Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.
Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.
SAP’s May 2025 security advisories feature a critical zero-day vulnerability in SAP NetWeaver AS Java, alongside high-priority patches for S/4HANA and SAP Supplier Relationship Management (SRM). The most urgent update, hot news note 3594142, addresses a missing authorization check that is under active exploitation. This month’s security notes require immediate attention from administrators to mitigate
SAP’s 24-month rule dictates that corrective fixes for many vulnerabilities are only provided for support packages released within the last two years. This policy primarily affects security notes for issues discovered internally by SAP and means that systems running on older support packages will not receive these specific patches, requiring a full upgrade instead. Regular
SAP’s April 2025 security update addresses several critical and high-risk vulnerabilities, led by a command injection flaw in S/4HANA that could allow full system compromise. Other significant patches fix an authentication bypass in SAP Financial Consolidation and two information disclosure vulnerabilities in SAP BusinessObjects and NetWeaver AS ABAP. This month’s security notes require immediate attention
SAP’s security notes for March 2025 address several high-priority vulnerabilities across its product landscape. The patches include a high-risk missing authorization check in SAP NetWeaver AS ABAP, a Cross-Site Scripting (XSS) flaw in SAP Commerce, an authentication bypass in SAP Approuter, and multiple issues in SAP Commerce Cloud stemming from a vulnerable version of Apache
SAP’s February 2025 Security Patch Day addressed several high-priority vulnerabilities across its product portfolio. The updates include patches for a high-risk cross-site scripting (XSS) flaw in SAP NetWeaver AS Java, an information disclosure vulnerability in SAP BusinessObjects, a path traversal issue in SAP Supplier Relationship Management, and an open redirect vulnerability in SAP HANA. The
Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the
Hot news note 3536965 addresses multiple high risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for JAVA (AS Java). This includes vulnerabilities for Server-Side Request Forgery (SSRF) and information disclosure. ADS should be updated to the recommended patch levels detailed in the note. There are no workarounds provided by SAP. Note
Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. The vulnerability impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be
Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The notes includes details of a workaround that will disable trusted authentication in the
Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are
Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps are vulnerable to CVE-2024-29415 due to the use of an older version of an Nodejs library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build
Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by