CVE-2025-43010 Overview
CVE-2025-43010 affects the SAP S/4HANA Cloud Private Edition and on-premise deployments, specifically the Supply Chain Management (SCM) Master Data Layer (MDL) component. An authenticated attacker with SAP standard authorization can invoke a specific Remote Function Call (RFC) module to replace arbitrary Advanced Business Application Programming (ABAP) programs, including SAP standard programs. The vulnerability stems from missing input validation and absent authorization checks in the function module. SAP classifies the issue as code injection [CWE-94], with low confidentiality impact but high impact on application integrity and availability.
Critical Impact
Authenticated attackers can overwrite SAP standard ABAP programs, enabling persistent backdoors, business process tampering, and disruption of core ERP operations.
Affected Products
- SAP S/4HANA Cloud Private Edition (SCM Master Data Layer)
- SAP S/4HANA on Premise (SCM Master Data Layer)
- SAP standard ABAP programs deployed on affected S/4HANA systems
Discovery Timeline
- 2025-05-13 - CVE-2025-43010 published to the National Vulnerability Database
- 2025-05-13 - SAP releases SAP Note #3600859 on SAP Security Patch Day
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-43010
Vulnerability Analysis
The flaw resides in a Remote Function Call (RFC)-enabled function module within the SCM Master Data Layer of SAP S/4HANA. The module accepts caller-supplied input that controls which ABAP program source is written to the system. Because the function module lacks both input validation and authorization checks, any authenticated user holding SAP standard authorization can invoke it remotely. Attackers can therefore replace the source code of arbitrary ABAP reports, including SAP-delivered standard programs that execute with elevated business privileges.
Replacement of standard ABAP programs grants durable code execution within the ERP application server. Subsequent execution of the replaced program — whether triggered by a scheduled job, a business transaction, or a user-initiated report — runs attacker-supplied logic in the SAP application context. This affects integrity and availability of financial postings, supply chain master data, and other ERP workflows.
Root Cause
The root cause is a code injection condition [CWE-94] caused by two design defects: the function module accepts program names and source content without validating them against an allow-list, and it omits the AUTHORITY-CHECK statements that should restrict program modification to authorized developers. Production SAP systems normally forbid runtime modification of standard programs, but this RFC path bypasses those controls.
Attack Vector
Exploitation requires network access to the SAP gateway or RFC interface and valid credentials with SAP standard authorization — a low privilege level present on most production systems. The attacker calls the vulnerable function module through any RFC-capable client, supplying a target program name and replacement ABAP source. No user interaction is required. Successful exploitation results in immediate overwrite of the target program. Refer to SAP Note #3600859 for the technical specifics of the affected function module.
Detection Methods for CVE-2025-43010
Indicators of Compromise
- Unexpected modifications to standard SAP ABAP programs recorded in transaction SE38 version history or table REPOSRC.
- RFC call logs (SM59, gateway logs) showing invocations of SCM Master Data Layer function modules from unusual users or hosts.
- New or altered entries in the ABAP workbench transport logs without an associated change request approval.
- Security Audit Log (SM19/SM20) entries showing program edits performed by non-developer accounts.
Detection Strategies
- Enable the SAP Security Audit Log for all RFC function module calls and program changes, then alert on writes to standard SAP* program names.
- Baseline allowed RFC callers for SCM MDL function modules and flag deviations.
- Compare ABAP source hashes against a known-good snapshot taken immediately after patching.
- Correlate RFC activity with user role assignments to surface low-privileged accounts performing developer-level operations.
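The four strategies above, implemented over simplified event records, as an added example that is not part of the original advisory or SAP's tooling. The record layout, the "SCM_MDL" function-group label, the caller baseline, the role names and the program sources are all constructed placeholders; real SM20 and gateway log fields must be mapped onto them, and the actual function module is named in SAP Note #3600859.

```python
"""Detection logic for CVE-2025-43010 (added example, not from the page or SAP).
Event records are a constructed normalisation of RFC-call and program-change events."""
import hashlib
import re

# Customer namespace is Y*, Z* or /NS/...; anything else is treated as SAP standard.
CUSTOMER_NS = re.compile(r"^(?:[YZ]|/[A-Z0-9]+/)")
# Constructed baseline of (user, host) pairs allowed to call SCM MDL function modules.
# "SCM_MDL" is a placeholder group label; SAP Note 3600859 names the real module.
ALLOWED_MDL_CALLERS = {("MDL_BATCH", "app-prod-01"), ("MDL_BATCH", "app-prod-02")}
DEVELOPER_ROLES = {"Z_ABAP_DEVELOPER"}  # constructed role name

def is_standard_program(name):
    return not CUSTOMER_NS.match(name.upper())

def flag_rfc_calls(events, allowed=ALLOWED_MDL_CALLERS):
    """Strategy 2: SCM MDL function-module calls from a non-baselined user/host."""
    return [e for e in events if e["type"] == "RFC_CALL" and e["fgroup"] == "SCM_MDL"
            and (e["user"], e["host"]) not in allowed]

def flag_program_writes(events, roles):
    """Strategies 1 and 4: any write to a standard program name, or any program
    write by an account that holds no developer role."""
    return [e for e in events if e["type"] == "PROGRAM_WRITE"
            and (is_standard_program(e["program"])
                 or not roles.get(e["user"], set()) & DEVELOPER_ROLES)]

def snapshot_hashes(sources):
    """Known-good snapshot: program name -> SHA-256 of its ABAP source."""
    return {p: hashlib.sha256(src.encode()).hexdigest() for p, src in sources.items()}

def drifted_programs(snapshot, current):
    """Strategy 3: programs whose source changed, or appeared, since the snapshot."""
    now = snapshot_hashes(current)
    return sorted(p for p, h in now.items() if snapshot.get(p) != h)

# Constructed sample input.
EVENTS = [
    {"type": "RFC_CALL", "user": "MDL_BATCH", "host": "app-prod-01", "fgroup": "SCM_MDL"},
    {"type": "RFC_CALL", "user": "JDOE", "host": "10.0.5.77", "fgroup": "SCM_MDL"},
    {"type": "RFC_CALL", "user": "JDOE", "host": "10.0.5.77", "fgroup": "OTHER"},
    {"type": "PROGRAM_WRITE", "user": "JDOE", "program": "RSMDLDEMO"},   # standard name
    {"type": "PROGRAM_WRITE", "user": "JDOE", "program": "ZTEMP"},       # no dev role
    {"type": "PROGRAM_WRITE", "user": "DEV01", "program": "ZREPORT1"},   # legitimate
]
ROLES = {"DEV01": {"Z_ABAP_DEVELOPER"}, "JDOE": {"Z_DISPLAY_ONLY"}}
GOOD = {"RSMDLDEMO": "REPORT rsmdldemo.\nWRITE 'ok'.", "ZREPORT1": "REPORT zreport1."}
SNAPSHOT = snapshot_hashes(GOOD)
CURRENT = dict(GOOD, RSMDLDEMO="REPORT rsmdldemo.\nWRITE 'tampered'.")
```

Run `flag_rfc_calls(EVENTS)`, `flag_program_writes(EVENTS, ROLES)` and `drifted_programs(SNAPSHOT, CURRENT)` to see which sample records each strategy surfaces.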
Monitoring Recommendations
- Forward SAP Security Audit Log, gateway log, and CDHDR/CDPOS change records to a centralized SIEM for long-term retention.
- Monitor table REPOSRC and transport requests for off-hours modifications.
- Track concurrent RFC sessions from a single user against multiple application servers, which can indicate scripted exploitation.
How to Mitigate CVE-2025-43010
Immediate Actions Required
- Apply the SAP patch referenced in SAP Note #3600859 to all affected S/4HANA systems.
- Audit current authorization assignments and remove SAP standard authorizations from accounts that do not require them.
- Review recent changes to standard ABAP programs and restore any unauthorized modifications from a clean backup.
- Rotate credentials for accounts that had access to the vulnerable function module before patching.
Patch Information
SAP published the fix on SAP Security Patch Day. Customers must download and apply the support package or correction instructions from SAP Note #3600859. Refer to the SAP Security Patch Day portal for the full advisory and prerequisite notes.
Workarounds
- Restrict RFC access to the SCM Master Data Layer function group via SM59 destination filters and gateway access control lists (reginfo and secinfo).
- Set the production system to not modifiable in transaction SE06 to block runtime program changes until the patch is deployed.
- Implement Unified Connectivity (UCON) to allow-list only required RFC function modules for external callers.
#VERSION=2
# Example SAP gateway reginfo entries: only the listed internal application servers may
# register external RFC server programs, only this system's own servers may call them,
# and everything else is denied. reginfo/secinfo govern external programs at the gateway;
# they do not limit an authenticated user's calls to RFC-enabled function modules inside
# the application server, which is what UCON and S_RFC authorizations control.
P TP=* HOST=app-prod-01,app-prod-02 ACCESS=internal
D TP=* HOST=*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.