Pentesting SAP S4 / NetWeaver: Protecting Your Most Valuable Systems
SAP S4/NetWeaver is the foundational platform that enables the integration and operation of many business-critical applications. It serves as the technological backbone of numerous SAP environments, supporting everything from financial management to logistics and human resources.
Due to their central role and integration with both internal and external systems, SAP systems are a highly attractive target for attackers aiming to compromise an organization’s infrastructure.
Penetration testing in SAP is fundamentally different from testing in traditional systems. Its technical complexity, use of proprietary protocols, and the critical nature of its processes demand specialized and cautious approaches. A single mistake can disrupt key operations, corrupt sensitive data, or even render the system unusable, potentially causing significant financial losses. Therefore, having professionals trained in SAP environments is essential.
SAP S4 / NetWeaver Architecture: Key Components
ABAP Stack
The ABAP stack is one of the core components of the SAP landscape. It is designed to run applications written in the ABAP language and relies on proprietary protocols such as RFC, DIAG, and others. A critical part of this stack is the SAP Gateway, which handles RFC communication between systems.
The Gateway has been the target of multiple Remote Code Execution (RCE) attacks, especially when access control lists are misconfigured or when dynamic function registration is enabled without restrictions. These misconfigurations can allow unauthenticated attackers to execute arbitrary code remotely and compromise the entire environment.
Java Stack
The Java stack forms the other major pillar of SAP. Unlike the ABAP stack, it leverages standard technologies and protocols like HTTP/S, J2EE, and SOAP, and powers the web-facing components of the system. A key tool in this stack is Visual Composer, which allows users to build SAP applications through a graphical interface without writing code.
Visual Composer is widely adopted due to its ease of use and rapid integration with business data. However, because it is web-exposed and connects to various backend services, it also presents a valuable attack surface, as demonstrated by the recent CVE-2025-31324, which we explore in detail later.
Common Misconfigurations
Many SAP environments suffer from misconfigurations that attackers often exploit. Some of the most common include:
- Unrestricted SAP Gateway access: Allowing dynamic RFC connections without authorization lists.
- ICM / Java HTTP applications open to the internet.
- Default credentials or enabled test/demo users.
- Disabled logging or inadequate monitoring policies.
- Insecure custom-developed code.
- Obsolete and unsupported systems.
The components most frequently targeted include:
- SAP Gateway
- ICM/HTTP Server
- SAP Web Dispatcher
- SAP Message Server
- Visual Composer
Pentesting Techniques in SAP
Our SAP penetration testing methodology blends deep technical expertise with safe, controlled practices to ensure system stability throughout the engagement.
We begin with passive reconnaissance to identify exposed services such as open ports, accessible endpoints, and software versions. Next, we perform targeted SAP-specific scans to detect weak configurations, unauthenticated access points, and risky enabled functions.
To validate our findings, we combine automated tools (e.g., SAP RFC scripts, Hashcat, and known public exploits) with careful manual testing, minimizing the risk of service disruption while ensuring comprehensive coverage.
Safe Testing Practices
During the engagement:
- We do not restart services or alter production data.
- Tests are conducted during pre-approved time windows, preferably in controlled environments.
- All actions are fully audited and traceable for accountability and reporting.
Case Study: CVE-2025-31324 in Visual Composer
What is Visual Composer?
Visual Composer is a visual development tool embedded in the SAP NetWeaver Java stack. It allows business users to create applications and interfaces without programming, connecting visually to backend business data. It’s used widely to accelerate the creation of dashboards, forms, and internal processes.
This tool accelerates the digitalization of internal processes, but because it is exposed and has access to sensitive backend data, it also introduces security risks if it is not properly configured and patched.
About CVE-2025-31324
This critical vulnerability affects SAP Visual Composer and allows unauthenticated attackers to upload arbitrary files to the server, including web shells. The flaw lies in an endpoint responsible for processing visual interface components, which fails to properly validate user-supplied content. This can be exploited to achieve Remote Code Execution (RCE) on the target system.
Impact and Risk
A successful exploitation could allow an attacker to:
- Execute Java code on the server without authentication.
- Take full control of the SAP Java stack.
- Access sensitive business data handled by Visual Composer apps.
- Pivot to other trusted or connected SAP systems (lateral movement), a technique commonly used by advanced attackers to expand their access across interconnected environments.
Mitigation Measures
- Apply SAP’s official security patch immediately; the patch is already available and was released as a high-priority security note addressing the vulnerability.
- Restrict access to Visual Composer to internal networks and authorized users only.
- Audit logs for suspicious or unexpected usage of Visual Composer components.
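The last two mitigations (restrict the upload endpoint to internal networks and authorized users; audit for unexpected usage) can be checked against HTTP access logs. The following is an added example, not code from this page or from SAP: it reads constructed log lines in a simplified, assumed layout (timestamp, client IP, user or `-`, method, path, status, bytes), flags uploads to the Visual Composer endpoint that arrive unauthenticated or from outside the internal ranges, and escalates any later request for a `.jsp` resource from the same client, which is the pattern a dropped web shell leaves behind. The endpoint path, the internal network ranges, and the log layout are all placeholders or assumptions; take the real endpoint from SAP's security note for the CVE and the real format from your ICM/Java server configuration.

```python
"""Flag unauthenticated or out-of-network uploads to a Visual Composer upload
endpoint, and follow-up requests for .jsp files from the same client."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the real upload path comes from SAP's security note for the CVE;
# a placeholder is used here. The internal ranges are an assumption as well.
UPLOAD_PATHS = {"/vc-upload-endpoint-PLACEHOLDER"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample in a simplified access-log layout (assumed, not SAP's):
# <timestamp> <client-ip> <user or -> <method> <path> <status> <bytes>
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.20.30.40 DEVUSER GET /vc/dashboard 200 5120
2025-05-01T10:05:12Z 203.0.113.5 - POST /vc-upload-endpoint-PLACEHOLDER 200 812
2025-05-01T10:05:20Z 203.0.113.5 - GET /webroot-PLACEHOLDER/helper.jsp 200 340
2025-05-01T10:07:44Z 10.20.30.41 ADMIN POST /vc-upload-endpoint-PLACEHOLDER 200 9000
"""


@dataclass
class Request:
    ts: str
    client: str
    user: Optional[str]   # None when the log shows "-" (no authenticated user)
    method: str
    path: str             # query string stripped
    status: int


def parse_log(text: str) -> List[Request]:
    """Parse the assumed seven-field layout; blank lines are skipped."""
    requests = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, method, path, status, _size = raw.split()
        requests.append(Request(ts, ip, None if user == "-" else user,
                                method.upper(), path.split("?", 1)[0], int(status)))
    return requests


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, client, path, reason) tuples in log order."""
    findings = []
    suspicious_clients = set()
    for r in parse_log(text):
        if r.method == "POST" and r.path in UPLOAD_PATHS:
            if r.user is None or not is_internal(r.client):
                # Violates "internal networks and authorized users only".
                suspicious_clients.add(r.client)
                severity = "HIGH" if 200 <= r.status < 300 else "MEDIUM"
                findings.append((severity, r.client, r.path,
                                 "upload without authenticated internal user"))
            else:
                # Legitimate-looking upload: still worth an audit trail entry.
                findings.append(("INFO", r.client, r.path,
                                 f"upload by {r.user}; review against change records"))
        elif r.client in suspicious_clients and r.path.lower().endswith(".jsp"):
            # A new JSP fetched right after a suspicious upload is the
            # web-shell pattern the case study describes.
            findings.append(("CRITICAL", r.client, r.path,
                             "JSP requested after suspicious upload"))
    return findings


if __name__ == "__main__":
    for severity, client, path, reason in analyze(SAMPLE_LOG):
        print(f"{severity:<8} {client:<15} {path:<40} {reason}")
```

On the constructed sample this yields a HIGH finding for the external unauthenticated upload, a CRITICAL finding for the `.jsp` fetched by the same client seconds later, and an INFO entry for the internal administrator's upload. Feeding real logs in would also surface rejected attempts (non-2xx responses are rated MEDIUM), which is useful evidence that the network restriction is being tested even when it holds.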
Strengthening Your SAP Defenses
In SAP environments, security cannot be left to chance. The technical specifics of SAP S4 / NetWeaver, its business criticality, and the sophistication of its potential attack vectors require a highly specialized pentesting approach.
Our team goes beyond vulnerability detection. We help you understand the business impact of technical weaknesses, define effective mitigation strategies, and support the development of long-term security resilience in your SAP landscape.