
Detecting SAP RFC Gateway exploitation (attempts) 

To prevent unauthorised access to your SAP systems  


Our recently launched SAP Threat Detection solution enables real-time monitoring and detection of (cyber) threats. An important potential threat is exploitation, or attempted exploitation, of vulnerable SAP RFC Gateways.

Why are SAP RFC Gateways a potential security problem?  

Vulnerable SAP RFC Gateways provide unauthenticated access to SAP systems. Even today, many organisations are unaware of this risk, and by default there is no monitoring in place to notify customers of active exploitation (attempts).

What is an SAP RFC Gateway? 


The SAP RFC Gateway is a technical component embedded in each SAP ABAP and Java system and is responsible for several types of communication in SAP systems. If not properly secured, this component allows unauthorised execution of operating system commands, which easily leads to a full compromise of the SAP system involved. Unfortunately, improper configuration of this component was, and still is, not that uncommon. SAP has shipped SAP systems with an insecure default setup for many years. This has improved over the past few years for new installations, but many customers that installed SAP systems in the past are still running an insecure setup and are therefore vulnerable.

How can an SAP RFC Gateway be exploited? 

In our experience with SAP penetration tests over the past 10 years, unsecured RFC Gateways have many times provided an easy way into SAP systems, for example because they allow execution of OS commands, reading of data from the database and also updating data in the database. This may lead, for example, to remote creation of SAP users with SAP_ALL privileges. Some examples are demonstrated in the video below, which we created for a security conference back in 2010(!). This illustrates that this is an old security flaw in SAP systems, which we still find at customers at times.

How to monitor and detect SAP RFC Gateway exploitation attempts? 

Obviously, the impact of RFC Gateway exploitation is high because access to all system data is possible. But there is another challenge: SAP customers are typically unaware that their SAP systems are under attack, since there is no alerting or monitoring in place by default. Without additional monitoring, SAP customers are sailing blind and won’t know about RFC Gateway exploitation (attempts) against their systems. Existing non-SAP monitoring solutions typically operate at the network or operating system level and don’t detect these activities. That is why there is a need for specific solutions at the SAP application level, like the Protect4S Threat Detection solution.

To monitor the above-mentioned activity, two use cases within the Protect4S Threat Detection solution enable active monitoring for RFC Gateway exploitation (attempts). These use cases can be modified, and exceptions can be made, for example for specific systems or hosts, to prevent false positives. Some third-party products use the RFC Gateway in a legitimate way, and those products can have an exception, for example when operated from a specific subnet.



In case RFC Gateway exploitation (attempts) are detected, the Protect4S Threat Detection solution will create a threat that can be sent to a SIEM / SOC for further processing. This will help the organisation to quickly respond to suspicious activities without going through too many irrelevant alerts. A threat alert contains all relevant information for further containment: details about the involved user, hostname, executed OS command and the original event that triggered the threat, plus references for more information.
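The rule-plus-exception logic described above can be sketched as follows. This is an added example, not Protect4S code: the event field names, the sample events and the exception values are constructed assumptions and do not reflect SAP's gateway log format or any product schema.

```python
import ipaddress

# Constructed, normalized gateway events (field names are assumptions).
SAMPLE_EVENTS = [
    {"system": "PRD", "source_ip": "10.20.30.15", "user": "tp_sched",
     "hostname": "sched01", "action": "start_external_program",
     "command": "/opt/scheduler/bin/agent"},
    {"system": "PRD", "source_ip": "192.0.2.77", "user": "unknown",
     "hostname": "ws-4411", "action": "start_external_program",
     "command": "/bin/sh"},
    {"system": "DEV", "source_ip": "192.0.2.80", "user": "dev1",
     "hostname": "ws-0007", "action": "start_external_program",
     "command": "/usr/bin/id"},
    {"system": "PRD", "source_ip": "192.0.2.77", "user": "unknown",
     "hostname": "ws-4411", "action": "rfc_call", "command": ""},
]

# Exceptions: the subnet a legitimate third-party product operates from,
# and a system excluded from this use case (both hypothetical).
EXCEPTIONS = {
    "subnets": [ipaddress.ip_network("10.20.30.0/24")],
    "systems": {"DEV"},
}

def is_excepted(event, exceptions):
    """True if the event matches a configured system or subnet exception."""
    if event["system"] in exceptions["systems"]:
        return True
    try:
        ip = ipaddress.ip_address(event["source_ip"])
    except ValueError:
        return False  # an unparseable source never qualifies for an exception
    return any(ip in net for net in exceptions["subnets"])

def detect(events, exceptions):
    """Return one threat per OS command start that no exception covers."""
    threats = []
    for event in events:
        if event["action"] != "start_external_program":
            continue
        if is_excepted(event, exceptions):
            continue
        threats.append({
            "use_case": "RFC Gateway OS command execution",
            "user": event["user"],
            "hostname": event["hostname"],
            "os_command": event["command"],
            "original_event": event,  # kept for SIEM / SOC follow-up
        })
    return threats

if __name__ == "__main__":
    for threat in detect(SAMPLE_EVENTS, EXCEPTIONS):
        print(threat)
```

Keeping exceptions as narrow as the legitimate product allows (a subnet rather than a whole system) limits how much activity the rule stops seeing.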



Key takeaways 

To summarise the above, SAP RFC Gateway exploitation attempts pose a high risk to your SAP landscape but no longer need to be a blind spot. Detecting them at an early stage will prevent further risks to your SAP systems. Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access. By using default best-practice values and setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage. 
