- SAP Managed Tags
Weak passwords are an open invitation for cybercriminals, and SAP systems are no exception. Here are some Real-World Case Studies:
These are a few, but what is common in many of these attacks are broadly categorized into the following:
How to address these challenges?
1. Weak Passwords: It is quiet easy to remember “qwerty” passwords (those which are easy to type and remember.) In my experience, I’ve noticed that many organizations doesn’t enforce strong password policies which leaves a room to the users to set simple passwords. The 1st step towards securing your SAP systems is to define the passwords that are weak in nature and block them.
A great resource for commonly used passwords is the SecLists GitHub repository
Updating them in the USR40 table helps block commonly used passwords, reducing the risk of brute-force attacks and unauthorized access.
If your SAP system doesn’t have the USR40 table maintained/updated, it’s time for a quick update. Here is a simple yet effective way of updating USR40 table. Use the ABAP code, and upload the 10k password list:
ABAP Program to Mass Upload Forbidden Passwords to USR40:
Here’s the ABAP code to upload a text file directly from your desktop and update USR40.
ABAP Code – https://togglenow.com/assets/ABAP_code_ZPRG_UPDATE_USR40.txt
Download and create the ABAP program in your SAP system. Once the program is available, follow the steps mentioned below:
- Download the top 10,000 passwords from GitHub.
- Save as forbidden_passwords.txt (one password per line).
- Run the ABAP program using SE38 or SA38.
- Select the file from your desktop. (Ensure to have both Password, and Case sensitive fields)
- Execute the program to update USR40.
- Verify entries using SE16N.
NOTE: You may google for some additional commonly used passwords and add them following similar steps.
2. Secure Default SAP User Accounts:
The 1st step is to use RSUSR003 report to check active standard users. It is recommend to keep the key users – SAP* and DDIC locked. When SAP* ID is deleted from user master, it utilizes the one in the code with default password. This often becomes an easy option to the malicious hackers. Hence, SAP introduced a parameter login/no_automatic_user_sapstar which disables SAP* from being recreated. Set this parameter value to 1.
Additionally, ensure that only Firefighter IDs have access to S_USER_GRP with SUPER user group access so that no administrator has authorization to do any activities on these IDs such as resetting password, unlocking etc.,
It is also recommended to implement appropriate mechanisms to enforce strong password policies. The following activities are advised:
- Establish strong password policies
- Disable storing of old password hashes
- Avoid using hardcoded passwords
Each of these activities are further detailed in the subsections below.
2.1 Password Policies:
You should also reinforce password policies in SAP using the RZ10 profile parameters. Here are the key parameters that must be set:
- login/min_password_lng = 8 → Minimum password length of 8 characters.
- login/password_expiration_time = 90 → Passwords expire every 90 days.
- login/password_history_size = 5 → Prevents reuse of the last 5 passwords.
- login/password_complexity = 3 → Requires uppercase, lowercase, numbers, and special characters.
- login/password_specials = 1 → Ensures at least one special character.
- login/failed_user_lock = 3 → Locks account after 3 failed login attempts.
2.2 Credential Stuffing:
To protect passwords, the value of login/password_downwards_compatibility must be set to 0 to avoid storing older and vulnerable password hashes that can be attacked.
2.3 Hardcoded passwords:
Hardcoded passwords in ABAP programs pose significant security risks, as they can be easily exposed through code inspection or version control systems. Storing credentials directly in the source code makes them accessible to anyone with access to the development environment, increasing the risk of unauthorized access and data breaches.
For example, using statements like `CALL FUNCTION 'FTP_CONNECT' EXPORTING USER = 'FTPUSER' PASSWORD = 'ftp123'` or defining variables such as `lv_password = 'welcome1'` within the code is a poor security practice.
Instead, passwords and other sensitive data should be stored securely using mechanisms like the Secure Storage in SAP NetWeaver or retrieved dynamically through secure APIs or environment variables, ensuring that sensitive information is never exposed in plain text within the codebase.
3. Stolen Credentials through Phishing:
Phishing remains one of the most effective tactics for cybercriminals to gain unauthorized access to SAP environments. Attackers exploit social engineering techniques, deceptive emails, and fake login portals to trick employees into revealing their credentials. Once stolen, these credentials serve as an entry point for attackers to manipulate critical business data, execute fraudulent transactions, and escalate privileges, potentially compromising the entire SAP ecosystem. Here is an example:
Phishing-driven credential theft is not just an IT issue—it’s a business risk that can lead to financial loss, operational downtime, and reputational damage. Strengthening authentication, enhancing monitoring, and fostering a security-first culture are critical to securing SAP systems against evolving threats.
4. Unsecured RFCs:
Remote Function Calls (RFCs) are a core part of SAP architecture, enabling communication between systems and external applications. However, when these connections are left unsecured, they create serious vulnerabilities.
For example, if an RFC destination allows anonymous or hardcoded credentials, an attacker could use tools like SAP GUI or scripting frameworks to execute critical function modules such as `BAPI_USER_CHANGE` to modify user data or `RFC_READ_TABLE` to extract sensitive business information.
In some cases, RFCs are exposed without proper authorization checks, allowing unauthorized systems to call functions with elevated privileges. Additionally, unencrypted RFC connections can be intercepted, exposing credentials and data in transit. To secure RFCs, organizations should enforce strong authentication, apply role-based access control on RFC users, restrict connections to trusted IPs, and enable logging and monitoring for unusual activity. Regularly auditing and securing RFC destinations is vital to prevent misuse and safeguard SAP systems.
Additionally, it is recommended to secure the RFC enabled function modules using the Unified Connectivity (UCON) capability in SAP. Here is an interesting read about UCON and how it can be utilized:
https://togglenow.com/learnings/unified-connectivity-ucon-the-built-in-sap-cybersecurity-solution/
Conclusion:
Securing SAP systems with strong, well-managed passwords is a fundamental step in protecting critical business data and operations. Weak or poorly handled passwords can open the door to unauthorized access, data breaches, and compliance violations. By enforcing robust password policies, avoiding hardcoded credentials, disabling outdated password hashes, and regularly auditing user authentication practices, organizations can significantly reduce their attack surface. Password security should not be viewed as a one-time effort, but as an ongoing part of a broader cybersecurity strategy. Investing in password hygiene today strengthens the overall resilience of your SAP landscape for the future.
Question for You: What’s the worst password you’ve seen in an enterprise system? Drop it in the comments!
