Introduction
Attackers with standard user access can achieve full system compromise in SAP Landscape Transformation (SLT) environments due to a critical ABAP code injection flaw. This issue enables bypass of core authorization checks and opens the door to persistent backdoor access, affecting the confidentiality, integrity, and availability of business-critical SAP systems.
About SAP and SLT: SAP SE is a dominant force in the enterprise software market, with over 440,000 customers globally. SAP Landscape Transformation (SLT) is a key component for real-time data replication and integration across SAP landscapes, underpinning many business-critical operations in large organizations.
Technical Information
CVE-2025-42950 is a code injection vulnerability (CWE-94) in SAP Landscape Transformation (SLT) that affects function modules exposed via Remote Function Call (RFC). The vulnerability arises from insufficient input validation and missing authorization checks in specific RFC-enabled function modules. Authenticated users can supply crafted input that is dynamically incorporated into ABAP code execution contexts.
When the vulnerable function module processes user-supplied data, it fails to sanitize or validate this input before using it in dynamically constructed ABAP statements. This allows an attacker to inject arbitrary ABAP code. The injected code executes with system-level privileges, bypassing standard SAP authorization mechanisms. This results in:
- Arbitrary code execution
- Full system compromise
- Potential for persistent backdoor creation
- Manipulation of business processes and data
The vulnerability is accessible to any authenticated user with RFC access to the affected function module, significantly lowering the exploitation barrier. The root cause is improper handling of user-controlled input in the ABAP runtime, specifically in the context of RFC-exposed modules within SLT.
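A code-review triage check for the pattern described above, as an added example that is not from SAP or the original advisory: it scans exported ABAP source for function modules that compile runtime-built source and reports whether the module contains any AUTHORITY-CHECK. The statements it searches for are generic ABAP dynamic-code constructs chosen as an assumption (the advisory does not name the affected statements or modules), and the Z_DEMO_* modules and Z_DEMO_OBJ are constructed sample input.

```python
import re

# Assumption: generic ABAP statements that compile or store runtime-built source.
# The advisory does not name the statements used by the affected modules.
DYNAMIC_CODE = {
    "GENERATE SUBROUTINE POOL": re.compile(r"\bGENERATE\s+SUBROUTINE\s+POOL\b", re.I),
    "INSERT REPORT": re.compile(r"\bINSERT\s+REPORT\b", re.I),
}
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)
FUNC_BLOCK = re.compile(
    r"^\s*FUNCTION\s+([\w/]+)\s*\.(.*?)^\s*ENDFUNCTION\s*\.", re.I | re.S | re.M)

def strip_comments(body):
    """Drop full-line (*) comments and inline (") comments; triage-grade only."""
    lines = [l.split('"', 1)[0] for l in body.splitlines() if not l.startswith("*")]
    return "\n".join(lines)

def review(source):
    """Return one finding per function module that uses dynamic code generation."""
    findings = []
    for name, body in FUNC_BLOCK.findall(source):
        code = strip_comments(body)
        used = [stmt for stmt, rx in DYNAMIC_CODE.items() if rx.search(code)]
        if used:
            findings.append({"function": name.upper(), "statements": used,
                             "has_authority_check": bool(AUTH_CHECK.search(code))})
    return findings

# Constructed sample source (hypothetical modules, not SAP code).
SAMPLE = """\
FUNCTION Z_DEMO_BUILD_FILTER.
* AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ' appears only in this comment
  APPEND iv_condition TO lt_src.
  GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
ENDFUNCTION.

FUNCTION Z_DEMO_BUILD_CHECKED.
  AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ' ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0. RAISE not_authorized. ENDIF.
  GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
ENDFUNCTION.

FUNCTION Z_DEMO_READ_STATUS.
  SELECT SINGLE status FROM zdemo_status INTO ev_status WHERE id = iv_id.
ENDFUNCTION.
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A module with an authorization check is still reported, because the check does not make source text built from caller input safe; the flag only helps order the manual review.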
Affected Systems and Versions
- Product: SAP Landscape Transformation (SLT)
- Vulnerable component: Function modules exposed via RFC
- Affected versions: Specific version information is not provided in the available sources. Organizations should consult SAP Security Note 3633838 for detailed affected version ranges and patch applicability.
- Vulnerable configuration: Any SAP SLT system exposing the affected function modules via RFC to authenticated users
Vendor Security History
SAP has experienced a series of critical vulnerabilities in 2025, including:
- CVE-2025-31324 (NetWeaver Visual Composer unrestricted file upload, CVSS 10.0)
- CVE-2025-31330 (SLT code injection, CVSS 9.9)
- CVE-2025-27429 (S/4HANA code injection, CVSS 9.9)
- CVE-2025-42999 (NetWeaver Visual Composer deserialization, CVSS 9.1)
SAP typically issues monthly security patches and has released out-of-cycle advisories for actively exploited vulnerabilities. The recurrence of code injection and deserialization flaws indicates ongoing challenges in secure development and code review processes.
