T 5.128 Unauthorised data access by transferring code to an SAP system
If an attacker is able to insert ABAP code into an SAP system, data can be accessed without authorisation, since the security controls of an SAP system are themselves implemented in ABAP code and can therefore be bypassed by code that runs inside the system.
Examples:
- Within the framework of a software update, a developer installs additional code of his/her own on an SAP system; this code grants remote access to all programs on the SAP system.
- An attacker from the outside manages to store his/her own transport files in the SAP transport directory due to a vulnerability in an application developed in-house at the company. These files are then picked up and installed without being examined in advance and can cause damage in this way.
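The second example turns on transport files being imported without prior review. The following script is an added illustration of such a review step and is not part of the BSI catalogue: it compares every file under the cofiles/ and data/ subdirectories of a transport directory against a manifest of reviewed transports (one "<sha256>  <subdir>/<filename>" line each; the manifest format is an assumption) and reports any file that was never approved. The demo data it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the BSI catalogue): flag transport files that were
# placed in the SAP transport directory without prior review.
# Assumptions: the usual cofiles/ and data/ subdirectories exist, and a manifest
# of reviewed transports lists one approved file per line as
# "<sha256>  <cofiles|data>/<filename>" (hypothetical manifest format).

hash_file() {
    # sha256sum on Linux, shasum on systems without coreutils
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_transport_dir <transdir> <manifest>
# Prints every file in cofiles/ and data/ whose hash is not in the manifest.
# Returns 0 when every file is approved, 1 when at least one is not.
check_transport_dir() {
    transdir=$1; manifest=$2; bad=0
    for sub in cofiles data; do
        for f in "$transdir/$sub"/*; do
            [ -f "$f" ] || continue
            rel="$sub/$(basename "$f")"
            h=$(hash_file "$f")
            if ! grep -qxF "$h  $rel" "$manifest"; then
                echo "UNREVIEWED transport file: $rel ($h)"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed demo data: one reviewed transport pair plus one data file that
# was never approved (all names and contents are made up for this example).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/cofiles" "$d/data"
    printf 'K900123.DEV cofile (constructed)\n' > "$d/cofiles/K900123.DEV"
    printf 'R900123.DEV data (constructed)\n'   > "$d/data/R900123.DEV"
    {
        echo "$(hash_file "$d/cofiles/K900123.DEV")  cofiles/K900123.DEV"
        echo "$(hash_file "$d/data/R900123.DEV")  data/R900123.DEV"
    } > "$d/approved.manifest"
    printf 'unreviewed (constructed)\n' > "$d/data/R900999.DEV"
    echo "$d"
}
```

Running check_transport_dir against the demo directory reports data/R900999.DEV as unreviewed and exits non-zero; once that file is removed or added to the manifest after review, the check passes.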