A new critical vulnerability, CVE-2023-7629, has emerged as a major threat to organizations relying on SAP NetWeaver AS ABAP, enabling attackers to execute remote code without authentication. What makes this vulnerability particularly alarming is that it exists even if NetWeaver is installed but not actively leveraged—meaning dormant instances remain susceptible to exploitation.
State-sponsored threat actors are already targeting financial institutions and manufacturing firms with advanced malware dubbed SAPphire, designed to evade detection and exfiltrate sensitive business data. Exploitation begins with a specially crafted HTTP request that bypasses security controls, triggering memory corruption in the SAP Internet Communication Manager (ICM) component. Once inside, attackers modify SAP configurations to establish persistence, allowing them to maintain control over compromised systems.
Given the severe impact, organizations cannot afford to wait. Here’s what must be done immediately:
Apply Emergency Patches Now
SAP has released critical patches, and any delay in applying them increases the likelihood of compromise. All organizations running NetWeaver AS ABAP—whether actively used or not—must prioritize patching as a first-line defense.
Strengthen Network Segmentation & Monitoring
Attackers are leveraging encrypted command-and-control channels through SAP protocols, making traditional security tools ineffective. Implementing robust segmentation and deploying behavioral analytics can help detect abnormal SAP traffic and potential threats before they escalate.
Conduct a Comprehensive SAP Security Audit
Given the attackers' deep understanding of SAP environments, organizations must proactively assess SAP configurations, scheduled jobs, and access controls to detect signs of unauthorized modifications. A detailed audit is essential to prevent attackers from achieving long-term persistence.
With active exploitation already underway, businesses across industries—from government agencies to critical infrastructure operators—must act swiftly to safeguard their environments. CVE-2023-7629 is not just another vulnerability—it’s a ticking time bomb that could lead to significant financial and operational disruption if left unaddressed.
Now is the time to harden defenses before your SAP systems become the next target. Are your security measures up to the challenge?
Chuck Newton
Sr. Security Advisor
SASE Advisors