
SAP Unknown Default Password for TMSADM

SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.

While carrying out an SAP security audit for a client, we came across an unknown password for the user TMSADM. The password was displayed by the system itself: during the default accounts analysis, the well-known report RSUSR003 returned the following results.


The default password for TMSADM — PASSWORD — really is well known, but this is the first time I have seen the password $1Pawd2&. Let’s sort it out…

The first thing that comes to mind is to search the Internet. Google gives two references; the SAP website, six. None of them clarifies the matter: the mysterious password mostly turns up in published fragments of ABAP code.

Apparently, we should look for the answers in the code. We open the source code of the report RSUSR003 and have no difficulty in finding the message we’ve seen on the screen before (message 028).


We also find default password hashes embedded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they might be useful for audit, penetration testing etc.).

   lc_ewa TYPE xucode VALUE '13C810002A147DEE',
   lc_ewb TYPE xucode VALUE 'BD5E494D3ECBF5E2',
   lc_ewd TYPE xucode VALUE '573822832DF89B9C',
   lc_ewe TYPE xucode VALUE 'B3ADDFE95DCD036F',
   lc_ewf1 TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
   lc_ewf2 TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
   lc_cpa TYPE xucode VALUE 'FC49DBF6F3FDCF36',
   lc_cpb TYPE xucode VALUE '7D806C248F03813D',
   lc_cpd TYPE xucode VALUE '35C7AB28316EA22F',
   lc_cpe TYPE xucode VALUE '5A5F45726821A147',
   lc_cpf1 TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
   lc_cpf2 TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
   lc_dda TYPE xucode VALUE '5FA752863FB70BA9',
   lc_ddb TYPE xucode VALUE '61D26428640DBAB5',
   lc_ddd TYPE xucode VALUE 'DCA44BB71C073A05',
   lc_dde TYPE xucode VALUE '08FA7683A46D9AA9',
   lc_ddf TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
   lc_saa TYPE xucode VALUE 'C75E6D9600AB5710',
   lc_sab TYPE xucode VALUE 'D0BFF4276DA1E208',
   lc_sad TYPE xucode VALUE 'A83ECB9EC4D34C08',
   lc_sae TYPE xucode VALUE '95984B6A25BA20E9',
   lc_saf TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
   lc_tms1a TYPE xucode VALUE '7671D2F2729F27F0',
   lc_tms1b TYPE xucode VALUE '942B9DC0F2394D85',
   lc_tms1d TYPE xucode VALUE '7C6433CE69099272',
   lc_tms1e TYPE xucode VALUE '940BAB0E12A36DC2',
   lc_tms1  TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
   lc_tms2a TYPE xucode VALUE '05CB79BE189802A0',
   lc_tms2b TYPE xucode VALUE 'B7E2F82C0A3E54C4',
   lc_tms2d TYPE xucode VALUE '4DD4438D3C19138C',
   lc_tms2e TYPE xucode VALUE 'D527A90BC0CAF484',
   lc_tms2  TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'

Note. There are 5 hashes for every account: one for each hashing algorithm used in SAP (A, B, D, E, F). Some accounts (CPIC, EARLYWATCH) have two password hashes each for the F algorithm: one for the password in upper case and one in lower case.

Recall that previous versions of the RSUSR003 report contained no information on the transport management system user TMSADM. As we can see, there’s no such account in the analysis results output.


Apparently, the report has recently been revised, and the new versions contain information on default passwords and the TMSADM password. It has been revised… And a new unknown password has appeared. Let’s check. Look at the very beginning of the source code: it usually has information on the updates and amendments that were made.


The very last update of the source code is related to adding user checks. For more information, let’s see the note (issued a month after the code change, on April 27, 2011).


Everything is confirmed. In early 2011, SAP developers changed the report RSUSR003, adding checks for the user TMSADM against two possible passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:

  1. When carrying out a security audit of SAP systems, take the existence of another default password for TMSADM into account. Make sure that the password in use differs from the two default passwords. (Password $1Pawd2& was discovered in 2 of our test benches, so it can easily be found in your system.)
  2. Specialists responsible for the security of their own SAP systems should implement note 1552894 to make sure that the default passwords of the system users have been changed, including the one for the user TMSADM.
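
The check from the first conclusion, as an added example that is not part of the original post or of SAP's code: it compares the TMSADM rows of a password-hash export against the ten TMSADM constants listed above. The CSV layout (columns MANDT, BNAME, BCODE, PASSCODE) and the sample rows are constructed assumptions, and empty or all-zero fields are treated as "no hash stored".

```python
import csv
import io

# TMSADM default-password hashes copied from the RSUSR003 fragment on this page,
# keyed by hash value and mapped to the ABAP constant that holds it.
TMSADM_DEFAULTS = {
    "7671D2F2729F27F0": "lc_tms1a",
    "942B9DC0F2394D85": "lc_tms1b",
    "7C6433CE69099272": "lc_tms1d",
    "940BAB0E12A36DC2": "lc_tms1e",
    "C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF": "lc_tms1",
    "05CB79BE189802A0": "lc_tms2a",
    "B7E2F82C0A3E54C4": "lc_tms2b",
    "4DD4438D3C19138C": "lc_tms2d",
    "D527A90BC0CAF484": "lc_tms2e",
    "A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB": "lc_tms2",
}

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE_EXPORT = """MANDT,BNAME,BCODE,PASSCODE
000,TMSADM,b7e2f82c0a3e54c4,A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB
100,TMSADM,1122334455667788,00112233445566778899AABBCCDDEEFF00112233
200,TMSADM,0000000000000000,
000,DDIC,942B9DC0F2394D85,
"""

def normalize(value):
    """Upper-case a hex field; empty or all-zero is treated as no stored hash."""
    value = (value or "").strip().upper()
    return "" if not value.strip("0") else value

def audit_tmsadm(export_text):
    """Return (client, status, matched constants) for every TMSADM row."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["BNAME"].strip().upper() != "TMSADM":
            continue  # the page lists these constants for TMSADM only
        hashes = [h for h in (normalize(row["BCODE"]), normalize(row["PASSCODE"])) if h]
        hits = sorted(TMSADM_DEFAULTS[h] for h in hashes if h in TMSADM_DEFAULTS)
        # "not checkable": no comparable hash in the row, so no verdict either way
        status = "DEFAULT" if hits else ("no match" if hashes else "not checkable")
        findings.append((row["MANDT"], status, hits))
    return findings

if __name__ == "__main__":
    for client, status, hits in audit_tmsadm(SAMPLE_EXPORT):
        print(f"client {client}: {status} {', '.join(hits)}")
```

A "no match" result only means the stored hash differs from the two defaults known to RSUSR003; a "not checkable" row still has to be verified with the report itself.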

Authors: Dmitry Gutsko, Positive Research

      1 Comment
      Frank Buchholz

      Some additional remarks:

      • The user TMSADM is only required in client 000.
      • The user TMSADM should have user type B=System (by the way: forget user type C, as it's never required anymore. Use user type B for all background and all remote users.)
      • The user TMSADM should only have authorization profile S_A.TMSADM, but no other profile, role or reference user assignment.

      Here is an overview about the most important notes concerning user TMSADM.

      White Papers:

      Secure Configuration of SAP NetWeaver Application Server Using ABAP
      Version 1.2 January 2012

      Documentation / Implementation:

      Note 1515926 - Update #1 to Security Note 1414256

      Note 1414256 - Changing TMSADM password is too complex

      Note 1488406 - Handling the generated user TMSADM

      Note 1486759 - Blocking unauthorized access to system using TMSADM to 4.6B

      Note 761637 - Logon restrictions prevent TMSADM logon

      Related Topics:

      Note 1726102 - EWA: "Default Passwords of Standard Users": User TMSADM

      Note 1552894 - RSUSR003: Checking the standard password for user TMSADM

      Note 863362 - Security checks in the SAP EarlyWatch Alert

      Consulting Service (which would include the handling of the TMS):

      Note 1504652 - Consulting: Secure Configuration of Application Server ABAP

      Kind regards
      Frank Buchholz
      Active Global Support - Security Services
