Exploiting the Core: Inside the BTP and ABAP Security Vulnerabilities Weaponized by Attackers

As organizations aggressively adopt the SAP Business Technology Platform (BTP) to achieve a modern, agile architecture, the traditional security boundary around the enterprise resource planning (ERP) system is shifting. SAP drives the Clean Core strategy to move custom logic out of the core system. However, migrating custom applications to the cloud does not automatically eliminate vulnerability risks.
In Episode 1 of our docuseries, Hacking & Defending SAP Applications Live, Onapsis researchers Ignacio Favro and Fabian Hagg analyzed the first mass-exploited SAP zero-day (CVE-2025-31324 and CVE-2025-42999). Sophisticated threat actors leveraged this previously unknown flaw to compromise hundreds of SAP customers.
Building directly on those insights, Hacking and Defending SAP Applications Live: Clean Core, Dark Shadows (Episode 2 of our docuseries) moves from perimeter threats to the application layer. In this briefing, Onapsis CTO JP Perez-Etchegoyen presents two high-stakes threat scenarios showing how unverified ABAP custom code and BTP extensions have created a broad, complex attack surface that cybercriminals actively weaponize.
Scenario 1: The Well-Intended BTP Developer and Cloud-to-On-Premises Exploitation
The first scenario involves a classic challenge in modern enterprise development: a highly skilled, well-intended BTP application developer building custom Node.js and SAPUI5 cloud extensions without a deep background in application security. While attempting to deliver core business self-service functionality, this developer introduces critical coding flaws that allow an external attacker to pivot directly into the production back-end system.

Architectural diagram mapping an external attacker’s exploit path from an initial BTP Fiori application login, through IDOR and OS command injection flaws, to exfiltrating VCAP_SERVICES and hijacking destination credentials to compromise the on-premises S/4HANA core.
Attack Chain:
[Attacker Login] ➔ [IDOR Exploitation] ➔ [OS Command Injection] ➔ [Exfiltrate VCAP_SERVICES] ➔ [Stolen OAuth Client Access] ➔ [On-Premises Core Compromise]
The Initial Foothold: Insecure Direct Object References (IDOR)
An attacker logs into a clean, modern Fiori self-service application using a legitimate, low-privileged employee account belonging to a user named Sam Brennan. While browsing their own profile, the attacker notices that user information is fetched via specific parameters within the application URL string.
When the attacker alters that parameter value (a basic IDOR attack), the application logic performs no explicit authorization check against the requesting user. This flaw instantly allows the low-privileged account to view the restricted profile data and executive compensation records of other users, including the corporate CEO.
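The authorization gap described above, as an added example that is not code from the original post or from the application it describes. The in-memory profile store, the session shape and the hr_admin role are constructed assumptions; the point is that the id taken from the URL must never be the only input to the access decision.

```javascript
// Constructed in-memory data standing in for the application's database.
const profiles = {
  1001: { id: 1001, name: 'Sam Brennan', role: 'employee', compensation: 52000 },
  1:    { id: 1,    name: 'Corporate CEO', role: 'executive', compensation: 950000 },
};

// Vulnerable pattern: the id from the URL is trusted and nobody asks who is requesting it.
function getProfileVulnerable(session, requestedId) {
  const p = profiles[requestedId];
  return p ? { status: 200, body: p } : { status: 404, body: null };
}

// Hardened pattern: the decision is made against the authenticated session.
// A user may read their own record; an HR administrator (assumed role) may read any.
// Denied and missing records both return 404 so the endpoint does not reveal which ids exist.
function getProfileHardened(session, requestedId) {
  const id = Number(requestedId);
  if (!Number.isInteger(id)) return { status: 400, body: null };
  const allowed = id === session.userId || session.role === 'hr_admin';
  if (!allowed) return { status: 404, body: null };
  const p = profiles[id];
  return p ? { status: 200, body: p } : { status: 404, body: null };
}

// Stand-alone demonstration with Sam's low-privileged session.
const samSession = { userId: 1001, role: 'employee' };
console.log('vulnerable, id=1 :', getProfileVulnerable(samSession, '1').status);  // 200, leaks CEO record
console.log('hardened,   id=1 :', getProfileHardened(samSession, '1').status);    // 404
console.log('hardened, id=1001:', getProfileHardened(samSession, '1001').status); // 200, own record
```

In an Express handler this would be `getProfileHardened(req.session, req.params.id)`; the important design choice is that the check lives in the server-side handler, not in the Fiori/SAPUI5 front end, which the attacker fully controls.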
The Pivot: Cross-Site Scripting (XSS) and Session Exfiltration
The attacker identifies that the profile bio text block lacks proper input validation and sanitization. The attacker injects a persistent XSS payload into the field, and the malicious code is saved directly to the database. Every subsequent user or system administrator who views that specific profile triggers the script, allowing the attacker to silently exfiltrate session data and compromise executive accounts.
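The two controls that neutralize the stored-XSS-to-session-theft chain above, as an added example (not code from the original post or the application it describes): context-aware HTML encoding of the bio at render time, and a session cookie that a script cannot read. The payload string, the template markup and the cookie name are constructed assumptions.

```javascript
// Encode the five characters that matter in an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable render: whatever was stored in the bio column goes straight into the page.
function renderBioVulnerable(bio) {
  return '<div class="bio">' + bio + '</div>';
}

// Hardened render: the stored value is treated as text, never as markup, at the point of output.
// Encoding on output (rather than only on input) also covers data that entered the database
// through other channels, such as an import job or an older version of the form.
function renderBioHardened(bio) {
  return '<div class="bio">' + escapeHtml(bio) + '</div>';
}

// Session cookie attributes that keep a token out of reach of injected script:
// HttpOnly blocks document.cookie access, Secure keeps it off plaintext HTTP,
// SameSite=Strict stops it riding along on cross-site requests.
function sessionCookieHeader(token) {
  return 'SESSION=' + token + '; Path=/; HttpOnly; Secure; SameSite=Strict';
}

// Constructed stored payload of the kind the scenario describes.
const storedBio = '<script>steal()</script> Senior analyst';
console.log(renderBioVulnerable(storedBio)); // script tag reaches the browser
console.log(renderBioHardened(storedBio));   // &lt;script&gt;steal()&lt;/script&gt; Senior analyst
```

HttpOnly limits what a successful injection can reach but does not remove the injection itself; the encoding is the fix, the cookie flag is the blast-radius limiter.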
Weaponization: OS Command Injection and Cloud Storage Stealing
The application includes a legitimate utility that allows personnel to export their monthly payslips. The attacker discovers that the file processing function accepts input characters without strict validation, exposing an OS command injection vulnerability.
The attacker supplies malicious command strings in the filename parameter, forcing the underlying Cloud Foundry back-end to print its internal system architecture and environment variables, including VCAP_SERVICES.
Code Snippet: Vulnerable Node.js Endpoint on SAP BTP
    const cp = require('child_process');
    app.get('/payslip-download/:filename', function (req, res) {
      var filename = req.params.filename; // attacker-controlled, never validated
      try {
        // The filename is concatenated straight into a shell command: OS command injection
        const output = cp.execSync('cat /tmp/payslips/' + filename + '.txt');
        res.send(output.toString());
      } catch (e) { res.status(500).send('error'); }
    });

Onapsis Control Identifying the Issues
Exfiltrating the Destination Service Credentials
The raw structure of VCAP_SERVICES contains highly confidential client IDs and client secrets used to connect the BTP application to the centralized BTP destination service. Armed with these stolen credentials, the attacker executes a custom script directly against the destination service API endpoint.
The BTP destination service securely houses the technical usernames and passwords used to bridge cloud environments with on-premises networks. Because the destination configuration lacks robust zero-trust API restrictions, the script returns the plaintext administrative credentials for the production back-end S/4HANA core.
The attacker takes these stolen technical credentials and opens a direct connection to the business database, gaining full authorization to read sensitive tables and manipulate critical partner records.
Scenario 2: The Malicious Insider and the Untraceable User Buffer Backdoor
The second scenario focuses on a deliberate insider threat: a functional ABAP developer with standard developer authorizations who plants a hidden backdoor to execute massive financial fraud completely outside the visibility of classic security audits.

Insider threat attack architecture illustrates how a functional developer leverages a hidden backdoor inside a standard ABAP transport to directly manipulate the USRBF2 memory buffer, bypassing standard role-based controls entirely.
Planting the Backdoor via Legitimate ABAP Transports
The business back-office requests a legitimate custom utility to scan master tables for duplicate vendor accounts and missing tax IDs. The developer writes a basic program that carries out the required analysis and maps it to a custom transaction code (zVMR). The code passes basic functional reviews and is transported through the standard landscape into the production system.
However, embedded deep within the custom logic is a hidden event block triggered only when a highly specific, undocumented function code is typed into the system command line window.
Code Snippet: Malicious ABAP User-Command Backdoor
    " A structural abstraction of the hidden user buffer manipulation exploit
    " lt_ins holds the prepared buffer rows (declaration assumed; not shown in the briefing)
    DATA lt_ins TYPE STANDARD TABLE OF usrbf2.

    AT USER-COMMAND.
      CASE sy-ucomm.
        WHEN 'XACCESS'.
          " Memory manipulation of internal system buffers bypassing role permissions
          INSERT usrbf2 FROM TABLE lt_ins ACCEPTING DUPLICATE KEYS.
      ENDCASE.
Bypassing Role-Based Access Control via USRBF2 Tampering
Under ordinary circumstances, the developer has no authorization to access highly restricted user administration (SU01) or business partner management (BP) transactions. To bypass these restrictions, the insider runs the custom report and enters the secret command string into the command field.
This hidden code interacts directly with table USRBF2, the dedicated low-level database table that maintains the active user authority buffers in the system memory core. The backdoor directly injects a temporary entry into the developer’s local user buffer, granting them full SAP_ALL equivalent permissions across the application stack.
Executing Untraceable Fraud and Clearing the Evidence
Because this privilege escalation happens entirely inside the volatile memory buffer of the active user session, the change completely bypasses traditional security audit trail tools. If an auditor uses standard reporting tools like RSUSR002 or the User Information System (SUIM), the developer’s profile appears completely unchanged and restricted to basic developer permissions.
Attack Chain:
[Legitimate Developer Profile] ➔ [Memory Buffer Tamper] ➔ [Temporary SAP_ALL Escalation] ➔ [Execute Account Fraud] ➔ [Wipe Session Buffers]
With full operational authority active, the developer launches the business partner transaction, targets an active global supplier profile, and updates the payment records with their own private bank details. Every automated invoice execution now routes real corporate funds directly to the insider’s account.
Once the fraud is completed, the insider enters a second undocumented command string that instantly purges the injected buffer modifications from the active user session. The developer profile drops back to its restricted state in seconds, leaving behind zero trace in standard configuration logs.
How to Secure Custom Logic Across BTP and ABAP Environments
Relying on manual code checks or static configuration assessments will not protect complex, modern landscapes from sophisticated threats. To maintain strict compliance and ensure continuous business visibility, organizations must build an automated, zero-trust quality gate into their code delivery processes.
Prerequisites
- Active development control over the SAP Business Technology Platform Cockpit and S/4HANA environments.
- Complete automation integration across modern Git code repositories and change management frameworks.
- Implementation of dedicated SAP application security testing software to enforce continuous development validation.
Step-by-Step Actions
- Deploy In-Line IDE Analysis: Embed real-time code scanning directly inside developer environments like SAP Business Application Studio, Visual Studio Code, and Eclipse. Provide engineers with immediate, spell-check style feedback to correct common injection flaws and validation issues as they type.
- Automate Repository Validation: Schedule automated bulk scans across collaborative Git repositories, ensuring all code at rest is evaluated before merging dependencies into the clean core architecture.
- Enforce Change Management Gates: Configure the automated security platform to act as a mandatory quality gate within the SAP Transport Management System. Establish rules that flag malicious buffer adjustments or missing authorization checks, automatically stopping vulnerable transport requests before they move into production.
- Establish Centralized Visibility: Correlate all custom application flaws, repository bugs, and productive configuration issues within a single centralized platform to track security baselines and maintain clear audit trails over time.
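The change-management gate in the steps above, applied to the USRBF2 backdoor from Scenario 2, as an added example. This is not Onapsis Control or any SAP product; it is a minimal illustrative scanner over ABAP source text that flags two patterns: a write statement against a user buffer table, and a function code handled under AT USER-COMMAND that is not on a documented list. The table list, the event keywords, the severity labels and the sample source are constructed assumptions.

```javascript
// Constructed ABAP source resembling the zVMR utility with its hidden event block.
const SAMPLE_ABAP = `
REPORT zvmr.
" Duplicate vendor scan
SELECT * FROM lfa1 INTO TABLE lt_lfa1.
AT USER-COMMAND.
  CASE sy-ucomm.
    WHEN 'XACCESS'.
      INSERT usrbf2 FROM TABLE lt_ins ACCEPTING DUPLICATE KEYS.
    WHEN 'XCLEAR'.
      DELETE FROM usrbf2 WHERE bname = sy-uname.
  ENDCASE.
`.trim().split('\n');

const BUFFER_TABLES = new Set(['USRBF2', 'USRBF3']); // extend with other buffer/authorization tables as policy requires
const WRITE_RE = /^\s*(INSERT|MODIFY|UPDATE|DELETE)\s+(?:INTO\s+|FROM\s+)?([A-Z0-9_]+)/i;
const EVENT_RE = /^\s*(AT\s+USER-COMMAND|AT\s+SELECTION-SCREEN|START-OF-SELECTION|END-OF-SELECTION|INITIALIZATION|TOP-OF-PAGE|FORM\s)/i;
const WHEN_RE = /^\s*WHEN\s+'([^']+)'/i;

// Scans source lines and returns findings with line numbers. documentedFcodes is the
// set of function codes the program's GUI status legitimately exposes (empty here).
function scanAbapSource(lines, documentedFcodes = new Set()) {
  const findings = [];
  let inUserCommand = false;
  lines.forEach((raw, i) => {
    const line = raw.trim();
    const no = i + 1;
    if (line.startsWith('"') || raw.startsWith('*')) return; // comment line
    const ev = EVENT_RE.exec(line);
    if (ev) inUserCommand = /^AT\s+USER-COMMAND/i.test(ev[1]); // track which event block we are in
    const w = WRITE_RE.exec(line);
    if (w && BUFFER_TABLES.has(w[2].toUpperCase())) {
      findings.push({ line: no, severity: 'high', rule: 'buffer-table-write',
                      detail: w[1].toUpperCase() + ' on ' + w[2].toUpperCase() });
    }
    const wh = inUserCommand ? WHEN_RE.exec(line) : null;
    if (wh && !documentedFcodes.has(wh[1])) {
      findings.push({ line: no, severity: 'medium', rule: 'undocumented-fcode', detail: wh[1] });
    }
  });
  return findings;
}

// Gate decision: any high-severity finding blocks the transport request.
function transportAllowed(findings) {
  return !findings.some((f) => f.severity === 'high');
}

const findings = scanAbapSource(SAMPLE_ABAP);
findings.forEach((f) => console.log(`line ${f.line} [${f.severity}] ${f.rule}: ${f.detail}`));
console.log('transport allowed:', transportAllowed(findings)); // false
```

A production gate would parse tokens rather than regex-match lines and would also cover dynamic table names and writes routed through function modules, which is why the steps above call for dedicated SAP application security testing software rather than a hand-rolled check; the example shows the shape of the rule, not its full coverage.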
Verification
Attempt to package and push an ABAP transport request that injects modifications directly into memory buffer tables or an external BTP application script containing an unverified filename string. Verify that an automated testing tool like Onapsis Control immediately intercepts the request, blocks the deployment from passing through change validation gates, and alerts the Security Operations Center via your SAP threat detection software with precise context for remediation.
Frequently Asked Questions
Can the SAP Clean Core methodology completely prevent application-layer code exploits?
No, the Clean Core approach does not eliminate software risk; it simply shifts custom extensions from the local on-premises core into the cloud environment of SAP BTP. If developers deploy cloud applications with poor authentication practices or OS command vulnerabilities, attackers can compromise those integrations to open a direct gateway straight back into critical internal databases.
How do malicious inside developers bypass standard access control security reviews?
Malicious developers use their technical expertise to inject backdoors directly into low-level memory tables, like the user authorization buffer table USRBF2, during runtime execution. Because these privilege adjustments occur temporarily inside memory buffers rather than permanent security roles, standard audit logs and traditional role review tools show no changes, making the exploitation untraceable to human reviewers.
Why are standard security scanners and network firewalls blind to SAP custom code vulnerabilities?
Network firewalls focus heavily on perimeter boundaries and packet-level inspection, making them unable to interpret or analyze the business logic running inside custom ABAP syntax or cloud-based OData integrations. Traditional security scanners lack deep, application-specific awareness of SAP protocols, which is why organizations require specialized automation to support true SAP vulnerability management and evaluate custom code before it enters production.
