Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.
Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.
On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability
Hot news 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module using RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package
Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM
Note 3417627 was updated in February to patch a high-risk cross-site scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. The vulnerability is to due to insufficient input validation and improper encoding. This allows an unauthenticated attacker to craft links containing malicious scripts. When a victim clicks on such a link, the
Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the
Hot news note 3536965 addresses multiple high risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for JAVA (AS Java). This includes vulnerabilities for Server-Side Request Forgery (SSRF) and information disclosure. ADS should be updated to the recommended patch levels detailed in the note. There are no workarounds provided by SAP. Note
Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. The vulnerability impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be
Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The notes includes details of a workaround that will disable trusted authentication in the
Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are
Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps are vulnerable to CVE-2024-29415 due to the use of an older version of an Nodejs library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build
Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by
Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available. Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities SAP Financial Consolidation reported in CVE-2024-37177 and