Version 5.3 of the Cybersecurity Extension for SAP (CES) is now available, delivering major enhancements for SAP vulnerability management and threat detection. This release introduces comprehensive monitoring for the SAP Cloud Connector, updates to key compliance frameworks including SAP RISE, and emergency patches for zero-day vulnerabilities like CVE-2025-31324.
The latest release of the Cybersecurity Extension for SAP (CES), version 5.3, provides critical new capabilities for securing hybrid SAP landscapes. A primary focus of this update is the introduction of detailed security monitoring for the SAP Cloud Connector, an essential component that links on-premise systems with SAP BTP applications. CES now detects and alerts on a wide range of security-related events within the Connector, such as configuration changes, administrator account modifications, and adjustments to connected systems, with all alerts being integrable with SIEM solutions. In addition to these threat detection patterns, the release strengthens compliance management by supporting concurrent analysis for multiple systems and updating frameworks for SAP RISE, the SAP Security Baseline, and HIPAA. Version 5.3 also incorporates proactive security measures, including emergency updates for the CVE-2025-31324 zero-day vulnerability and new checks for both OS command execution via sapxpg and the discovery of out-of-maintenance software components based on SAP’s 24-month rule.
Key Takeaways
- SAP Cloud Connector Monitoring: Detects indicators of compromise in the SAP Cloud Connector, including configuration and account changes.
- Compliance Framework Updates: Includes updated checks for SAP RISE, SAP Security Baseline, and HIPAA frameworks.
- Zero-Day Vulnerability Patching: Incorporates emergency updates for vulnerabilities like CVE-2025-31324 in SAP AS Java.
- OS Command Execution Checks: Adds extended checks for the execution and logging of OS commands performed via
sapxpg. - Out-of-Maintenance Software Discovery: Identifies SAP software components that are no longer receiving security patches under the 24-month rule.
- SIEM Integration: All new alerts, including those from the Cloud Connector, can be integrated with centralized SIEM solutions.
How Does Version 5.3 Enhance SAP Cloud Connector Security?
Version 5.3 introduces patterns for detecting indicators of compromise within the SAP Cloud Connector, which acts as a reverse proxy linking SAP BTP applications to on-premise systems. The new release of CES generates alerts for numerous security-relevant events in the Cloud Connector. These include configuration changes, modifications to the Administrator account and passwords, changes to connected BTP subaccounts and backend systems, trace activation, logging and auditing settings, role changes, and updates to certificates, LDAP, and SNC. These alerts can be seamlessly integrated with SIEM solutions for centralized monitoring and rapid incident response.
What Compliance Frameworks Are Updated?
The new release enhances compliance management by supporting concurrent analysis across multiple systems. It also features significant updates for several key frameworks. The requirements for the SAP RISE, SAP Security Baseline, and HIPAA frameworks have been refreshed. This includes updates to mandatory security parameters and hardening requirements for SAP RISE customers, as defined by SAP Enterprise Cloud Services (ECS) in June.
How Does CES 5.3 Address Recent Zero-Day Vulnerabilities?
Version 5.3 includes emergency updates that were previously released to address the zero-day vulnerability CVE-2025-31324. These updates provide patterns for detecting both attempted and successful exploitation of this critical vulnerability in SAP AS Java, allowing security teams to respond proactively to emerging threats.
What Are the New Checks for OS Command Execution?
Extended checks have been introduced for the execution and logging of operating system commands performed by the sapxpg program. sapxpg is a program controller that executes external commands from SAP at the OS level. The enhanced monitoring in CES 5.3 provides greater visibility into this activity to detect potentially malicious behavior.
How Does CES 5.3 Detect Out-of-Maintenance SAP Software?
This version adds checks to discover software components in SAP solutions that are out of maintenance. According to SAP’s general maintenance strategy, known as the “24-month rule,” support package notes are only delivered for support packages shipped within the last 24 months. Software components on older support package levels do not receive fixes for low, medium, and high severity vulnerabilities. CES 5.3 identifies these components, highlighting where an SP upgrade is necessary to address security gaps.
Frequently Asked Questions (FAQ)
What is the SAP Cloud Connector?
The SAP Cloud Connector is an agent that serves as a secure link between SAP Business Technology Platform (BTP) applications and on-premise SAP systems. It functions as a reverse proxy, allowing internal systems to connect to BTP services without being directly exposed to external access.
What is the SAP 24-month rule?
The 24-month rule is SAP’s maintenance policy stating that SAP only provides support package notes (security fixes) for support packages that were shipped within the last 24 months. Systems with components on older support packages may be vulnerable as they no longer receive these security updates.
Can CES 5.3 alerts be sent to a SIEM?
Yes, the alerts generated by the Cybersecurity Extension for SAP, including the new alerts for the SAP Cloud Connector, can be integrated with Security Information and Event Management (SIEM) solutions for centralized security monitoring.