README
SAP Security Research Notes
My personal research notes on SAP security. Started this after running into SAP systems during pentests and realizing how complex and vulnerable they can be.
What's in here
- SAP Platform Overview - Basic stuff about what SAP is and how it works
- Known Vulnerabilities & CVEs - CVEs I found, some are pretty critical
- Security Testing Checklist - My pentesting checklist for SAP
- How-To Guides - Step-by-step instructions for actually testing SAP
- Defense & Mitigation - How to secure this mess
Quick notes for when I'm lazy
CVEs worth checking (recent ones)
- CVE-2025-31324 - Unauthenticated file upload in SAP NetWeaver Visual Composer (exploited in wild!)
- CVE-2025-42999 - Deserialization vuln in SAP NetWeaver Visual Composer
- CVE-2025-0070 - Auth bypass in SAP NetWeaver AS for ABAP
- CVE-2025-0066 - Info disclosure in SAP NetWeaver AS for ABAP
- CVE-2024-41730 - Missing auth check in SAP BusinessObjects BI Platform
Default ports I've seen
- 3200/tcp - SAP Dispatcher
- 3300/tcp - SAP Gateway
- 3600/tcp - SAP Message Server
- 8000/tcp - SAP ICM (Internet Communication Manager)
- 44300/tcp - SAP ICM HTTPS
- 50000/tcp - SAP Web Dispatcher
- 50013/tcp - SAP Web Dispatcher HTTPS
Common attack vectors that usually work
- Default credentials (admin/admin, sap/sap, etc.)
- Unpatched systems (SAP Security Notes not applied)
- Unsecured RFC interfaces
- Custom ABAP code vulnerabilities
- Misconfigured ICM/Web Dispatcher
- File upload vulnerabilities
- Deserialization attacks
Default credentials to try
- admin/admin
- sap/sap
- DDIC/19920707
- SAP*/PASS
- TMSADM/ADMIN
- EarlyWatch/SUPPORT
Why I made this
SAP systems are everywhere in enterprise environments and they're usually a goldmine for pentesters. Most companies don't patch them regularly and leave default configs. This is my cheat sheet for when I run into one.