Skip to Content


Hi expect,

My leader wants to know if there is a vulnerability that can destroy the system program without logging in to the system.

(Even though I think it's impossible.)

It seems to have something to do with SAP basis. I'm just an ABAPer What I said can't make him believe.

I hope you can answer my questions from a professional perspective. Thank you in advanceļ¼

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • Posted on Oct 25, 2019 at 11:16 AM

    Short answer: yes it is possible assuming someone exploits a known vulnerability, injects and executes malicious code. Security concerns around SAP systems have increased in the past decade, SAP vulnerabilities are being actively scanned around the world. These days you have companies specializing in SAP security including vulnerability and penetration testing.

    You should at least follow the SAP Security Response Wiki Page to know what vulnerabilities exist in your SAP system.

    Long answer: every system can be compromised given sufficient time and resources, you need to always keep security in mind. Security can mean physical security, network security, application level security, etc. With SAP, you should only open up access to the system where needed and configure your network accordingly. For example, do not expose your SAP system to the Internet unless you absolutely have to. At least always restrict port and protocol access using a firewall. If you need to expose your system to the Internet, at least have a system in between such as SAP Gateway that you expose rather than the actual system of record. Also, I recommend you use encrypted communication whenever possible, even inside the corporate network. Even more important is to keep up to date with security patches. You might have to patch your SAP system monthly just like you would patch your hardware, operating system, database, etc. Also, security has to be considered when implementing enhancements or creating custom solutions on top of SAP. Proper design and adherence to authorization concepts and best practices should always be a priority. Typically, SAP security is handled by three different teams: basis, development and security/governance/compliance. You can also have a dedicated security team or teams depending on your company size.

    I suggest you add the Security tag to have more visibility.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.