Overview
CVE-2025-31330 is a critical vulnerability in SAP Landscape Transformation (SLT), specifically in the Analysis Platform component. An attacker holding only ordinary user privileges can inject arbitrary ABAP code into the system through a function module that is exposed over RFC. Because the module does not enforce the authorization checks that should guard code generation, the flaw effectively acts as a backdoor and puts the confidentiality, integrity, and availability of the affected system at risk.
Technical Details
The vulnerability is categorized under CWE-94: Improper Control of Generation of Code ('Code Injection'). It exists because input passed to a remote-enabled function module is not properly validated before it is turned into executable ABAP. ABAP authorizations are enforced only by explicit checks in application code, so injected code that performs none runs with no effective restriction on what it can read, change, or call. A user with limited privileges who can reach the module over RFC can therefore execute arbitrary code, escalate privileges, and compromise the SAP environment.
The vulnerability is remotely exploitable without user interaction and affects systems running the affected DMIS add-on versions listed below. A successful attack can result in:
- Unauthorized execution of ABAP code
- Bypassing of critical authorization mechanisms
- Complete takeover of the affected SAP system
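The following is a constructed example added to this write-up; it is not SAP's code and not the SLT module behind CVE-2025-31330, and the Z_ names and the two table names in the allowlist are placeholders. It shows the CWE-94 pattern in a remote-enabled function module (caller-supplied text compiled with GENERATE SUBROUTINE POOL and no AUTHORITY-CHECK) beside a hardened module that never compiles input, validates its parameter against a static allowlist with the standard CL_ABAP_DYN_PRG helper, and performs an explicit authorization check for the operation it actually carries out. The "Remote-Enabled Module" attribute is set in the Function Builder, not in the source.

```abap
* Constructed example, not SAP code. Z_ names are hypothetical.

FUNCTION z_rfc_exec_vuln.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IT_SOURCE) TYPE STRING_TABLE
*"  EXPORTING
*"     VALUE(EV_MESSAGE) TYPE STRING
*"----------------------------------------------------------------------
  DATA lv_prog TYPE syrepid.

  " VULNERABLE (CWE-94): caller-supplied lines are compiled and executed
  " as ABAP with no AUTHORITY-CHECK. Any user with S_RFC for this module
  " can run whatever they send, regardless of their other authorizations.
  GENERATE SUBROUTINE POOL it_source NAME lv_prog MESSAGE ev_message.
  IF sy-subrc = 0.
    PERFORM ('MAIN') IN PROGRAM (lv_prog) IF FOUND.
  ENDIF.
ENDFUNCTION.


FUNCTION z_rfc_count_rows_fixed.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_TABNAME) TYPE TABNAME
*"  EXPORTING
*"     VALUE(EV_COUNT) TYPE I
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"     INVALID_INPUT
*"----------------------------------------------------------------------
  " 1. Never compile caller-supplied text. The interface takes a
  "    parameter for one fixed operation instead of ABAP source.

  " 2. Validate the parameter against a static allowlist before it
  "    reaches a dynamic token. CL_ABAP_DYN_PRG is SAP's standard helper
  "    for this; the table names below are placeholders.
  DATA(lt_allowed) = VALUE string_table( ( `MARA` ) ( `KNA1` ) ).
  DATA lv_tab TYPE string.
  TRY.
      lv_tab = cl_abap_dyn_prg=>check_whitelist_tab(
                 val       = CONV string( iv_tabname )
                 whitelist = lt_allowed ).
    CATCH cx_abap_not_in_whitelist.
      RAISE invalid_input.
  ENDTRY.

  " 3. Explicit authorization check for what is actually being done
  "    (reading table contents), evaluated for the calling RFC user.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_tabname
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " 4. Only the validated, authorized value is used dynamically.
  SELECT COUNT(*) FROM (lv_tab) INTO @ev_count.
ENDFUNCTION.
```

The point of the hardened version is not the allowlist alone: the real fix for code injection is to remove the path from untrusted input to code generation entirely, and then to make each remaining dynamic operation pass an authorization check that reflects what the caller is really being allowed to do.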
CVSS Score and Vector
Base Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
This vector indicates a network-reachable attack of low complexity that requires only low privileges (a valid user able to call the module) and no user interaction, with high impact on confidentiality, integrity, and availability. The changed scope reflects that control of the vulnerable component yields control of resources beyond it, here the entire ABAP system.
Affected Products
- SAP Landscape Transformation (Analysis Platform)
Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731
Mitigation and Recommendations
SAP addressed this vulnerability in its April 2025 Security Patch Day. Organizations running the affected DMIS versions should:
- Apply SAP Note 3587115 immediately
- Restrict RFC access: grant S_RFC only for the function groups and modules a user actually needs, and limit network reachability of the RFC ports to trusted hosts
- Audit remote-enabled function modules (TFDIR-FMODE = 'R') and the S_RFC authorizations that cover them
- Monitor the Security Audit Log and RFC traces for unexpected calls to SLT function modules and for ABAP code generation by accounts that are not developers
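As an added example of the audit step (not code from SAP or from this advisory), the report below lists every remote-enabled function module whose name starts with a given prefix, joining TFDIR (FMODE = 'R' marks RFC-enabled modules) with ENLFDIR for the function group, and then asks whether the current user passes the S_RFC check for each one. Run it under a low-privilege test account to spot over-broad S_RFC grants. The Z_ report name and the default prefix are assumptions; choose the prefix that matches the SLT objects in your system.

```abap
REPORT z_audit_rfc_enabled_fms.

" Constructed example, not SAP code. The prefix is an assumption;
" point it at the namespace used by the SLT objects on your system.
PARAMETERS p_pfx TYPE rs38l_fnam DEFAULT 'DMC'.

DATA lv_pattern TYPE rs38l_fnam.
lv_pattern = |{ p_pfx }%|.

" TFDIR-FMODE = 'R' identifies remote-enabled (RFC) function modules;
" ENLFDIR maps each module to its function group.
SELECT t~funcname, e~area
  FROM tfdir AS t
  LEFT OUTER JOIN enlfdir AS e ON e~funcname = t~funcname
  WHERE t~fmode = 'R'
    AND t~funcname LIKE @lv_pattern
  ORDER BY t~funcname
  INTO TABLE @DATA(lt_rfc).

LOOP AT lt_rfc INTO DATA(ls_rfc).
  " Can the *current* user call this module over RFC? S_RFC with
  " RFC_TYPE = 'FUNC' checks at module granularity; ACTVT 16 = execute.
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUNC'
    ID 'RFC_NAME' FIELD ls_rfc-funcname
    ID 'ACTVT'    FIELD '16'.
  DATA(lv_reach) = COND string( WHEN sy-subrc = 0
                                THEN 'CALLABLE'
                                ELSE 'blocked' ).
  WRITE: / ls_rfc-funcname, ls_rfc-area, lv_reach.
ENDLOOP.
```

Modules reported as CALLABLE for an account that has no business reason to reach SLT are the ones to tighten first; after applying the note, the same listing is a quick way to confirm that the exposure of the remaining remote-enabled modules matches your intended RFC policy.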
Conclusion
CVE-2025-31330 is a critical reminder of the risks posed by improperly secured remote function modules in enterprise software. Given the potential for full system compromise, prompt remediation is essential.