Top 10 ABAP Code Vulnerabilities and Common S/4HANA Migration Mistakes

1. Missing Authorization Checks

This is the most common mistake in ABAP code-developers forget to add AUTHORITY-CHECK statements before critical data operations. Many developers wrongly assume that if a user has permission to run a transaction (T-code), they automatically have rights to view or modify all data within that transaction.

The problem is that SAP doesn't enforce authorization checks at the database level for custom code. As a result, a user with access to a simple materials report might see data for all plants and storage locations, even those they shouldn't have access to according to organizational structure.

2. SQL Injection in Open SQL and Native SQL

While Open SQL provides some protection, using dynamic conditions in WHERE clauses or executing Native SQL via ADBC interface opens the door to SQL injection attacks. Attackers can manipulate input parameters to change query logic, bypass filters, or access system tables like USR02 (password storage).

A critical example is CVE-2025-0063, discovered in RFC modules for Informix databases. It allowed users with minimal privileges to inject malicious SQL code into host variables, leading to complete compromise of database integrity and availability.

3. ABAP Code Injection

This vulnerability is rated critical (CVSS 9.9) and allows attackers to inject arbitrary ABAP statements directly into the system execution environment. Using constructs like INSERT REPORT or GENERATE SUBROUTINE POOL without proper authorization checks on S_DEVELOP object turns the system into an open book for attackers.

CVE-2025-42957 in the /SLOAE/DEPLOY module demonstrated how insufficient parameter validation in RFC functions allows low-privileged users to create new programs, execute OS-level commands, and create users with SAP_ALL privileges.

4. Cross-Site Scripting (XSS) in Web Dynpro and Fiori

With the shift to web-based interfaces like SAP Fiori and Web Dynpro ABAP, XSS has become one of the three most frequently patched vulnerabilities. The problem occurs when user-entered data is displayed in browsers without proper encoding.

Attackers can use XSS for phishing within the corporate network, intercepting authentication tokens, or performing unauthorized actions as an administrator.

5. Insecure Remote Function Calls (RFC)

RFCs are the backbone of communication between systems in SAP landscapes, but they're often configured insecurely. Common mistakes include no checks on S_RFC object, using trusted connections without restrictions, and exposing critical functions to external networks.

Attackers often use RFC for lateral movement. Compromising a secondary system connected via RFC to a productive S/4HANA environment allows attackers to use the trusted communication channel to execute commands in the business core.

6. Directory Traversal

Using OPEN DATASET with user-controlled parameters can lead to unauthorized reading or writing of files on the application server. If the file path isn't normalized, attackers can use ../ sequences to escape the allowed directory and access sensitive OS files or system logs.

7. Insecure Deserialization

Deserialization vulnerabilities like CVE-2025-30012 allow attackers to manipulate data objects passed between Java and ABAP stacks. If the system trusts incoming byte streams without validating their structure, attackers can inject "gadgets"-fragments of existing code that execute malicious actions during deserialization, up to remote code execution (RCE).

In ABAP development, this is relevant when using classes like CL_ABAP_SERIALIZER or passing complex data structures through binary interfaces.

8. Hard-coded Secrets

Storing passwords, API keys, or tokens directly in program code is a classic mistake that makes the system vulnerable to anyone with code viewing access (transactions SE38, SE80). These secrets also end up in version control systems and transport requests, becoming available at all landscape stages (DEV, QAS, PRD).

9. Missing Audit Trails

Many custom programs modify critical business data (such as prices or partner information) without leaving traces in system logs. In case of a security incident or internal fraud, the absence of an audit trail makes investigation and identifying culprits impossible.

10. Structural Defects and Performance Issues (ABAP Crimes)

While not always a direct vulnerability, poor code structure (lack of modularity, nested loops with database queries) can lead to Denial of Service (DoS). In S/4HANA environments designed for high-speed in-memory processing, unoptimized legacy code can paralyze the HANA database by consuming all available resources.

Mistake 1: Neglecting Role and Authorization Redesign

The most common mistake is trying to transfer existing roles from ECC to S/4HANA "as is." In S/4HANA, many transactions are obsolete or have been replaced (for example, MB1A, MB1B merged into MIGO). Additionally, implementing Fiori requires completely new authorizations for OData services and UI5 applications.

Failure to adapt the Segregation of Duties (SoD) matrix to the new Business Partner architecture (which combines vendors and customers) can lead to critical authorization conflicts enabling fraudulent activities.

Mistake 2: No "Clean Core" Strategy

Many companies continue developing complex extensions directly inside the system core, ignoring SAP recommendations to use SAP Business Technology Platform (BTP) for "Side-by-Side" extensions.

This leads to technical debt accumulation:

• Complications in future system updates
• Core instability due to custom code incompatibility with simplified HANA data models (e.g., ACDOCA table)
• Increased attack surface from millions of lines of unverified code inside ERP

Mistake 3: Data Integrity and Confidentiality Issues During Migration

Data migration often involves format errors, record duplication, and loss of historical links. From a security perspective, a critical mistake is transferring unanonymized personal data to test and sandbox migration environments-a direct GDPR violation.

Mistake 4: Insufficient Attention to OData and Fiori Security

Transitioning to web interfaces requires implementing new defense layers such as Web Application Firewall (WAF) and SAP Web Dispatcher. Many organizations make the mistake of opening access to OData services without proper backend authorization checks, relying only on visual restrictions in the Fiori application. Attackers can call services directly through browser developer tools and access data hidden in the UI.

Using ABAP Test Cockpit (ATC) and RedRays Solutions

Standard SAP tools like ATC and SAP Code Vulnerability Analyzer (CVA) provide basic security checks but often require additional licenses and complex configuration. The RedRays ABAP Security Scanner platform complements these tools by offering:

• Deep Data Flow Analysis (Taint Analysis): Tracks data path from user input to dangerous code operators
• Reduced False Positives: Thanks to SAP-context awareness, saving developer time
• CI/CD Integration: Allows code checking during writing, implementing a "Shift Left" approach

Secure Migration Recommendations

1. Conduct Full Custom Code Audit before starting migration using SAP Readiness Check and specialized scanners like RedRays ABAP Scanner
2. Implement "Clean Core" Principle: Remove unused code (Soft Cleaning technology) and move innovations to BTP
3. Automate Authorization Testing: Use tools for trace analysis and automatic role creation based on actual function usage
4. Ensure Infrastructure Security: Configure network segmentation, update OS and HANA DB patches, activate SAP Security Audit Log