, the most material finding is broad customer non-compliance with the shared model of responsibility, and more specifically, failure to implement and sustain SAP’s mandatory security hardening requirements documented in relevant SAP notes for SAP systems operating in SAP’s cloud delivery model.</p>



<p><strong>Broad Non-Compliance with Customer Security Responsibilities</strong></p>



<p>The report identifies a significant gap between SAP’s cloud security expectations and customer execution. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration, access controls, and compliance with SAP-defined hardening standards.</p>



<p>Two key findings stand out:</p>



<ul class="wp-block-list">
<li>Less than half (45%) of respondents are aware of and actively following the <a href="https://www.layersevensecurity.com/sap-rise-security/" target="_blank" rel="noreferrer noopener">shared responsibility model</a> for SAP Cloud ERP Private security.</li>



<li>Approximately one-third are aware of the model but do not follow it rigorously, indicating that a majority of organizations either do not fully understand or are not consistently executing their responsibilities.</li>
</ul>



<p>This is not a minor administrative gap. The report explicitly warns that failure to follow both the shared responsibility model and SAP’s mandatory hardening requirements leaves systems open to attack. For leadership teams, the implication is straightforward: cloud migration does not transfer accountability for SAP security outcomes to SAP. If required customer-side controls are not implemented and maintained, the organization bears the risk.</p>



<p><strong>Hardening Requirements Are Frequently Missed</strong></p>



<p>The report goes beyond general security awareness and points to a more specific and operational problem: customers running SAP Cloud ERP Private in SAP’s cloud delivery environment must comply with SAP’s mandatory security parameters and hardening requirements, as documented in relevant SAP notes for ABAP, HANA and Java systems and related components. This includes notes <a href="https://me.sap.com/notes/3250501" target="_blank" rel="noreferrer noopener">3250501</a>, <a href="https://me.sap.com/notes/3480723" target="_blank" rel="noreferrer noopener">3480723</a> and <a href="https://me.sap.com/notes/3381209" target="_blank" rel="noreferrer noopener">3381209</a>.</p>



<p>The report underscores that non-compliance with these requirements materially increases exposure. In business terms, required hardening defines baseline expectations for how SAP systems must be configured to reduce preventable attack paths. Failure to apply those settings—consistently and over time—creates vulnerabilities that can persist in SAP solutions.</p>



<p><strong>Compliance Is a Moving Target</strong></p>



<p>A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, platform changes, and evolving best practices. As a result, a system that was compliant at go-live may drift out of compliance over time even without major architectural change.</p>



<p>This creates a practical operational risk: compliance must be managed as an ongoing discipline, not a one-time implementation deliverable. Organizations need repeatable processes to track new and updated SAP security guidance, assess its applicability, validate their current posture, and remediate gaps across their SAP landscapes.</p>



<p><strong>Business Risk of Non-Compliance: Support, Liability, and Exposure</strong></p>



<p>The consequences of non-compliance extend beyond technical risk and into contractual and legal exposure:</p>



<ul class="wp-block-list">
<li>Support risk: When hardening requirements and mandatory parameters are not implemented, incident response becomes more complicated. In high-severity security situations, customers may face delays and friction in diagnosis and remediation, and their position with SAP support can be weakened if the environment is not aligned with required security standards.</li>



<li>Legal and regulatory risk: In the event of a data breach, organizations are often required to demonstrate that they followed vendor-prescribed security requirements and reasonable security practices. If an organization cannot demonstrate compliance with SAP’s documented security hardening guidance, it can weaken the company’s defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, litigation, and reputational harm. Ultimately, under a shared responsibility model, the customer retains accountability—and therefore liability—for customer-controlled security controls.</li>
</ul>



<p><strong>Additional Survey Indicators Relevant to Security Posture</strong></p>



<p>Although the report is broader than security, several survey results reinforce the importance of establishing a robust cloud security operating model:</p>



<ul class="wp-block-list">
<li>80% of respondents identify comprehensive monitoring to ensure system health and security as a key requirement for their ERP transformation and innovation initiatives.</li>



<li>79% indicate the need for best-practice compliance checks that avoid outages, underscoring that organizations see compliance and stability as tightly linked.</li>
</ul>



<p>These findings align with the report’s security message: maintaining control effectiveness requires continuous monitoring and governance, not periodic reviews.</p>



<p><strong>How the Cybersecurity Extension for SAP from Layer Seven Security Addresses These Challenges</strong></p>



<p>The report’s core security finding—customer non-compliance with evolving security requirements—directly aligns with the capabilities of Layer Seven Security’s <a href="https://www.layersevensecurity.com/cybersecurity-extension-for-sap/" target="_blank" rel="noreferrer noopener">Cybersecurity Extension for SAP</a>. The solution is designed to help organizations operationalize their security responsibilities in SAP RISE / Cloud ERP environments where configuration, compliance, and threat conditions change over time.</p>



<p>At a business level, it supports three outcomes:</p>



<ol start="1" class="wp-block-list">
<li><strong>Continuous monitoring against current hardening requirements:</strong> Automated checks against SAP security baselines help identify non-compliance as SAP standards evolve, rather than relying on periodic manual reviews.</li>



<li><strong>Reduced risk from compliance drift:</strong> Ongoing visibility into configuration posture helps prevent gradual degradation of security controls due to system change, integration expansion, or operational turnover.</li>



<li><strong>Improved audit and support readiness:</strong> Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective engagement during incidents and escalations.</li>
</ol>



<p>This approach acknowledges the operational reality emphasized by the report: compliance is a moving target, and organizations need a sustainable mechanism to remain aligned to SAP’s required security standards.</p>



<p><strong>Key Takeaways</strong></p>



<p>The most significant security issue identified in the SAPinsider <em>RISE with SAP 2025</em> report is customer non-compliance. A majority of organizations are not fully executing their responsibilities under the shared security model, and the most consequential example is failure to comply with SAP’s mandatory hardening requirements documented in SAP notes. Because these requirements evolve over time, compliance must be treated as an ongoing operational discipline—supported by clear accountability, continuous monitoring, and repeatable remediation processes—to reduce operational, legal, and reputational risk in SAP Cloud ERP Private environments.</p>



<p>The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at <a href="https://sapinsider.org/webinars/layer-seven-security-sapinsider-benchmark-research-webinar-rise-with-sap-2025/" target="_blank" rel="noreferrer noopener">SAPinsider</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
