![Beitragsbild zu SAP Remote Function Call (RFC) Vulnerabilities in 2023](https://www.all-about-security.de/wp-content/uploads/2023/06/important-g610ae421f_640.jpg)
In 2007, Onapsis CEO & Co-founder Mariano Nuñez presented several vulnerabilities and attacks affecting the RFC protocol at Black Hat Europe. That presentation became a call to action for the research community to dedicate time to improving the security of SAP applications and SAP protocols.
On June 29, 2023, sixteen years later, Fabian Hagg, a security researcher with extensive experience in SAP applications, presented at the TROOPERS conference in Heidelberg, providing details of four vulnerabilities affecting the RFC protocol. He is credited with reporting these vulnerabilities, which can be chained and combined by attackers to take over SAP applications running the RFC protocol.
SAP RFC Vulnerabilities
The presentation by Fabian Hagg was accompanied by the release of a whitepaper covering the RFC protocol, along with proof-of-concept code and details for the following vulnerabilities:
- CVE-2023-0014 (SAP Security Note 3089413) – CVSS 9.8
- CVE-2021-27610 (SAP Security Note 3007182) – CVSS 9.8
- CVE-2021-33677 (SAP Security Note 3044754) – CVSS 7.5
- CVE-2021-33684 (SAP Security Note 3032624) – CVSS 5.3
Given the criticality of the disclosed vulnerabilities, unprotected SAP applications could be compromised by remote, unauthenticated attackers, affecting the integrity, confidentiality, and availability of these applications. Furthermore, because SAP applications and their business processes are business-critical, attackers could carry out espionage (accessing business information), sabotage (disrupting business processes), or fraud (modifying business data).
Resolving These Vulnerabilities
The fixes for these vulnerabilities differ: some involve patching the SAP Kernel, others upgrading the SAP_BASIS software component, and in some cases both are required, so remediation takes time and preparation. Some of these patches were released two years ago and some as recently as several months ago, so many organizations may already have implemented at least some of the fixes. However, it is important to check your systems against these vulnerabilities to ensure that you have both patched the kernel and upgraded the software component where required, since applying only one of the two leaves the affected system exposed.
I highly encourage your team to evaluate your systems against these vulnerabilities. All existing Onapsis Assess customers have the ability to check if the associated SAP Security Notes are relevant for their systems and whether they have been applied since the notes were published. Additionally, customers with the Threat Intel Center will receive an update with details of this research along with a listing of any system that is still vulnerable.