Arbitrary execution of RFC functions through BBP_PDH_PO_RESUBMIT

Impact on Business

This vulnerability allows an attacker to execute any function that exists in the system, therefore if there is, for example, a function that can delete/overwrite files or execute operating system commands, this could be affected from the business to a denial of service.

Vulnerability Details

In SAP CRM – versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization(S_RFC) can use a vulnerable interface(BBP_PDH_PO_RESUBMIT) to perform actions which they would not normally be permitted to. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability.

Solution

SAP has released SAP Note 3309056 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3309056

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

01/24/2023: Onapsis reports vulnerability to SAP
04/11/2023: SAP issues the patch.

References

Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-april-2023/
CVE Mitre: https://www.cve.org/CVERecord?id=CVE-2023-27897
Vendor Patch: https://me.sap.com/notes/3309056

Back to Advisories

Advisory Information

Public Release Date: 08/26/25
Security Advisory ID: ONAPSIS-2024-0044
Researcher(s): Ignacio Oliva

Vulnerability Information

Vendor: SAP
Affected Components:
SAP BBPCRM 700, 701, 702, 712, 713
(Check SAP Note 3309056 for detailed information on affected releases)
Vulnerability Class: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVSS v3 score: 6.0 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)
Risk Level: Medium
Assigned CVE: CVE-2023-27897
Vendor patch Information: SAP Security NOTE 3309056

Affected Components Description

This vulnerability applies to systems with SAP CRM

versions 700, 701, 702, 712, 713

About our Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

The Book on Cybersecurity for SAP

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

Your S/4HANA Cloud Journey