SAP Security Audits by ESNC

Comprehensive Analysis of your SAP Landscape by Top Experts

SAP Vulnerability Assessment and SAP Security Audit Services by ESNC

ESNC consultants are publicly acknowledged by SAP for discovery and reporting of more than 100 security vulnerabilities. Get your systems assessed by the best professionals!

How it Works

CHOOSE YOUR SAP SECURITY ASSESSMENT TYPE | DEFINE THE SCOPE | SET UP THE PROJECT DATE FOR EXECUTION

OPTION 1

In-depth SAP Security Analysis

Conduct a thorough security assessment across your entire SAP landscape, covering ABAP, Java, S/4HANA, Solution Manager, ERP, mobile, Fiori, and more. Identify and fix threats like OS command execution, SoD bypass, and password theft. Get expert advice on user setup, authorizations, BASIS security, patching, and SAP best practices.

OPTION 2

Application Security Assessment

Analyze your ABAP code against OWASP Top 10 vulnerabilities and ABAP specific vulnerabilities, such as ABAP injection, SQL injection, XSS and authentication bypass. Identify ABAP backdoors and mitigate risks based on our guidelines.

ESNC SAP SECURITY AUDIT & ASSESSMENT BENEFITS

Focus on Critical Business Risks – Open Gaps

Analyze SAP system security based on business functionality and impact. Identify the root cause of each vulnerability and eliminate risks based on expert guidance. Get a detailed explanation of issues, risks, and recommendations for mitigation, including references to SAP security guidelines.

False Positives? We don’t have any

All our security assessments go through an extensive quality check before the final delivery. All our findings are accurate and they provide proper evidence and recommendations for the technical teams and the management to understand the issues and work on the mitigating actions efficiently.

Answer to your question “What do we do next?”

Our SAP security review prioritizes critical vulnerabilities based on your landscape and its interconnectivity, enabling a focus on quick wins. Collaborating with your teams, we develop an action plan that addresses root causes to prevent recurrence and aligns with your business processes.

Threat Analysis – Detection of Existing Breaches and Fraud

The in-depth security assessment includes an analysis of your security logs and business data to detect whether a breach of your system has actually happened. Did someone steal the customer or supplier list, download payroll information of the employees, change the bank details of a vendor and initiate a purchase? This and many other cases are assessed.

Establish SAP Security Baselines

Based on the results, align business requirements with proper security controls and collaborate with our experts to develop SAP security-hardening documents and baselines covering ABAP, SAP Java, SAP BASIS, and user authorizations.

Mind-blowing Security Charts and Dashboards for Your Management

Our multivector threat analysis visually maps system threats, providing a clear, executive-level security posture overview of your SAP landscape, easily understood even without prior SAP knowledge.

ESNC’s Expert Advantage

Since its inception in 2009, ESNC has been dedicated exclusively to SAP security. Our experts have assisted numerous organizations in identifying and mitigating SAP vulnerabilities. All ESNC consultants are publicly recognized by SAP for their contributions to discovering vulnerabilities in SAP standard software.

Power and Speed by ESNC Security Suite

ESNC's SAP security consultants leverage the ESNC Security Suite during assessments for unparalleled speed and accuracy in identifying security vulnerabilities and potential breaches. The automated SAP security checks and inventory detection capabilities significantly reduce the time and effort required compared to manual consultancy approaches.

SAP Security Vulnerabilities Discovered and Reported by ESNC

  • ESNC has discovered and reported critical security vulnerabilities in SAP products, impacting various industries including Oil & Gas, Utilities, Banking, and Automotive.
  • These SAP security vulnerabilities enable attackers to bypass authorization restrictions, access sensitive business data (e.g., customer or procurement data), and manipulate critical business processes, including payment transactions.
  • Based on ESNC's findings, SAP has released patches or mitigation guidance to address these vulnerabilities. SAP publicly acknowledges ESNC's contributions to enhancing SAP security.
  • ESNC also discovered critical vulnerabilities in 3rd party SAP add-ons such as OpenText IXOS or XFT HR solutions.
  • We provide our customers with periodic workshops, risk management services, and develop vulnerability management processes tailored to SAP systems and applications.
  • Contact us today to proactively mitigate risks across your business landscape and achieve robust SAP security.

The following list represents a selection of released SAP security notes that resulted from ESNC's collaboration with SAP SE. These notes address vulnerabilities in SAP enterprise components, industry solutions, and front-end applications like SAPGUI, ultimately contributing to improved security across the SAP landscape. The full list is extensive, so a representative sample of the items is included here. Please note that some security patches, such as those related to SAP GRC, address multiple vulnerabilities discovered and reported by ESNC.

  • ESNC is an active contributor to the security community.
  • ESNC has presented many vulnerabilities in SAP’s products which allow bypassing authentication, attacking digital certificates, or running remote operating system commands, resulting in manipulation of business processes and theft of sensitive data.
  • ESNC presents its latest research at security conferences such as BlackHat, Defcon, CCC Annual Congress, RISK and Sec-T, so that the right people can take mitigating actions.
  • ESNC has developed proven methodologies to assess and secure the SAP systems of top enterprises.
  • ESNC’s products are updated based on the latest threats and discoveries in SAP security research.
  • Customers using ESNC’s products can be protected against many of the threats even before SAP patches them.
Location / Industry Solution | Vulnerability Discovered by ESNC | SAP's Patch ID
SAP Oil & Gas Industry - Materials Management | Remote ABAP Code Injection | SAP Security Note 1873131
SAP Automotive Industry - Core Module | Privilege Escalation & SoD Bypass | SAP Security Note 1860258
SAP GRC - Governance Risk and Compliance - Access Control | Privilege Escalation & SoD Bypass, Remote Arbitrary Program Execution | SAP Security Note 2039348
Banking - European Monetary Union | Remote Code Injection | SAP Security Note 1788426
All Industries - Password Cracking Attacks | Password Cracking | SAP Security Note 1484692
SAP Human Resources / Human Capital Management | Remote Arbitrary Program Execution | SAP Security Note 1779317
SAP Utilities Industry, SAP Public Sector, SAP Telecommunications Industry, SAP Media Industry - Contract Accounting | Privilege Escalation & SoD Bypass | SAP Security Note 1851835
All Industries - SAP Security Components (BC-SEC) | Decryption of Usernames and Passwords | SAP Security Note 1902611
SAP Environment, Health and Safety - Regulatory Checks Module | Remote Arbitrary Program Execution | SAP Security Note 1845802
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902986
SAP Healthcare - Hospitals - Clinical System | Privilege Escalation & SoD Bypass | SAP Security Note 1691744
All Industries - SAP Solution Manager | Remote OS Command Execution | SAP Security Note 1940405
All Industries - Attacks to SAPGUI | Remote OS Command Execution on Connecting Workstations | SAP Security Note 1483525
All Industries - Attacks to SAP Cryptographic Components | Single Sign-on Attacks - Authentication Bypass | SAP Security Note 1497104
SAP Financing Source - Expenditure Certification | Remote Arbitrary Program Execution | SAP Security Note 1840304
All Industries - SAP Message Server Security | Password Sniffing - Man in the Middle | SAP Security Note 1421005
SAP Environment, Health and Safety - Dangerous Goods Management | Privilege Escalation & SoD Bypass | SAP Security Note 1673016
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1791089
SAP Human Resources - Personnel Administration | Remote Arbitrary Program Execution | SAP Security Note 1852738
Business Warehouse - BeX Business Explorer | Remote ABAP Code Injection | SAP Security Note 1885371
SAP Financial Supply Chain Management | Remote ABAP Code Injection | SAP Security Note 1858566
All Industries - Attacks to SAP Cryptographic Components | Bypassing Authentication | SAP Security Note 1485029
SAP Java AS - Software Update Manager | Decryption of Usernames and Passwords | SAP Security Note 1842817
SAP Media Industry - Product Master Data Management | Privilege Escalation & SoD Bypass | SAP Security Note 1853040
All Industries - SAP Solution Manager | Admin Password Disclosure | SAP Security Note 1865109
Business Warehouse | Privilege Escalation & SoD Bypass | SAP Security Note 1971397
SAP Project Management | Privilege Escalation & SoD Bypass | SAP Security Note 1858474
SAP Invoice Management | Privilege Escalation & SoD Bypass | SAP Security Note 2015232
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902402
Business Warehouse - BEx - Business Explorer | Remote Code Injection | SAP Security Note 1886051
Cost Controlling | Remote ABAP Code Injection | SAP Security Note 1511107
Document Management Services | Remote Arbitrary Program Execution | SAP Security Note 1842826
SAP Project Management | Remote Code Injection | SAP Security Note 1776695
SAP Database Monitors for Oracle | Remote Arbitrary Program Execution | SAP Security Note 1881914
All Industries - Attacks to SAP Transport Management System (TMSADM) | Password Cracking | SAP Security Note 1488406
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1795948
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1792354
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1852955
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1905591
Supply Chain Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1910737
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1537089
Project-Oriented Procurement | Remote Arbitrary Program Execution | SAP Security Note 1862392
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1906568
All Industries - BASIS Communication Services | Remote OS Command Injection | SAP Security Note 1674132
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1856296
Enterprise Service Infrastructure - Web Service Infrastructure | Privilege Escalation & SoD Bypass | SAP Security Note 1776984
All Industries - SAPGUI Frontend Services | Remote Arbitrary Program Execution | SAP Security Note 1750997
SAP LiveCache Applications | Privilege Escalation & SoD Bypass | SAP Security Note 1889999
Basis Components - Administration Assistant | Remote OS Command Injection | SAP Security Note 1668224
Basis Components - Business Management | Privilege Escalation & SoD Bypass | SAP Security Note 1772498
Business Process Library | Remote Arbitrary Program Execution | SAP Security Note 1813734
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1843169
Controlling - Product Cost Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1777228
Custom Development Management | Privilege Escalation & SoD Bypass | SAP Security Note 1771567
All Industries - Schedule Manager | Privilege Escalation & SoD Bypass | SAP Security Note 1771204
SAP Basis Components | Hardcoded Password | SAP Security Note 1774903
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1870485
SAP Quality Inspection | Privilege Escalation & SoD Bypass | SAP Security Note 1945300
SAP Production Orders | Remote Arbitrary Program Execution | SAP Security Note 1907712